# Lost Admin/Control Panel/lots of popups hijack this log posted



## nataliew56241 (Jun 1, 2006)

I posted earlier but didn't get an answer so I tried to do some of the things on one of the solved posts you had that sounded like my problem. I couldn't access control panel/it kept saying I didn't have system admin. rights but I am the system admin. Lots of popups. Anyway, I ran smitfraud in normal mode, then in safe mode. combofix won't run. It just locks up. Then I ran superantispyware. Things seemed good - admin stuff seemed to be back to normal so I ran spybot. It found more stuff, including smitfraud. I restarted the computer and ran hijack this again. So here's the latest log. I know you're busy but I've done everything I can think of and can't get rid of this junk. Please help me.

Logfile of HijackThis v1.99.1
Scan saved at 07:36, on 2007-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\media\aim.exe
C:\WINDOWS\Media\aolupd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\dxoihjicqt.exe
C:\WINDOWS\system32\sxiaozh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Words\Words.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [cmd32] C:\WINDOWS\SYSTEM32\cmd32.exe
O4 - HKLM\..\Run: [dxoihjicqt] C:\WINDOWS\system32\dxoihjicqt.exe
O4 - HKLM\..\Run: [bnprqt] C:\WINDOWS\system32\bnprqt.exe
O4 - HKLM\..\Run: [lnwwlzpbcip] C:\WINDOWS\system32\lnwwlzpbcip.exe
O4 - HKLM\..\Run: [oljyydn] C:\WINDOWS\system32\oljyydn.exe
O4 - HKLM\..\Run: [lxzxfmnckgfw] C:\WINDOWS\system32\lxzxfmnckgfw.exe
O4 - HKLM\..\Run: [mxgslff] C:\WINDOWS\system32\mxgslff.exe
O4 - HKLM\..\Run: [sxteq] C:\WINDOWS\system32\sxteq.exe
O4 - HKLM\..\Run: [tauxlfoue] C:\WINDOWS\system32\tauxlfoue.exe
O4 - HKLM\..\Run: [yxtwwsevanlm] C:\WINDOWS\system32\yxtwwsevanlm.exe
O4 - HKLM\..\Run: [hhjnkekato] C:\WINDOWS\system32\hhjnkekato.exe
O4 - HKLM\..\Run: [njym] C:\WINDOWS\system32\njym.exe
O4 - HKLM\..\Run: [kudgafcorjv] C:\WINDOWS\system32\kudgafcorjv.exe
O4 - HKLM\..\Run: [ttjifnhe] C:\WINDOWS\system32\ttjifnhe.exe
O4 - HKLM\..\Run: [loqmfxqlxel] C:\WINDOWS\system32\loqmfxqlxel.exe
O4 - HKLM\..\Run: [oiwdnxccz] C:\WINDOWS\system32\oiwdnxccz.exe
O4 - HKLM\..\Run: [ddbjdqdczpqn] C:\WINDOWS\system32\ddbjdqdczpqn.exe
O4 - HKLM\..\Run: [eicnlxlnufd] C:\WINDOWS\system32\eicnlxlnufd.exe
O4 - HKLM\..\Run: [snzq] C:\WINDOWS\system32\snzq.exe
O4 - HKLM\..\Run: [humark] C:\WINDOWS\system32\humark.exe
O4 - HKLM\..\Run: [muqakztrnot] C:\WINDOWS\system32\muqakztrnot.exe
O4 - HKLM\..\Run: [ltzhe] C:\WINDOWS\system32\ltzhe.exe
O4 - HKLM\..\Run: [an] C:\WINDOWS\system32\an.exe
O4 - HKLM\..\Run: [hkobjsdh] C:\WINDOWS\system32\hkobjsdh.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\Run: [wannihnuqg] C:\WINDOWS\system32\wannihnuqg.exe
O4 - HKLM\..\Run: [sxiaozh] C:\WINDOWS\system32\sxiaozh.exe
O4 - HKLM\..\Run: [vba] C:\WINDOWS\system32\vba.exe
O4 - HKLM\..\Run: [k] C:\WINDOWS\system32\k.exe
O4 - HKLM\..\Run: [dur] C:\WINDOWS\system32\dur.exe
O4 - HKLM\..\Run: [tptagqgliku] C:\WINDOWS\system32\tptagqgliku.exe
O4 - HKLM\..\Run: [keqp] C:\WINDOWS\system32\keqp.exe
O4 - HKLM\..\Run: [tnbuk] C:\WINDOWS\system32\tnbuk.exe
O4 - HKLM\..\Run: [zlfeo] C:\WINDOWS\system32\zlfeo.exe
O4 - HKLM\..\Run: [fpji] C:\WINDOWS\system32\fpji.exe
O4 - HKLM\..\Run: [iconyecmo] C:\WINDOWS\system32\iconyecmo.exe
O4 - HKLM\..\Run: [tmsut] C:\WINDOWS\system32\tmsut.exe
O4 - HKLM\..\Run: [ppokkwvsl] C:\WINDOWS\system32\ppokkwvsl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ciyeyabw] C:\WINDOWS\system32\ciyeyabw.exe
O4 - HKLM\..\Run: [nbgiiflvmda] C:\WINDOWS\system32\nbgiiflvmda.exe
O4 - HKLM\..\Run: [byrqlbhaclt] C:\WINDOWS\system32\byrqlbhaclt.exe
O4 - HKLM\..\Run: [xpzpnnkwnc] C:\WINDOWS\system32\xpzpnnkwnc.exe
O4 - HKLM\..\Run: [xikydlcpc] C:\WINDOWS\system32\xikydlcpc.exe
O4 - HKLM\..\Run: [hhddxosriy] C:\WINDOWS\system32\hhddxosriy.exe
O4 - HKLM\..\Run: [qqvppfznnv] C:\WINDOWS\system32\qqvppfznnv.exe
O4 - HKLM\..\Run: [bg] C:\WINDOWS\system32\bg.exe
O4 - HKLM\..\Run: [cwdt] C:\WINDOWS\system32\cwdt.exe
O4 - HKLM\..\Run: [vryefl] C:\WINDOWS\system32\vryefl.exe
O4 - HKLM\..\RunServices: [njym] C:\WINDOWS\system32\njym.exe
O4 - HKLM\..\RunServices: [muqakztrnot] C:\WINDOWS\system32\muqakztrnot.exe
O4 - HKLM\..\RunServices: [cmd32] C:\WINDOWS\SYSTEM32\cmd32.exe
O4 - HKLM\..\RunServices: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\RunServices: [ddbjdqdczpqn] C:\WINDOWS\system32\ddbjdqdczpqn.exe
O4 - HKLM\..\RunServices: [sxiaozh] C:\WINDOWS\system32\sxiaozh.exe
O4 - HKLM\..\RunServices: [dxoihjicqt] C:\WINDOWS\system32\dxoihjicqt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [zzfw] C:\Program Files\Common Files\zzfw\zzfwm.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: hadjajr.ini
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AiM Auto-Updater (AiM_SvC) - Unknown owner - C:\WINDOWS\media\aim.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Print Spooler Service (neuvy95kxpanb) - Unknown owner - C:\WINDOWS\system32\oixgv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
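As an added example (not code from the thread or from either poster), the following Python script performs the kind of first-pass triage a helper does by eye on a HijackThis log like the one above: it flags a `Shell=` value that launches anything besides Explorer.exe, Run/RunServices entries that start unknown binaries out of system32, a populated AppInit_DLLs value, and "Unknown owner" services whose binary lives in system32. The sample lines are copied from the log above plus two benign control lines; the allowlist and the heuristics are assumptions of the example, not HijackThis features.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Windows binaries that legitimately autostart from system32 on XP. Anything
# else launched from that directory by a Run key is treated as unknown.
# (Assumed allowlist for this example; extend it for a real triage.)
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "dumprep", "rundll32.exe"}

# Line shapes this triage understands (HijackThis v1.99 format).
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def target_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Flag the persistence entries a helper would question in a HijackThis log."""
    findings: List[Finding] = []
    keys_by_target: Dict[str, set] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_SHELL.match(line):
            # Winlogon starts every program listed in Shell=, so a second
            # path appended after Explorer.exe runs at each logon.
            if m["value"].strip().lower() != "explorer.exe":
                findings.append(Finding("shell_hijack", line))
        elif m := O4_RUN.match(line):
            path = target_path(m["cmd"])
            base = path.rsplit("\\", 1)[-1].lower()
            if SYSTEM32.search(path) and base not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding("unknown_system32_autostart", line))
                keys_by_target.setdefault(base, set()).add(m["key"].lower())
        elif m := O20_APPINIT.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a home XP box it is normally empty.
            if m["value"].strip():
                findings.append(Finding("appinit_dll", line))
        elif m := O23_SERVICE.match(line):
            if m["owner"].strip().lower() == "unknown owner" and SYSTEM32.search(m["path"]):
                findings.append(Finding("unknown_owner_service", line))
    # The same binary registered under both Run and RunServices suggests a
    # dropper that writes to several autostart keys at once.
    for base, keys in sorted(keys_by_target.items()):
        if len(keys) > 1:
            findings.append(Finding("multi_key_persistence", f"{base}: {', '.join(sorted(keys))}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, for a quick severity overview."""
    return dict(Counter(f.kind for f in findings))


# Sample lines copied from the log above, plus two benign control lines
# (HP Software Update and QuickTime) that should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dxoihjicqt] C:\WINDOWS\system32\dxoihjicqt.exe
O4 - HKLM\..\Run: [x] C:\WINDOWS\system32\x.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [x] C:\WINDOWS\system32\x.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: Print Spooler Service (neuvy95kxpanb) - Unknown owner - C:\WINDOWS\system32\oixgv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.detail}")
```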


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Not sure what copy of ComboFix you have, so please delete the one you downloaded.

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt and a fresh Hijackthis log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

*Note*: You are extremely infected. ComboFix may take a couple of minutes to start. Just be patient.


----------



## nataliew56241 (Jun 1, 2006)

Did what you suggested. Got a stack overflow error on the combofix screen. Also got popup saying swreg.cfexe - application error The instruction at "0x7c911e58" referenced memory at "0x006f0072". The memory could not be "read". Click on OK to terminate the program. What next? Or what did I do wrong?


----------



## sjpritch25 (Sep 8, 2005)

Sorry my post is coming


----------



## sjpritch25 (Sep 8, 2005)

You will probably need to run this scan in Safe mode.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *30 days*
In the *Files Modified Within* group select *30 days*
In the *File String Search* group select *Non-Microsoft*
In the *Drivers Services* group select *Non-Microsoft*
In the *Additional Scans* group select *Desktop Components*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the *Add Reply* button and Copy/Paste the information back here. I will review it when it comes in.


----------



## nataliew56241 (Jun 1, 2006)

Sorry. It started running after my post. I stopped and restarted (in case that matters) and here's the log.

ComboFix 07-09-10.2 - "Nikki Walton" 2007-09-09 10:07:07.1 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\LOCALS~1\APPLIC~1\WinTouch
C:\DOCUME~1\LOCALS~1\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\LOCALS~1\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\NIKKIW~1\APPLIC~1\WinTouch
C:\DOCUME~1\NIKKIW~1\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\NIKKIW~1\APPLIC~1\WinTouch\WTUninstaller.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\smante~1
C:\Program Files\stem32~1
C:\Program Files\stem32~1\??stem32\
C:\WINDOWS\asembl~1
C:\WINDOWS\b143.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd64.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\e.exe
C:\WINDOWS\system32\i.exe
C:\WINDOWS\system32\p.exe
C:\WINDOWS\system32\s.exe
C:\WINDOWS\system32\t.exe
C:\WINDOWS\system32\w.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CORE
-------\core

((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-09 16:41 d--------	C:\Program Files\Words
2007-09-09 16:36	65,528	--a------	C:\WINDOWS\b147.exe.bin
2007-09-09 16:05 d--------	C:\Program Files\SUPERAntiSpyware
2007-09-09 16:05 d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:05 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:04 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 16:02	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-09 15:40 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-09-09 14:11	8,646	--a------	C:\WINDOWS\system32\tmp.reg
2007-09-09 12:36	12,416	--a------	C:\WINDOWS\system32\drivers\wpsnuio.sys
2007-09-09 12:36 d--------	C:\Program Files\Skyhook Wireless
2007-09-09 12:36 d--------	C:\Program Files\LocationPlugin
2007-09-09 07:33	99,328	--a------	C:\WINDOWS\system32\oixgv.exe
2007-09-09 07:33	99,328	--a------	C:\WINDOWS\system32\afxhneta.exe
2007-09-09 06:37	99,328	--a------	C:\WINDOWS\system32\oic.exe
2007-09-06 20:22	81,521	--a------	C:\aolX.exe
2007-09-05 22:24	59,904	--a------	C:\DOCUME~1\NIKKIW~1\wn507.exe
2007-09-01 11:24 d--------	C:\Program Files\AIM6
2007-08-28 14:37	99,328	--a------	C:\WINDOWS\system32\gaukqirkaium.exe
2007-08-28 03:54	78,848	--a------	C:\WINDOWS\system32\zqhtsnpvask.exe
2007-08-27 17:01	78,848	--a------	C:\WINDOWS\system32\woiufnzxfozr.exe
2007-08-27 16:59	78,848	--a------	C:\WINDOWS\system32\gdeses.exe
2007-08-21 18:17 d--------	C:\Program Files\STOPzilla!
2007-08-21 18:16 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-08-18 20:17 d--------	C:\WINDOWS\Pure Digital Prefs
2007-08-17 19:17 d--------	C:\WINDOWS\zzfw
2007-08-17 19:17 d--------	C:\Program Files\Common Files\zzfw
2007-08-11 23:19	91,136	--a------	C:\WINDOWS\system32\ciyeyabw.exe
2007-08-11 20:49	91,136	--a------	C:\WINDOWS\system32\waownkwwo.exe
2007-08-11 19:22	91,136	--a------	C:\WINDOWS\system32\crtcmtramfx.exe
2007-08-11 18:49	91,136	--a------	C:\WINDOWS\system32\vmdkhvvlb.exe
2007-08-10 18:43	87,040	--a------	C:\WINDOWS\system32\tfvies.exe
2007-08-10 16:24	87,040	--a------	C:\WINDOWS\system32\ojimaeubhm.exe
2007-08-10 16:24	8,782	--a------	C:\pun.exe
2007-08-10 16:09	8,782	--a------	C:\pun.pif
2007-08-10 13:36	87,040	--a------	C:\WINDOWS\system32\ig.exe
2007-08-10 07:12	87,040	--a------	C:\WINDOWS\system32\co.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-01 11:26	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-01 11:24	---------	d--------	C:\Program Files\Common Files\AOL
2007-09-01 11:21	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-01 11:20	---------	d--------	C:\Program Files\Common Files\Corel
2007-08-09 18:27	---------	d--------	C:\Program Files\iTunes
2007-08-09 18:27	---------	d--------	C:\Program Files\iPod
2007-08-09 17:56	---------	d--------	C:\Program Files\QuickTime
2007-08-09 17:53	---------	d--------	C:\Program Files\Apple Software Update
2007-08-04 19:49	---------	d--------	C:\Program Files\Creative Zone
2007-07-25 19:02	9806	--a------	C:\winupdate.exe
2007-07-23 22:54	9806	--a------	C:\binboot.exe
2007-07-23 19:04	---------	d--------	C:\Program Files\EA GAMES
2007-07-22 11:05	---------	d--------	C:\Program Files\Broderbund
2007-07-22 11:04	---------	d--------	C:\Program Files\Yahoo!
2007-07-22 11:03	---------	dr-h-----	C:\DOCUME~1\NIKKIW~1\APPLIC~1\yahoo!
2007-07-22 11:03	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-19 13:33	---------	d--------	C:\Program Files\AIM
2007-07-19 13:33	---------	d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\Aim
2007-06-13 06:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-05-09 01:13:04	96,768	--sh--r	C:\WINDOWS\Media\aim.exe
2007-05-21 00:15:47	89,600	--sh--r	C:\WINDOWS\Media\aolupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP OfficeJet Series 700"="C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" [2001-09-21 10:53]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 C:\WINDOWS\stsystra.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"HP Metrics"="C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" [2004-01-16 14:11]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 13:21]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 11:35]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 18:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"cmd32"="C:\WINDOWS\SYSTEM32\cmd32.exe" []
"dxoihjicqt"="C:\WINDOWS\system32\dxoihjicqt.exe" [2007-05-12 18:30]
"bnprqt"="C:\WINDOWS\system32\bnprqt.exe" []
"lnwwlzpbcip"="C:\WINDOWS\system32\lnwwlzpbcip.exe" []
"oljyydn"="C:\WINDOWS\system32\oljyydn.exe" []
"lxzxfmnckgfw"="C:\WINDOWS\system32\lxzxfmnckgfw.exe" []
"mxgslff"="C:\WINDOWS\system32\mxgslff.exe" []
"sxteq"="C:\WINDOWS\system32\sxteq.exe" []
"tauxlfoue"="C:\WINDOWS\system32\tauxlfoue.exe" []
"yxtwwsevanlm"="C:\WINDOWS\system32\yxtwwsevanlm.exe" []
"hhjnkekato"="C:\WINDOWS\system32\hhjnkekato.exe" []
"njym"="C:\WINDOWS\system32\njym.exe" [2007-05-20 14:28]
"kudgafcorjv"="C:\WINDOWS\system32\kudgafcorjv.exe" []
"ttjifnhe"="C:\WINDOWS\system32\ttjifnhe.exe" []
"loqmfxqlxel"="C:\WINDOWS\system32\loqmfxqlxel.exe" []
"oiwdnxccz"="C:\WINDOWS\system32\oiwdnxccz.exe" []
"ddbjdqdczpqn"="C:\WINDOWS\system32\ddbjdqdczpqn.exe" [2007-06-07 20:28]
"eicnlxlnufd"="C:\WINDOWS\system32\eicnlxlnufd.exe" [2007-06-07 21:53]
"snzq"="C:\WINDOWS\system32\snzq.exe" [2007-06-07 21:54]
"humark"="C:\WINDOWS\system32\humark.exe" [2007-06-09 14:03]
"muqakztrnot"="C:\WINDOWS\system32\muqakztrnot.exe" [2007-06-12 00:10]
"ltzhe"="C:\WINDOWS\system32\ltzhe.exe" []
"an"="C:\WINDOWS\system32\an.exe" []
"hkobjsdh"="C:\WINDOWS\system32\hkobjsdh.exe" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"x"="C:\WINDOWS\system32\x.exe" []
"wannihnuqg"="C:\WINDOWS\system32\wannihnuqg.exe" []
"sxiaozh"="C:\WINDOWS\system32\sxiaozh.exe" [2007-07-08 08:55]
"vba"="C:\WINDOWS\system32\vba.exe" []
"k"="C:\WINDOWS\system32\k.exe" []
"dur"="C:\WINDOWS\system32\dur.exe" []
"tptagqgliku"="C:\WINDOWS\system32\tptagqgliku.exe" []
"keqp"="C:\WINDOWS\system32\keqp.exe" []
"tnbuk"="C:\WINDOWS\system32\tnbuk.exe" []
"zlfeo"="C:\WINDOWS\system32\zlfeo.exe" []
"fpji"="C:\WINDOWS\system32\fpji.exe" []
"iconyecmo"="C:\WINDOWS\system32\iconyecmo.exe" []
"tmsut"="C:\WINDOWS\system32\tmsut.exe" []
"ppokkwvsl"="C:\WINDOWS\system32\ppokkwvsl.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"ciyeyabw"="C:\WINDOWS\system32\ciyeyabw.exe" [2007-08-11 23:19]
"nbgiiflvmda"="C:\WINDOWS\system32\nbgiiflvmda.exe" []
"byrqlbhaclt"="C:\WINDOWS\system32\byrqlbhaclt.exe" []
"xpzpnnkwnc"="C:\WINDOWS\system32\xpzpnnkwnc.exe" []
"xikydlcpc"="C:\WINDOWS\system32\xikydlcpc.exe" []
"hhddxosriy"="C:\WINDOWS\system32\hhddxosriy.exe" []
"qqvppfznnv"="C:\WINDOWS\system32\qqvppfznnv.exe" []
"bg"="C:\WINDOWS\system32\bg.exe" []
"cwdt"="C:\WINDOWS\system32\cwdt.exe" []
"vryefl"="C:\WINDOWS\system32\vryefl.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 01:07]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 18:30]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"zzfw"="C:\Program Files\Common Files\zzfw\zzfwm.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-09 16:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"njym"=C:\WINDOWS\system32\njym.exe
"muqakztrnot"=C:\WINDOWS\system32\muqakztrnot.exe
"cmd32"=C:\WINDOWS\SYSTEM32\cmd32.exe
"x"=C:\WINDOWS\system32\x.exe
"ddbjdqdczpqn"=C:\WINDOWS\system32\ddbjdqdczpqn.exe
"sxiaozh"=C:\WINDOWS\system32\sxiaozh.exe
"dxoihjicqt"=C:\WINDOWS\system32\dxoihjicqt.exe
"ciyeyabw"=C:\WINDOWS\system32\ciyeyabw.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Eztbxtgj"=C:\WINDOWS\a?sembly\l?gonui.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe [2006-05-13 10:19:50]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=hadjajr.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nikki Walton^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Nikki Walton\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R2 AiM_SvC;AiM Auto-Updater;"C:\WINDOWS\media\aim.exe"
R2 AOL_Hosts;AOL Update Manager;"C:\WINDOWS\Media\aolupd.exe"
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 Wpsnuio;WPS NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 hpopar03;hpopar03;C:\WINDOWS\system32\drivers\hpopar03.SYS
S2 neuvy95kxpanb;Print Spooler Service;C:\WINDOWS\system32\pof.exe /service

.
Contents of the 'Scheduled Tasks' folder
"2007-09-04 23:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 10:16:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-10 10:19:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 10:19
.
--- E O F ---


----------



## sjpritch25 (Sep 8, 2005)

Okay, ignore my last post.


----------



## nataliew56241 (Jun 1, 2006)

I already started running it. Should I stop?


----------



## sjpritch25 (Sep 8, 2005)

Yes please


----------



## sjpritch25 (Sep 8, 2005)

Please download the attached file named CFScript.txt and Save it to your Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.

*Do not run on any other computer!!!! The attached file CFScript.txt is created for this specific computer. Running it on another system could cause it to crash or worse.*

================================
*Panda Activescan*
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *Local Disks* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location.

*In your next reply, please include the Panda Activescan log too. Thanks*


----------



## nataliew56241 (Jun 1, 2006)

Here's the new combofix log.

ComboFix 07-09-10.2 - "Nikki Walton" 2007-09-11 5:16:22.2 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\b147.exe.bin
C:\WINDOWS\system32\oixgv.exe
C:\WINDOWS\system32\afxhneta.exe
C:\WINDOWS\system32\oic.exe
C:\aolX.exe
C:\DOCUME~1\NIKKIW~1\wn507.exe
C:\WINDOWS\system32\gaukqirkaium.exe
C:\WINDOWS\system32\zqhtsnpvask.exe
C:\WINDOWS\system32\woiufnzxfozr.exe
C:\WINDOWS\system32\gdeses.exe
C:\WINDOWS\system32\ciyeyabw.exe
C:\WINDOWS\system32\waownkwwo.exe
C:\WINDOWS\system32\crtcmtramfx.exe
C:\WINDOWS\system32\vmdkhvvlb.exe
C:\WINDOWS\system32\tfvies.exe
C:\WINDOWS\system32\ojimaeubhm.exe
C:\pun.exe
C:\pun.pif
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\co.exe
C:\winupdate.exe
C:\binboot.exe
C:\WINDOWS\system32\dxoihjicqt.exe
C:\WINDOWS\system32\njym.exe
C:\WINDOWS\system32\ddbjdqdczpqn.exe
C:\WINDOWS\system32\eicnlxlnufd.exe
C:\WINDOWS\system32\snzq.exe
C:\WINDOWS\system32\humark.exe
C:\WINDOWS\system32\muqakztrnot.exe
C:\WINDOWS\system32\sxiaozh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aolX.exe
C:\binboot.exe
C:\DOCUME~1\NIKKIW~1\wn507.exe
C:\Program Files\Common Files\zzfw
C:\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB
C:\Program Files\Common Files\zzfw\zzfwa.exe
C:\Program Files\Common Files\zzfw\zzfwd\class-barrel
C:\Program Files\Common Files\zzfw\zzfwd\vocabulary
C:\Program Files\Common Files\zzfw\zzfwd\zzfwc.dll
C:\Program Files\Common Files\zzfw\zzfwp.exe
C:\pun.exe
C:\pun.pif
C:\WINDOWS\b147.exe.bin
C:\WINDOWS\system32\afxhneta.exe
C:\WINDOWS\system32\ciyeyabw.exe
C:\WINDOWS\system32\co.exe
C:\WINDOWS\system32\crtcmtramfx.exe
C:\WINDOWS\system32\ddbjdqdczpqn.exe
C:\WINDOWS\system32\dxoihjicqt.exe
C:\WINDOWS\system32\eicnlxlnufd.exe
C:\WINDOWS\system32\gaukqirkaium.exe
C:\WINDOWS\system32\gdeses.exe
C:\WINDOWS\system32\humark.exe
C:\WINDOWS\system32\ig.exe
C:\WINDOWS\system32\muqakztrnot.exe
C:\WINDOWS\system32\njym.exe
C:\WINDOWS\system32\oic.exe
C:\WINDOWS\system32\oixgv.exe
C:\WINDOWS\system32\ojimaeubhm.exe
C:\WINDOWS\system32\snzq.exe
C:\WINDOWS\system32\sxiaozh.exe
C:\WINDOWS\system32\tfvies.exe
C:\WINDOWS\system32\vmdkhvvlb.exe
C:\WINDOWS\system32\waownkwwo.exe
C:\WINDOWS\system32\woiufnzxfozr.exe
C:\WINDOWS\system32\zqhtsnpvask.exe
C:\WINDOWS\zzfw
C:\WINDOWS\zzfw\wu
C:\WINDOWS\zzfw\zzfw.dat
C:\winupdate.exe

((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 05:11	99,328	--a------	C:\WINDOWS\system32\vhpkqzj.exe
2007-09-10 11:49	99,328	--a------	C:\WINDOWS\system32\tpyspnyrv.exe
2007-09-10 10:17	99,328	--a------	C:\WINDOWS\system32\pof.exe
2007-09-09 16:41 d--------	C:\Program Files\Words
2007-09-09 16:05 d--------	C:\Program Files\SUPERAntiSpyware
2007-09-09 16:05 d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:05 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:04 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 16:02	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-09 15:40 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-09-09 14:11	8,646	--a------	C:\WINDOWS\system32\tmp.reg
2007-09-09 12:36	12,416	--a------	C:\WINDOWS\system32\drivers\wpsnuio.sys
2007-09-09 12:36 d--------	C:\Program Files\Skyhook Wireless
2007-09-09 12:36 d--------	C:\Program Files\LocationPlugin
2007-09-01 11:24 d--------	C:\Program Files\AIM6
2007-08-21 18:17 d--------	C:\Program Files\STOPzilla!
2007-08-21 18:16 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-08-18 20:17 d--------	C:\WINDOWS\Pure Digital Prefs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-01 11:26	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-01 11:24	---------	d--------	C:\Program Files\Common Files\AOL
2007-09-01 11:21	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-01 11:20	---------	d--------	C:\Program Files\Common Files\Corel
2007-08-09 18:27	---------	d--------	C:\Program Files\iTunes
2007-08-09 18:27	---------	d--------	C:\Program Files\iPod
2007-08-09 17:56	---------	d--------	C:\Program Files\QuickTime
2007-08-09 17:53	---------	d--------	C:\Program Files\Apple Software Update
2007-08-04 19:49	---------	d--------	C:\Program Files\Creative Zone
2007-07-23 19:04	---------	d--------	C:\Program Files\EA GAMES
2007-07-22 11:05	---------	d--------	C:\Program Files\Broderbund
2007-07-22 11:04	---------	d--------	C:\Program Files\Yahoo!
2007-07-22 11:03	---------	dr-h-----	C:\DOCUME~1\NIKKIW~1\APPLIC~1\yahoo!
2007-07-22 11:03	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-19 13:33	---------	d--------	C:\Program Files\AIM
2007-07-19 13:33	---------	d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\Aim
2007-06-13 06:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-05-09 01:13:04	96,768	--sh--r	C:\WINDOWS\Media\aim.exe
2007-05-21 00:15:47	89,600	--sh--r	C:\WINDOWS\Media\aolupd.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_101832.17 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 4,286 2006-02-02 17:53:36 C:\WINDOWS\Installer\{EA103B64-C0E4-4C0E-A506-751590E1653D}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
.
------w 4,286 2006-02-02 17:53:36 C:\WINDOWS\Installer\{EA103B64-C0E4-4C0E-A506-751590E1653D}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP OfficeJet Series 700"="C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" [2001-09-21 10:53]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 C:\WINDOWS\stsystra.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"HP Metrics"="C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" [2004-01-16 14:11]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 13:21]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 11:35]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 18:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 01:07]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 18:30]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-09 16:41]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe [2006-05-13 10:19:50]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nikki Walton^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Nikki Walton\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R2 AiM_SvC;AiM Auto-Updater;"C:\WINDOWS\media\aim.exe"
R2 AOL_Hosts;AOL Update Manager;"C:\WINDOWS\Media\aolupd.exe"
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 Wpsnuio;WPS NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 hpopar03;hpopar03;C:\WINDOWS\system32\drivers\hpopar03.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-04 23:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 05:24:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 5:27:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 05:26
C:\ComboFix2.txt ... 2007-09-10 10:19
.
--- E O F ---


----------



## nataliew56241 (Jun 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 5:31:19 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\media\aim.exe
C:\WINDOWS\Media\aolupd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Words\Words.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AiM Auto-Updater (AiM_SvC) - Unknown owner - C:\WINDOWS\media\aim.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe


----------



## nataliew56241 (Jun 1, 2006)

Incident Status Location

Spyware:Cookie/Doubleclick  Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.doubleclick.net/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.xiti.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[searchportal.information.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.statcounter.com/] 
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hg1.hitbox.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.tribalfusion.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[stat.onestat.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.tribalfusion.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.xiti.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/60960915] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[stat.onestat.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.target.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.go.com/] 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.bravenet.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.com.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/41164003] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application


----------



## nataliew56241 (Jun 1, 2006)

Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/80503492] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[stat.onestat.com/] 
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Nikki Walton\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-459622bd-325d5a4d.zip[SuperMSClassLoader.class] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt  
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][2].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll 
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\UnInstall.exe 
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\Words.exe 
Virus:Trj/Downloader.PNC Disinfected C:\qoobox\Quarantine\C\binboot.exe.vir 
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir  
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwa.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\zzfwc.dll.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwp.exe.vir 
Virus:Trj/Downloader.PNC Disinfected C:\qoobox\Quarantine\C\pun.exe.vir 
Virus:Trj/Downloader.PNC Disinfected C:\qoobox\Quarantine\C\pun.pif.vir 
Virus:Bck/Hacdef.GW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\afxhneta.exe.vir 
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\cmd64.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ddbjdqdczpqn.exe.vir 
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dxoihjicqt.exe.vir 
Virus:Trj/Spammer.ABV Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\njym.exe.vir  
Virus:Bck/Hacdef.GW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\oic.exe.vir 
Virus:Bck/Hacdef.GW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\oixgv.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\p.exe.vir 
Virus:Trj/Downloader.PNC Disinfected C:\qoobox\Quarantine\C\winupdate.exe.vir 
Virus:Generic Malware Disinfected C:\WINDOWS\Media\aim.exe 
Virus:W32/Oscarbot.PI.worm Disinfected C:\WINDOWS\Media\aolupd.exe 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ambjui.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\asqaiwdqswwv.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\bfpfv.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\bqznjnl.exe  
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\cgejgem.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\dj.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\dmjy.exe 
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup 
Virus:Trj/Spammer.ABV Disinfected C:\WINDOWS\system32\ekcvnaflyf.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\eooxk.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\fe.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\fyptk.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\gmocvrq.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\hdnvnbek.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ihijixfrdni.exe  
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\jhpfaq.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\jhxq.exe 
Virus:Trj/Spammer.ABV Disinfected C:\WINDOWS\system32\jikxpdr.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\jk.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\khnsghfyktt.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\kixazcgoe.exe 
Virus:Trj/Spammer.ABV Disinfected C:\WINDOWS\system32\krysh.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\lrph.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\lwsiycpkdne.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\lwzbbagdpagm.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\nfh.exe  
Virus:Bck/Hacdef.GW Disinfected C:\WINDOWS\system32\pof.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\qrldtdofslef.exe 
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\system32\sdtbcwnv.exe 
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\systems.txt 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\tbhm.exe 
Virus:Bck/Hacdef.GW Disinfected C:\WINDOWS\system32\tpyspnyrv.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\umymrqxx.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\uykfa.exe 
Virus:Bck/Hacdef.GW Disinfected C:\WINDOWS\system32\vhpkqzj.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\womxhn.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\wxpl.exe


----------



## nataliew56241 (Jun 1, 2006)

I had to split the Activescan Panda report in 2 to make it fit.


----------



## sjpritch25 (Sep 8, 2005)

Please download the attached file named CFScript.txt and save it to your Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

In your next reply, please post a fresh Combofix log and a fresh Hijackthis log.

*Do not run on any other computer!!!! The attached file CFScript.txt is created for this specific computer. Running it on another system could cause it to crash or worse.*

Please run Panda Activescan again and post the log. Thanks.


----------



## nataliew56241 (Jun 1, 2006)

Is there anything else I can do? I work during the day (Eastern time), so mostly I can work on this computer at night during the week.


----------



## nataliew56241 (Jun 1, 2006)

Sorry, I thought I was having problems with the browser. I'll do the cfscript thing and run panda again.


----------



## nataliew56241 (Jun 1, 2006)

ComboFix 07-09-10.2 - "Nikki Walton" 2007-09-12 9:36:16.3 - NTFSx86 
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.167 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\dmjy.exe
C:\WINDOWS\system32\fe.exe
C:\WINDOWS\system32\dj.exe
C:\WINDOWS\system32\fyptk.exe
C:\WINDOWS\system32\hdnvnbek.exe
C:\WINDOWS\system32\ihijixfrdni.exe
C:\WINDOWS\system32\jk.exe
C:\WINDOWS\system32\khnsghfyktt.exe
C:\WINDOWS\system32\kixazcgoe.exe
C:\WINDOWS\system32\lwsiycpkdne.exe
C:\WINDOWS\system32\lwzbbagdpagm.exe
C:\WINDOWS\system32\nfh.exe
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\tbhm.exe
C:\WINDOWS\system32\umymrqxx.exe
C:\WINDOWS\system32\uykfa.exe
C:\WINDOWS\system32\womxhn.exe
C:\WINDOWS\system32\wxpl.exe
C:\WINDOWS\system32\vhpkqzj.exe
C:\WINDOWS\system32\tpyspnyrv.exe
C:\WINDOWS\system32\pof.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dj.exe
C:\WINDOWS\system32\dmjy.exe
C:\WINDOWS\system32\fe.exe
C:\WINDOWS\system32\fyptk.exe
C:\WINDOWS\system32\hdnvnbek.exe
C:\WINDOWS\system32\ihijixfrdni.exe
C:\WINDOWS\system32\jk.exe
C:\WINDOWS\system32\khnsghfyktt.exe
C:\WINDOWS\system32\kixazcgoe.exe
C:\WINDOWS\system32\lwsiycpkdne.exe
C:\WINDOWS\system32\lwzbbagdpagm.exe
C:\WINDOWS\system32\nfh.exe
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\tbhm.exe
C:\WINDOWS\system32\umymrqxx.exe
C:\WINDOWS\system32\uykfa.exe
C:\WINDOWS\system32\womxhn.exe
C:\WINDOWS\system32\wxpl.exe

((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-11 08:24	177,965	--a------	C:\bootlogsect.exe
2007-09-11 08:24 d--------	C:\WINDOWS\setup86x
2007-09-11 05:36 d--------	C:\WINDOWS\system32\ActiveScan
2007-09-09 16:41 d--------	C:\Program Files\Words
2007-09-09 16:05 d--------	C:\Program Files\SUPERAntiSpyware
2007-09-09 16:05 d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:05 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-09 16:04 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 16:02	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-09-09 15:40 d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-09-09 14:11	8,646	--a------	C:\WINDOWS\system32\tmp.reg
2007-09-09 12:36	12,416	--a------	C:\WINDOWS\system32\drivers\wpsnuio.sys
2007-09-09 12:36 d--------	C:\Program Files\Skyhook Wireless
2007-09-09 12:36 d--------	C:\Program Files\LocationPlugin
2007-09-01 11:24 d--------	C:\Program Files\AIM6
2007-08-21 18:17 d--------	C:\Program Files\STOPzilla!
2007-08-21 18:16 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-08-18 20:17 d--------	C:\WINDOWS\Pure Digital Prefs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 06:34	---------	d--------	C:\Program Files\RitzPix E-Z Print & Share
2007-09-11 06:34	---------	d--------	C:\Program Files\QuickTime
2007-09-11 06:31	---------	d--------	C:\Program Files\iTunes
2007-09-11 06:27	---------	d--------	C:\Program Files\Google
2007-09-11 06:10	---------	d--------	C:\Program Files\Bonjour
2007-09-01 11:26	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-01 11:24	---------	d--------	C:\Program Files\Common Files\AOL
2007-09-01 11:21	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-01 11:20	---------	d--------	C:\Program Files\Common Files\Corel
2007-08-19 19:01	3402	--ahs----	C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-09 18:27	---------	d--------	C:\Program Files\iPod
2007-08-09 17:53	---------	d--------	C:\Program Files\Apple Software Update
2007-08-04 19:49	---------	d--------	C:\Program Files\Creative Zone
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19	271224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19	207736	--a------	C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\dllcache\wups.dll
2007-07-23 19:04	---------	d--------	C:\Program Files\EA GAMES
2007-07-22 11:05	---------	d--------	C:\Program Files\Broderbund
2007-07-22 11:04	---------	d--------	C:\Program Files\Yahoo!
2007-07-22 11:03	---------	dr-h-----	C:\DOCUME~1\NIKKIW~1\APPLIC~1\yahoo!
2007-07-22 11:03	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-07-19 13:33	---------	d--------	C:\Program Files\AIM
2007-07-19 13:33	---------	d--------	C:\DOCUME~1\NIKKIW~1\APPLIC~1\Aim
2007-07-19 02:59	3583488	--a------	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 19:31	765952	--a------	C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-08 05:04	74752	--a------	C:\WINDOWS\system32\iafw.exe
2007-07-08 05:04	74752	--a------	C:\WINDOWS\system32\ajcmimiipsi.exe
2007-06-30 23:50	87040	--a------	C:\WINDOWS\system32\eheagcsfcxma.exe
2007-06-30 23:18	87040	--a------	C:\WINDOWS\system32\dctscwsgerkv.exe
2007-06-27 10:34	823808	--a------	C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34	671232	--a------	C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34	6058496	---------	C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34	52224	---------	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34	477696	--a------	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34	459264	---------	C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34	44544	--a------	C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34	384512	--a------	C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34	383488	---------	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34	27648	--a------	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34	267776	---------	C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34	232960	--a------	C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34	230400	--a------	C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34	193024	--a------	C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34	153088	--a------	C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34	132608	--a------	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34	124928	--a------	C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34	1152000	--a------	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34	105984	--a------	C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34	102400	--a------	C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27	63488	--a------	C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27	625152	--a------	C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27	13824	---------	C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00	161792	--a------	C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08	1104896	--a------	C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08	1104896	--a------	C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 03:44	99328	--a------	C:\WINDOWS\system32\hyflugwy.exe
2007-06-19 09:31	282112	--a------	C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31	282112	--a------	C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 22:15	78848	--a------	C:\WINDOWS\system32\jpq.exe
2007-06-17 14:00	78848	--a------	C:\WINDOWS\system32\gpchsvx.exe
2007-06-13 06:23	1033216	--a------	C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 06:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-06-12 00:10	99328	--a------	C:\WINDOWS\system32\vamona.exe
2007-06-12 00:10	99328	--a------	C:\WINDOWS\system32\bnyqjhtm.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_101832.17 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 141,424 2006-08-24 12:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-r 4,286 2006-02-02 17:53:36 C:\WINDOWS\Installer\{EA103B64-C0E4-4C0E-A506-751590E1653D}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
----a-w 73,728 2006-08-02 16:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 11,776 2003-03-25 22:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 13:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 20:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 18:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 15:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 17:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 22:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 22:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 19:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 17:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 14:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 17:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 22:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 20:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 18:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 18:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 17:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 17:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 15:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 15:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 12:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 18:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 14:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 14:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 20:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 13:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 14:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 18:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 18:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 17:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 12:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 12:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 21:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 18:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w  9,488 1997-09-18 10:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 21:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
.
------w 4,286 2006-02-02 17:53:36 C:\WINDOWS\Installer\{EA103B64-C0E4-4C0E-A506-751590E1653D}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP OfficeJet Series 700"="C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" [2001-09-21 10:53]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 C:\WINDOWS\stsystra.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"HP Metrics"="C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe" [2004-01-16 14:11]
"D-Link RangeBooster G WDA-2320"="C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2005-12-15 13:21]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 11:35]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 18:14]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 01:07]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 18:30]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-09 16:41]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Forget Me Not.lnk - C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe [2006-05-13 10:19:50]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nikki Walton^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\Nikki Walton\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NetSvc"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 Wpsnuio;WPS NDIS Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\wpsnuio.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 AiM_SvC;AiM Auto-Updater;"C:\WINDOWS\media\aim.exe"
S2 AOL_Hosts;AOL Update Manager;"C:\WINDOWS\Media\aolupd.exe"
S2 hpopar03;hpopar03;C:\WINDOWS\system32\drivers\hpopar03.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-04 23:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 09:41:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 9:42:49
C:\ComboFix-quarantined-files.txt ... 2007-09-12 09:42
C:\ComboFix2.txt ... 2007-09-11 05:27
C:\ComboFix3.txt ... 2007-09-10 10:19
.
--- E O F ---


----------



## sjpritch25 (Sep 8, 2005)

Can you run Panda Activescan again and post the results. Thanks.


----------



## nataliew56241 (Jun 1, 2006)

Sorry, between work and kids, this took longer than I expected. Here's the latest panda activescan.

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.doubleclick.net/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.xiti.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[searchportal.information.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.statcounter.com/] 
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hg1.hitbox.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.tribalfusion.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[stat.onestat.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.tribalfusion.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.xiti.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/60960915] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[stat.onestat.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.target.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.go.com/] 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.bravenet.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.com.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/41164003] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/80503492] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[stat.onestat.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][2].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll 
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\UnInstall.exe 
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\Words.exe 
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir 
Adware:Adware/Yazzle Not disinfected


----------



## nataliew56241 (Jun 1, 2006)

C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwa.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\zzfwc.dll.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwp.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB.VIR.0.AVB 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ddbjdqdczpqn.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dj.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dmjy.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fe.exe.vir  
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fyptk.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\hdnvnbek.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ihijixfrdni.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\jk.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\khnsghfyktt.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kixazcgoe.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lwsiycpkdne.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lwzbbagdpagm.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\nfh.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\p.exe.vir 
Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir  
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\tbhm.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\umymrqxx.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\uykfa.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\womxhn.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\wxpl.exe.vir 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ambjui.exe 
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\asqaiwdqswwv.exe 
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup


----------



## sjpritch25 (Sep 8, 2005)

You can delete these files

*C:\Program Files\Words\UnInstall.exe 
C:\Program Files\Words\Words.exe 
C:\WINDOWS\system32\ambjui.exe 
C:\WINDOWS\system32\asqaiwdqswwv.exe 
*

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:
*
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
*
2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

In your next reply, please include a fresh Hijackthis log, and run another Panda activescan. Thanks.
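The triage the helper is doing by hand above (pick the few real files out of a Panda ActiveScan report full of tracking cookies and already-quarantined items, then find the HijackThis O4 autorun entry that launches one of them) can be scripted. This is an added example, not code from HijackThis, Panda or the forum helper; the sample report and log lines below are constructed in the formats seen in this thread, and the exclusion rules (cookies, ComboFix's qoobox quarantine, the removal tools' own components) are assumptions that mirror the helper's choices.

```python
"""Triage a Panda ActiveScan report against a HijackThis log (added example)."""
import re
from typing import Dict, List, Tuple

# Panda ActiveScan line: "<category>:<detection> <status> <location>"
PANDA_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<detection>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+?)\s*$"
)
# HijackThis O4 autorun line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)\s*$")

# Assumed exclusions: files ComboFix already moved to its quarantine, and
# components of the cleanup tools themselves (flagged as "unwanted tools").
QUARANTINE_DIR = "c:\\qoobox\\quarantine\\"
REMOVAL_TOOL_MARKERS = ("combofix.exe", "\\smitfraudfix\\", "\\nircmd.exe")

# Constructed sample data (user name and profile id are placeholders).
PANDA_SAMPLE = r"""Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt[.doubleclick.net/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\Words.exe
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ambjui.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup
"""
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them lower-cased."""
    return path.strip().lower()


def parse_panda(lines: List[str]) -> List[Dict[str, str]]:
    """Parse report lines. A trailing "[...]" (cookie domain or file inside an
    archive) is split off into 'member' so 'location' is a plain file path."""
    findings = []
    for line in lines:
        m = PANDA_RE.match(line)
        if not m:
            continue  # header line ("Incident Status Location") or blank
        f = m.groupdict()
        loc, member = f["location"], ""
        if loc.endswith("]") and "[" in loc:
            cut = loc.rindex("[")
            loc, member = loc[:cut], loc[cut + 1:-1]
        f["location"], f["member"] = loc, member
        findings.append(f)
    return findings


def command_path(cmd: str) -> str:
    """Executable from a Run-key command. Heuristic: a quoted path, else
    everything up to the first '.exe' (paths may contain spaces), else the
    first token (e.g. 'dumprep 0 -u')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (entry name, executable path) for every O4 Run entry."""
    return [(m.group("name"), command_path(m.group("cmd")))
            for m in map(O4_RE.match, lines) if m]


def actionable(f: Dict[str, str]) -> bool:
    """Keep only findings a cleanup would act on: still present, not a
    tracking cookie, not already in ComboFix's quarantine, not a tool file."""
    loc = norm(f["location"])
    if f["status"] != "Not disinfected" or f["detection"].startswith("Cookie/"):
        return False
    if loc.startswith(QUARANTINE_DIR):
        return False
    return not any(marker in loc for marker in REMOVAL_TOOL_MARKERS)


def delete_candidates(findings: List[Dict[str, str]]) -> List[str]:
    """File paths a helper would list for deletion, in report order."""
    return [f["location"] for f in findings if actionable(f)]


def autorun_hits(findings: List[Dict[str, str]],
                 o4_entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """O4 entries whose executable is one of the actionable findings; these
    are the HijackThis lines to tick before 'Fix Checked'."""
    flagged = {norm(p) for p in delete_candidates(findings)}
    return [(name, path) for name, path in o4_entries if norm(path) in flagged]


if __name__ == "__main__":
    found = parse_panda(PANDA_SAMPLE.splitlines())
    for path in delete_candidates(found):
        print("delete:", path)
    for name, path in autorun_hits(found, parse_o4(HJT_SAMPLE.splitlines())):
        print("fix O4 entry [%s] -> %s" % (name, path))
```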


----------



## nataliew56241 (Jun 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 9:17:20 AM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AiM Auto-Updater (AiM_SvC) - Unknown owner - C:\WINDOWS\media\aim.exe (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## nataliew56241 (Jun 1, 2006)

I deleted everything except word.exe - access was denied when I tried to delete it. Everything else worked. Will post the Panda scan when it's finished.


----------



## sjpritch25 (Sep 8, 2005)

Okay :up:


----------



## nataliew56241 (Jun 1, 2006)

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.doubleclick.net/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.xiti.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[searchportal.information.com/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.statcounter.com/] 
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hg1.hitbox.com/] 
Spyware:Cookie/Com.com Not disinfected  C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[.tribalfusion.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-1.txt[stat.onestat.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.com.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.go.com/] 
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.hotlog.ru/] 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.questionmarket.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.realmedia.com/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.target.com/] 
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.trafficmp.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.tribalfusion.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[.xiti.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/52580280] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/60960915] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/89451406] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/91338698] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies-2.txt[stat.onestat.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.target.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.go.com/] 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.bravenet.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[.com.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[searchportal.information.com/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/41164003] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected


----------



## nataliew56241 (Jun 1, 2006)

C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/80503492] 
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[server.iad.liveperson.net/hc/LPpacificsunwear] 
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Nikki Walton\Application Data\Mozilla\Firefox\Profiles\foqit6bd.default\cookies.txt[stat.onestat.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][1].txt 
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Nikki Walton\Cookies\[email protected][2].txt 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\ComboFix.exe[nircmd.exe] 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\Process.exe 
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Nikki Walton\Desktop\SmitfraudFix\restart.exe 
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll 
Adware:Adware/Winpopup Not disinfected C:\Program Files\Words\Words.exe 
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir 
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwa.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\zzfwc.dll.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwp.exe.vir 
Adware:Adware/Sqwire Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB.VIR.0.AVB 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ddbjdqdczpqn.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dj.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\dmjy.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fe.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\fyptk.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\hdnvnbek.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\ihijixfrdni.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\jk.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\khnsghfyktt.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\kixazcgoe.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lwsiycpkdne.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\lwzbbagdpagm.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\nfh.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\p.exe.vir 
Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\tbhm.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\umymrqxx.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\uykfa.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\womxhn.exe.vir 
Adware:Adware/SystemDoctor Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\wxpl.exe.vir 
Adware:Adware/Winpopup Not disinfected C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc18.exe 
Adware:Adware/SystemDoctor Not disinfected C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc19.exe 
Adware:Adware/SystemDoctor Not disinfected C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc20.exe 
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe  
Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup


----------



## sjpritch25 (Sep 8, 2005)

Download *OTMoveIt* by OldTimer and save to your Desktop.
Double-click on *OTMoveIt.exe* to launch the program.
Please copy the file/folder paths listed below - _highlight everything in red and press CTRL+C or right-click and choose *Copy*_.

*C:\Program Files\Words\Words.exe 
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc18.exe 
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc19.exe 
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc20.exe 
C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup*

Then in OTMoveIt, _right-click in the open text box labeled_ "*Paste List of Files/Folders to be Moved*" _and choose *Paste*_.
Click the red *MoveIt!* button.
The list will be processed and the results for each line will be displayed in the right-hand pane.
Highlight everything in the *Results* window, _press CTRL+C or right-click, choose *Copy*, right-click again_ and *Paste* it in your next reply.
Close the program when done.
_*Important!*_ _If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose *Yes*._

=================================

Download *SDFix* and save it to your Desktop.

Double-click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Open the extracted SDFix folder and double-click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


----------



## nataliew56241 (Jun 1, 2006)

results of move it:
C:\Program Files\Words\Words.exe moved successfully.
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc18.exe moved successfully.
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc19.exe moved successfully.
C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc20.exe moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20070906-152952.backup moved successfully.

Created on 09/14/2007 08:16:22


----------



## nataliew56241 (Jun 1, 2006)

sdfix:

SDFix: Version 1.104

Run by Administrator on Fri 09/14/2007 at 08:25 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
AiM_SvC

ImagePath:
"C:\WINDOWS\media\aim.exe"

AiM_SvC - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:Enabled:Realmon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\uninst.dll
C:\WINDOWS\system32\820D92CCE8.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\Nikki Walton\Application Data\Microsoft\Word\~WRL0002.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished!


----------



## nataliew56241 (Jun 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 8:43:48 AM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
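A triage pass over the HijackThis log format posted in this thread, as an added example that is not part of the original thread and not HijackThis code: it picks out entries whose registered target is no longer on disk, that launch from a temporary or Recycle Bin path, whose O4 target is a bare filename, or whose service has no named owner, which are the lines a helper normally checks first. The sample lines are copied from the log above; the flag rules are this example's own assumptions about what merits a second look.

```python
"""Triage pass over HijackThis v1.99-style log lines.

Added example, not part of the original thread and not HijackThis code.
The sample lines are copied from the log posted above; the flagging rules
(missing target, temp/Recycle Bin path, bare O4 filename, unknown service
owner) are this example's own assumptions about what merits a second look.
"""
import re
from dataclasses import dataclass, field

# Each log entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# Markers HijackThis prints when the registered component is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Legitimate autostart items are rarely launched from these locations.
SUSPECT_PATH_RE = re.compile(r"\\(Local Settings\\Temp|Temp|RECYCLER)\\", re.IGNORECASE)

# "HKLM\..\Run: [Name] command" -> the command part after the bracketed name.
RUN_RE = re.compile(r"\\Run\S*:\s+\[[^\]]*\]\s+(?P<cmd>.+)$")

# Constructed sample: lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
"""


@dataclass
class Entry:
    code: str                                  # section code, e.g. "O4"
    body: str                                  # everything after "O4 - "
    reasons: list = field(default_factory=list)  # why the entry was flagged


def parse_log(text):
    """Split a HijackThis log into Entry objects, ignoring non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def run_target(body):
    """Return the executable an O4 Run entry launches, or None for other bodies."""
    m = RUN_RE.search(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]   # quoted path; arguments follow the quote
    return cmd.split(" ", 1)[0]           # unquoted: first token is the target


def assess(entry):
    """Attach human-readable reasons to an entry; returns the reason list."""
    reasons = []
    if any(marker in entry.body for marker in MISSING_MARKERS):
        reasons.append("orphaned: registered component is no longer on disk")
    if SUSPECT_PATH_RE.search(entry.body):
        reasons.append("launches from a temporary or Recycle Bin location")
    if entry.code == "O4":
        target = run_target(entry.body)
        # A bare filename is resolved through the PATH search order, so the
        # binary that actually runs must be located and verified by hand.
        if target and "\\" not in target and not target.startswith("%"):
            reasons.append("bare filename: resolved through the PATH search order")
    if entry.code == "O23" and "Unknown owner" in entry.body:
        reasons.append("service binary carries no vendor information")
    entry.reasons = reasons
    return reasons


def flagged_entries(text):
    """Return [(code, reasons), ...] for every entry that earned a reason."""
    return [(e.code, e.reasons) for e in parse_log(text) if assess(e)]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        if assess(entry):
            print(f"{entry.code} - {entry.body}")
            for reason in entry.reasons:
                print(f"    -> {reason}")
```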


----------



## sjpritch25 (Sep 8, 2005)

How is everything running??


----------



## nataliew56241 (Jun 1, 2006)

Much better. No more pop-ups, I can access the control panel and use run again. Should I run spybot and adaware? Did you see anything bad in the last hijack this log?


----------



## sjpritch25 (Sep 8, 2005)

Log is clean.

*Your Java is out of date.* Older versions have vulnerabilities that malware can use to infect your system. *Please follow these steps to remove older version Java components and update.*

*Updating Java:*

Download the latest version of *Java Runtime Environment (JRE) 6u2*.
Scroll down to where it says "_Java Runtime Environment (JRE) 6 Update 2_".
Click the "*Download*" button to the right.
Check the box that says: "*Accept*_ License Agreement_".
The page will refresh.
Click on the link to download _Windows Offline Installation_ with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel* double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the *Remove* or *Change/Remove* button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on *jre-6u2-windowsi586-p.exe* to install the newest version.

Now that your system is clean you should *SET A NEW RESTORE POINT* *to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection*. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To *SET A NEW RESTORE POINT*:
1. Go to *Start* > *Programs* > *Accessories* > *System Tools* and click "*System Restore*".
2. Choose the radio button marked "*Create a Restore Point*" on the first screen then click "*Next*". Give the R.P. a name then click "*Create*". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to *Start* > *Run* and type: *Cleanmgr*
4. Click "*OK*".
5. Click the "*More Options*" Tab.
6. Click "*Clean Up*" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
*How to Create a Restore Point*.
*How to use Cleanmgr*.

======================================

Here is some useful information on keeping your computer clean:
The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
If you don't have a *Firewall* installed, please choose from the following:
*ZoneAlarm Free*
*Kerio Personal Firewall*

If you don't have an *Anti-Virus* installed, please download the following free program:
*AntiVir Personal Edition*

Here are two great Preventive programs:
SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
IESpyads adds a long list of bad sites to your Restricted sites in *Internet Explorer* and protects against drive by downloads.

Surf safely with McAfee's SiteAdvisor. SiteAdvisor will work with *Internet Explorer* and *Mozilla Firefox*. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
Red for *Warning*
Yellow for *Use Caution*
Green for *Safe*
Grey for *Unknown*

Here are the links to install SiteAdvisor in Internet Explorer and Firefox.

Anti-Spyware Programs I Recommend:
Lavasoft's Ad-Aware SE Personal
SuperAnti-Spyware

For even more information on securing your computer, read *Tony Klein's* So How Did I Get Infected In The First Place.


----------



## nataliew56241 (Jun 1, 2006)

Spybot is still flagging these things. I think the windows security warning is because I'm using eTrust as my antivirus software but what about the rest of this stuff?

--- Report generated: 2007-09-16 23:08 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ajcmimiipsi.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\dctscwsgerkv.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\dxp.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\eheagcsfcxma.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ej.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\gpchsvx.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\iafw.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\jpq.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\lupuzhdkgava.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\qbvbfa.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ronuqphhwqmy.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\casbddwj.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\cnkbpt.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\fwoqbfuxka.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\jjzewm.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\pla.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\przjlxo.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\qddakkj.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\rbt.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ungjjttrsccv.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\bnyqjhtm.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\eo.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\hyflugwy.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\vamona.exe

Virtumonde.Winpop: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\WinPop

Virtumonde.Winpop: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\WinPop

Virtumonde: Tracking cookie (Internet Explorer: Nikki Walton) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-08-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-12 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-12 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-12 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-12 Includes\KeyloggersC.sbi (*)
2004-05-12 Includes\LSP.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-12 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-12 Includes\PUPSC.sbi (*)
2007-09-12 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-12 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-12 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-12 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll


----------



## sjpritch25 (Sep 8, 2005)

Okay, let's look a little deeper.

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.
In the *Files Created Within* group click *60 days*
In the *Files Modified Within* group select *60 days*
In the *File String Search* group select *Non-Microsoft*
In the *Drivers Services* group select *Non-Microsoft*
In the *Additional Scans* group select *Desktop Components*, *Policy settings*, and *Security settings*

Now click the *Run Scan* button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the *Add Reply* button and Copy/Paste the information back here. I will review it when it comes in.


----------



## nataliew56241 (Jun 1, 2006)

WinPFind3 logfile created on: 9/18/2007 9:20:34 AM
WinPFind3U by OldTimer - Version 1.0.42	Folder = C:\Documents and Settings\Nikki Walton\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

510.07 Mb Total Physical Memory | 142.71 Mb Available Physical Memory | 27.98% Memory free
1.67 Gb Paging File | 1.18 Gb Available in Paging File | 70.19% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.34 Gb Total Space | 14.44 Gb Free Space | 20.24% Space Free
Drive D: | 476.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: NIKKI
Current User Name: Nikki Walton
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
airpluscfg.exe -> %ProgramFiles%\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe -> D-Link [Ver = 4, 0, 1, 51215 | Size = 2490368 bytes | Modified Date = 12/15/2005 1:21:52 PM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
desktopweather.exe -> %ProgramFiles%\The Weather Channel FW\Desktop Weather\DesktopWeather.exe -> The Weather Channel Interactive [Ver = 5, 2, 0, 1 | Size = 715888 bytes | Modified Date = 3/16/2007 7:51:26 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.6: 2007072518 | Size = 7644520 bytes | Modified Date = 8/1/2007 4:34:20 PM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/24/2007 1:07:02 AM | Attr = ]
hp product research.exe -> %ProgramFiles%\HP\Personal Printing Solutions Product Research\HP Product Research.exe -> Hewlett-Packard Corporation [Ver = 1.1.0.14 | Size = 368640 bytes | Modified Date = 1/16/2004 2:11:56 PM | Attr = ]
hpqste08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqste08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 204800 bytes | Modified Date = 5/12/2005 1:40:38 AM | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 282624 bytes | Modified Date = 5/12/2005 12:23:26 AM | Attr = ]
hprblog.exe -> %ProgramFiles%\HP\Digital Imaging\Product Assistant\bin\hprblog.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 77824 bytes | Modified Date = 5/12/2005 12:16:22 AM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 49152 bytes | Modified Date = 5/12/2005 12:12:54 AM | Attr = ]
inorpc.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoRpc.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 139536 bytes | Modified Date = 4/6/2004 6:13:54 PM | Attr = ]
inort.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoRT.exe -> Computer Associates International, Inc. [Ver = 7.1.410.1 | Size = 424457 bytes | Modified Date = 1/14/2005 2:33:20 PM | Attr = ]
inotask.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoTask.exe -> Computer Associates International, Inc. [Ver = 7.1.501.1 | Size = 270608 bytes | Modified Date = 5/31/2005 12:22:04 PM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
itunes.exe -> %ProgramFiles%\iTunes\iTunes.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 15338560 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 10/30/2006 10:36:36 AM | Attr = ]
ktchnsnk.exe -> %ProgramFiles%\Hewlett-Packard\HP OfficeJet Series 700\Bin\ktchnsnk.exe -> [Ver = | Size = 28672 bytes | Modified Date = 9/21/2001 10:53:42 AM | Attr = ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr = ]
realmon.exe -> %ProgramFiles%\CA\eTrust Antivirus\Realmon.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 504080 bytes | Modified Date = 4/6/2004 6:14:48 PM | Attr = ]
stsystra.exe -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4450.0 nd83 cp1 | Size = 339968 bytes | Modified Date = 3/22/2005 6:20:44 PM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 5:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
wzcsldr2.exe -> %ProgramFiles%\ANI\ANIWZCS2 Service\WZCSLDR2.exe -> Alpha Networks Inc. [Ver = 1, 0, 6, 41216 | Size = 49152 bytes | Modified Date = 11/30/2005 11:35:36 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(ANIWZCSdService) ANIWZCSd Service [Win32_Shared | Auto | Stopped] -> %ProgramFiles%\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -> Alpha Networks Inc. [Ver = 1, 0, 1, 30507 | Size = 49152 bytes | Modified Date = 11/30/2005 11:35:38 AM | Attr = ]
(AOL_Hosts) AOL Update Manager [Win32_Own | Auto | Stopped] -> %SystemRoot%\Media\aolupd.exe -> File not found
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 3/6/2007 9:05:00 PM | Attr = ]
(Bonjour Service) ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 6/30/2007 11:47:20 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 3/14/2007 8:58:02 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 1:41:10 AM | Attr = ]
(InoRPC) eTrust Antivirus RPC Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoRpc.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 139536 bytes | Modified Date = 4/6/2004 6:13:54 PM | Attr = ]
(InoRT) eTrust Antivirus Realtime Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoRT.exe -> Computer Associates International, Inc. [Ver = 7.1.410.1 | Size = 424457 bytes | Modified Date = 1/14/2005 2:33:20 PM | Attr = ]
(InoTask) eTrust Antivirus Job Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoTask.exe -> Computer Associates International, Inc. [Ver = 7.1.501.1 | Size = 270608 bytes | Modified Date = 5/31/2005 12:22:04 PM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Intel\PROSetWired\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 2.2.7.0 | Size = 147456 bytes | Modified Date = 11/19/2004 1:26:40 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) [Kernel | On_Demand | Running] -> %System32%\drivers\A3AB.sys -> D-Link Corporation [Ver = 4.1.2.72 | Size = 466880 bytes | Modified Date = 8/25/2005 4:00:26 PM | Attr = ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %System32%\drivers\aliide.sys -> Acer Laboratories Inc. [Ver = 1.20 | Size = 5248 bytes | Modified Date = 8/17/2001 3:51:56 PM | Attr = ]
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %System32%\drivers\AMDAGP.SYS -> Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 8/4/2004 1:07:44 AM | Attr = ]
(ANIO) ANIO Service [Kernel | Auto | Running] -> %System32%\ANIO.sys -> Alpha Networks Inc. [Ver = 2.0.2.51213 | Size = 28195 bytes | Modified Date = 12/11/2005 12:55:38 PM | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> %System32%\drivers\asc.sys -> Advanced System Products, Inc. [Ver = 2.9I-MS (XPClient.010817-1148) | Size = 26496 bytes | Modified Date = 8/17/2001 3:52:00 PM | Attr = ]
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %System32%\drivers\asc3550.sys -> Advanced System Products, Inc. [Ver = 3.1E-MS (XPClient.010817-1148) | Size = 14848 bytes | Modified Date = 8/17/2001 3:51:58 PM | Attr = ]
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> %System32%\drivers\asctrm.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.1 | Size = 8552 bytes | Modified Date = 11/28/2005 10:59:40 PM | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %System32%\drivers\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6677 | Size = 1972224 bytes | Modified Date = 3/2/2007 4:53:20 PM | Attr = ]
(BCM43XX) Linksys Wireless-G PCI Network Adapter Driver [Kernel | On_Demand | Stopped] -> system32\DRIVERS\bcmwl5.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\NIKKIW~1\LOCALS~1\Temp\catchme.sys -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %System32%\drivers\cmdide.sys -> CMD Technology, Inc. [Ver = 2.0.7 (XPClient.010817-1148) | Size = 6656 bytes | Modified Date = 8/17/2001 3:51:54 PM | Attr = ]
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %System32%\drivers\dac2w2k.sys -> Mylex Corporation [Ver = 6.00-21 (XPClient.010817-1148) | Size = 179584 bytes | Modified Date = 8/17/2001 3:52:16 PM | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(drvmcdb) drvmcdb [Kernel | Boot | Running] -> %System32%\drivers\drvmcdb.sys -> Sonic Solutions [Ver = 3.22.03a | Size = 87488 bytes | Modified Date = 12/1/2004 5:22:00 AM | Attr = ]
(drvnddm) drvnddm [File_System | Auto | Running] -> %System32%\drivers\drvnddm.sys -> Sonic Solutions [Ver = 2.56.43a | Size = 40480 bytes | Modified Date = 11/23/2004 4:56:00 AM | Attr = ]
(E100B) Intel(R) PRO Network Connection Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 8/17/2001 12:12:10 PM | Attr = ]
(GTNDIS5) GTNDIS5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %System32%\GTNDIS5.sys -> Printing Communications Assoc., Inc. (PCAUSA) [Ver = 5.03.16.54 | Size = 15872 bytes | Modified Date = 9/25/2003 11:15:32 PM | Attr = ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %System32%\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5011 built by: WinDDK | Size = 137728 bytes | Modified Date = 8/12/2004 7:45:54 PM | Attr = ]
(hpopar03) hpopar03 [Kernel | Auto | Stopped] -> %System32%\drivers\hpopar03.SYS -> File not found
(INO_FLPY) INO_FLPY [File_System | Boot | Running] -> %System32%\drivers\ino_flpy.sys -> Computer Associates [Ver = 5.00.6100.109 | Size = 20352 bytes | Modified Date = 1/5/2005 7:05:08 PM | Attr = ]
(INO_FLTR) INO_FLTR [File_System | Auto | Running] -> %System32%\drivers\ino_fltr.sys -> Computer Associates [Ver = 5.00.6100.149 | Size = 158976 bytes | Modified Date = 8/12/2005 12:35:10 AM | Attr = ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %System32%\drivers\mraid35x.sys -> American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 8/17/2001 3:52:12 PM | Attr = ]
(nv) nv [Kernel | On_Demand | Stopped] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 8/4/2004 12:29:56 AM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.03.32a | Size = 20640 bytes | Modified Date = 4/25/2005 4:03:00 AM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1080.sys -> QLogic Corporation [Ver = 3.04 | Size = 40320 bytes | Modified Date = 8/17/2001 3:52:20 PM | Attr = ]
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql12160.sys -> QLogic Corporation [Ver = 7.13.02 (W64) | Size = 45312 bytes | Modified Date = 8/17/2001 3:52:20 PM | Attr = ]
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1280.sys -> QLogic Corporation [Ver = 7.13.01 (W2K) | Size = 49024 bytes | Modified Date = 8/17/2001 3:52:18 PM | Attr = ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10/10/2006 1:53:48 PM | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 2/16/2006 5:51:08 PM | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> [Ver = 1, 0, 0, 1036 | Size = 32256 bytes | Modified Date = 2/27/2007 12:39:26 PM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %System32%\drivers\SISAGP.SYS -> Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 8/4/2004 1:07:44 AM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %System32%\drivers\sparrow.sys -> Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 8/17/2001 4:07:44 PM | Attr = ]
(sscdbhk5) sscdbhk5 [File_System | System | Running] -> %System32%\drivers\sscdbhk5.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 5627 bytes | Modified Date = 7/14/2004 1:29:04 PM | Attr = ]
(ssrtln) ssrtln [File_System | System | Running] -> %System32%\drivers\ssrtln.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 23545 bytes | Modified Date = 7/14/2004 1:28:50 PM | Attr = ]
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %System32%\drivers\sthda.sys -> SigmaTel, Inc. [Ver = 5.10.4823.0 nd322 cp1 | Size = 1047816 bytes | Modified Date = 11/16/2005 4:36:00 PM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> %System32%\drivers\symc810.sys -> Symbios Logic Inc. [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 16256 bytes | Modified Date = 8/17/2001 4:07:34 PM | Attr = ]
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %System32%\drivers\symc8xx.sys -> LSI Logic [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 32640 bytes | Modified Date = 8/17/2001 4:07:36 PM | Attr = ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_hi.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 28384 bytes | Modified Date = 8/17/2001 4:07:40 PM | Attr = ]
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_u3.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 30688 bytes | Modified Date = 8/17/2001 4:07:42 PM | Attr = ]
(szkg) szkg [Kernel | Boot | Stopped] -> %System32%\DRIVERS\szkg.sys -> File not found
(tfsnboio) tfsnboio [File_System | Auto | Running] -> %System32%\dla\tfsnboio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 25883 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsncofs) tfsncofs [File_System | Auto | Running] -> %System32%\dla\tfsncofs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 34843 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsndrct) tfsndrct [File_System | Auto | Running] -> %System32%\dla\tfsndrct.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 4123 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsndres) tfsndres [File_System | Auto | Running] -> %System32%\dla\tfsndres.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 2239 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnifs) tfsnifs [File_System | Auto | Running] -> %System32%\dla\tfsnifs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 86586 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnopio) tfsnopio [File_System | Auto | Running] -> %System32%\dla\tfsnopio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 15227 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnpool) tfsnpool [File_System | Auto | Running] -> %System32%\dla\tfsnpool.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 6363 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnudf) tfsnudf [File_System | Auto | Running] -> %System32%\dla\tfsnudf.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 98714 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %System32%\dla\tfsnudfa.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 100603 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(ultra) ultra [Kernel | Disabled | Stopped] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 3:52:22 PM | Attr = ]
(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped] -> system32\DRIVERS\wanatw4.sys -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found


----------



## nataliew56241 (Jun 1, 2006)

WinPFind3 logfile created on: 9/18/2007 9:20:34 AM
WinPFind3U by OldTimer - Version 1.0.42	Folder = C:\Documents and Settings\Nikki Walton\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

510.07 Mb Total Physical Memory | 142.71 Mb Available Physical Memory | 27.98% Memory free
1.67 Gb Paging File | 1.18 Gb Available in Paging File | 70.19% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.34 Gb Total Space | 14.44 Gb Free Space | 20.24% Space Free
Drive D: | 476.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: NIKKI
Current User Name: Nikki Walton
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
airpluscfg.exe -> %ProgramFiles%\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe -> D-Link [Ver = 4, 0, 1, 51215 | Size = 2490368 bytes | Modified Date = 12/15/2005 1:21:52 PM | Attr = ]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
desktopweather.exe -> %ProgramFiles%\The Weather Channel FW\Desktop Weather\DesktopWeather.exe -> The Weather Channel Interactive [Ver = 5, 2, 0, 1 | Size = 715888 bytes | Modified Date = 3/16/2007 7:51:26 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.6: 2007072518 | Size = 7644520 bytes | Modified Date = 8/1/2007 4:34:20 PM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/24/2007 1:07:02 AM | Attr = ]
hp product research.exe -> %ProgramFiles%\HP\Personal Printing Solutions Product Research\HP Product Research.exe -> Hewlett-Packard Corporation [Ver = 1.1.0.14 | Size = 368640 bytes | Modified Date = 1/16/2004 2:11:56 PM | Attr = ]
hpqste08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqste08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 204800 bytes | Modified Date = 5/12/2005 1:40:38 AM | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 282624 bytes | Modified Date = 5/12/2005 12:23:26 AM | Attr = ]
hprblog.exe -> %ProgramFiles%\HP\Digital Imaging\Product Assistant\bin\hprblog.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 77824 bytes | Modified Date = 5/12/2005 12:16:22 AM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 49152 bytes | Modified Date = 5/12/2005 12:12:54 AM | Attr = ]
inorpc.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoRpc.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 139536 bytes | Modified Date = 4/6/2004 6:13:54 PM | Attr = ]
inort.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoRT.exe -> Computer Associates International, Inc. [Ver = 7.1.410.1 | Size = 424457 bytes | Modified Date = 1/14/2005 2:33:20 PM | Attr = ]
inotask.exe -> %ProgramFiles%\CA\eTrust Antivirus\InoTask.exe -> Computer Associates International, Inc. [Ver = 7.1.501.1 | Size = 270608 bytes | Modified Date = 5/31/2005 12:22:04 PM | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
itunes.exe -> %ProgramFiles%\iTunes\iTunes.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 15338560 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 10/30/2006 10:36:36 AM | Attr = ]
ktchnsnk.exe -> %ProgramFiles%\Hewlett-Packard\HP OfficeJet Series 700\Bin\ktchnsnk.exe -> [Ver = | Size = 28672 bytes | Modified Date = 9/21/2001 10:53:42 AM | Attr = ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr = ]
realmon.exe -> %ProgramFiles%\CA\eTrust Antivirus\Realmon.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 504080 bytes | Modified Date = 4/6/2004 6:14:48 PM | Attr = ]
stsystra.exe -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4450.0 nd83 cp1 | Size = 339968 bytes | Modified Date = 3/22/2005 6:20:44 PM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 112336 bytes | Modified Date = 1/4/2007 5:38:20 PM | Attr = ]
viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
wzcsldr2.exe -> %ProgramFiles%\ANI\ANIWZCS2 Service\WZCSLDR2.exe -> Alpha Networks Inc. [Ver = 1, 0, 6, 41216 | Size = 49152 bytes | Modified Date = 11/30/2005 11:35:36 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(ANIWZCSdService) ANIWZCSd Service [Win32_Shared | Auto | Stopped] -> %ProgramFiles%\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -> Alpha Networks Inc. [Ver = 1, 0, 1, 30507 | Size = 49152 bytes | Modified Date = 11/30/2005 11:35:38 AM | Attr = ]
(AOL_Hosts) AOL Update Manager [Win32_Own | Auto | Stopped] -> %SystemRoot%\Media\aolupd.exe -> File not found
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> Apple, Inc. [Ver = 1, 12, 0, 0 | Size = 106496 bytes | Modified Date = 6/28/2007 4:06:52 AM | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 446464 bytes | Modified Date = 3/2/2007 4:46:14 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 3/6/2007 9:05:00 PM | Attr = ]
(Bonjour Service) ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2/28/2006 12:42:38 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 6/30/2007 11:47:20 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 3/14/2007 8:58:02 PM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/4/2005 1:41:10 AM | Attr = ]
(InoRPC) eTrust Antivirus RPC Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoRpc.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 139536 bytes | Modified Date = 4/6/2004 6:13:54 PM | Attr = ]
(InoRT) eTrust Antivirus Realtime Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoRT.exe -> Computer Associates International, Inc. [Ver = 7.1.410.1 | Size = 424457 bytes | Modified Date = 1/14/2005 2:33:20 PM | Attr = ]
(InoTask) eTrust Antivirus Job Server [Win32_Own | Auto | Running] -> %ProgramFiles%\CA\eTrust Antivirus\InoTask.exe -> Computer Associates International, Inc. [Ver = 7.1.501.1 | Size = 270608 bytes | Modified Date = 5/31/2005 12:22:04 PM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Intel\PROSetWired\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 2.2.7.0 | Size = 147456 bytes | Modified Date = 11/19/2004 1:26:40 PM | Attr = ]
(Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe -> Viewpoint Corporation [Ver = 2, 0, 0, 54 | Size = 24652 bytes | Modified Date = 1/4/2007 5:38:10 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) [Kernel | On_Demand | Running] -> %System32%\drivers\A3AB.sys -> D-Link Corporation [Ver = 4.1.2.72 | Size = 466880 bytes | Modified Date = 8/25/2005 4:00:26 PM | Attr = ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %System32%\drivers\aliide.sys -> Acer Laboratories Inc. [Ver = 1.20 | Size = 5248 bytes | Modified Date = 8/17/2001 3:51:56 PM | Attr = ]
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %System32%\drivers\AMDAGP.SYS -> Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 8/4/2004 1:07:44 AM | Attr = ]
(ANIO) ANIO Service [Kernel | Auto | Running] -> %System32%\ANIO.sys -> Alpha Networks Inc. [Ver = 2.0.2.51213 | Size = 28195 bytes | Modified Date = 12/11/2005 12:55:38 PM | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> %System32%\drivers\asc.sys -> Advanced System Products, Inc. [Ver = 2.9I-MS (XPClient.010817-1148) | Size = 26496 bytes | Modified Date = 8/17/2001 3:52:00 PM | Attr = ]
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %System32%\drivers\asc3550.sys -> Advanced System Products, Inc. [Ver = 3.1E-MS (XPClient.010817-1148) | Size = 14848 bytes | Modified Date = 8/17/2001 3:51:58 PM | Attr = ]
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> %System32%\drivers\asctrm.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.1 | Size = 8552 bytes | Modified Date = 11/28/2005 10:59:40 PM | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %System32%\drivers\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6677 | Size = 1972224 bytes | Modified Date = 3/2/2007 4:53:20 PM | Attr = ]
(BCM43XX) Linksys Wireless-G PCI Network Adapter Driver [Kernel | On_Demand | Stopped] -> system32\DRIVERS\bcmwl5.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\NIKKIW~1\LOCALS~1\Temp\catchme.sys -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %System32%\drivers\cmdide.sys -> CMD Technology, Inc. [Ver = 2.0.7 (XPClient.010817-1148) | Size = 6656 bytes | Modified Date = 8/17/2001 3:51:54 PM | Attr = ]
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %System32%\drivers\dac2w2k.sys -> Mylex Corporation [Ver = 6.00-21 (XPClient.010817-1148) | Size = 179584 bytes | Modified Date = 8/17/2001 3:52:16 PM | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(dmio) dmio [Kernel | Disabled | Stopped] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(dmload) dmload [Kernel | Disabled | Stopped] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(drvmcdb) drvmcdb [Kernel | Boot | Running] -> %System32%\drivers\drvmcdb.sys -> Sonic Solutions [Ver = 3.22.03a | Size = 87488 bytes | Modified Date = 12/1/2004 5:22:00 AM | Attr = ]
(drvnddm) drvnddm [File_System | Auto | Running] -> %System32%\drivers\drvnddm.sys -> Sonic Solutions [Ver = 2.56.43a | Size = 40480 bytes | Modified Date = 11/23/2004 4:56:00 AM | Attr = ]
(E100B) Intel(R) PRO Network Connection Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 8/17/2001 12:12:10 PM | Attr = ]
(GTNDIS5) GTNDIS5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %System32%\GTNDIS5.sys -> Printing Communications Assoc., Inc. (PCAUSA) [Ver = 5.03.16.54 | Size = 15872 bytes | Modified Date = 9/25/2003 11:15:32 PM | Attr = ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %System32%\drivers\Hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5011 built by: WinDDK | Size = 137728 bytes | Modified Date = 8/12/2004 7:45:54 PM | Attr = ]
(hpopar03) hpopar03 [Kernel | Auto | Stopped] -> %System32%\drivers\hpopar03.SYS -> File not found
(INO_FLPY) INO_FLPY [File_System | Boot | Running] -> %System32%\drivers\ino_flpy.sys -> Computer Associates [Ver = 5.00.6100.109 | Size = 20352 bytes | Modified Date = 1/5/2005 7:05:08 PM | Attr = ]
(INO_FLTR) INO_FLTR [File_System | Auto | Running] -> %System32%\drivers\ino_fltr.sys -> Computer Associates [Ver = 5.00.6100.149 | Size = 158976 bytes | Modified Date = 8/12/2005 12:35:10 AM | Attr = ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %System32%\drivers\mraid35x.sys -> American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 8/17/2001 3:52:12 PM | Attr = ]
(nv) nv [Kernel | On_Demand | Stopped] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 8/4/2004 12:29:56 AM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.03.32a | Size = 20640 bytes | Modified Date = 4/25/2005 4:03:00 AM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1080.sys -> QLogic Corporation [Ver = 3.04 | Size = 40320 bytes | Modified Date = 8/17/2001 3:52:20 PM | Attr = ]
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql12160.sys -> QLogic Corporation [Ver = 7.13.02 (W64) | Size = 45312 bytes | Modified Date = 8/17/2001 3:52:20 PM | Attr = ]
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1280.sys -> QLogic Corporation [Ver = 7.13.01 (W2K) | Size = 49024 bytes | Modified Date = 8/17/2001 3:52:18 PM | Attr = ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 10/10/2006 1:53:48 PM | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 2/16/2006 5:51:08 PM | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> [Ver = 1, 0, 0, 1036 | Size = 32256 bytes | Modified Date = 2/27/2007 12:39:26 PM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %System32%\drivers\SISAGP.SYS -> Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 8/4/2004 1:07:44 AM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %System32%\drivers\sparrow.sys -> Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 8/17/2001 4:07:44 PM | Attr = ]
(sscdbhk5) sscdbhk5 [File_System | System | Running] -> %System32%\drivers\sscdbhk5.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 5627 bytes | Modified Date = 7/14/2004 1:29:04 PM | Attr = ]
(ssrtln) ssrtln [File_System | System | Running] -> %System32%\drivers\ssrtln.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 23545 bytes | Modified Date = 7/14/2004 1:28:50 PM | Attr = ]
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %System32%\drivers\sthda.sys -> SigmaTel, Inc. [Ver = 5.10.4823.0 nd322 cp1 | Size = 1047816 bytes | Modified Date = 11/16/2005 4:36:00 PM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> %System32%\drivers\symc810.sys -> Symbios Logic Inc. [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 16256 bytes | Modified Date = 8/17/2001 4:07:34 PM | Attr = ]
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %System32%\drivers\symc8xx.sys -> LSI Logic [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 32640 bytes | Modified Date = 8/17/2001 4:07:36 PM | Attr = ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_hi.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 28384 bytes | Modified Date = 8/17/2001 4:07:40 PM | Attr = ]
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_u3.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 30688 bytes | Modified Date = 8/17/2001 4:07:42 PM | Attr = ]
(szkg) szkg [Kernel | Boot | Stopped] -> %System32%\DRIVERS\szkg.sys -> File not found
(tfsnboio) tfsnboio [File_System | Auto | Running] -> %System32%\dla\tfsnboio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 25883 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsncofs) tfsncofs [File_System | Auto | Running] -> %System32%\dla\tfsncofs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 34843 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsndrct) tfsndrct [File_System | Auto | Running] -> %System32%\dla\tfsndrct.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 4123 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsndres) tfsndres [File_System | Auto | Running] -> %System32%\dla\tfsndres.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 2239 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnifs) tfsnifs [File_System | Auto | Running] -> %System32%\dla\tfsnifs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 86586 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnopio) tfsnopio [File_System | Auto | Running] -> %System32%\dla\tfsnopio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 15227 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnpool) tfsnpool [File_System | Auto | Running] -> %System32%\dla\tfsnpool.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 6363 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnudf) tfsnudf [File_System | Auto | Running] -> %System32%\dla\tfsnudf.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 98714 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %System32%\dla\tfsnudfa.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 100603 bytes | Modified Date = 12/6/2004 3:05:00 AM | Attr = ]
(ultra) ultra [Kernel | Disabled | Stopped] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 3:52:22 PM | Attr = ]
(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped] -> system32\DRIVERS\wanatw4.sys -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found


----------



## nataliew56241 (Jun 1, 2006)

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
ANIWZCS2Service -> %ProgramFiles%\ANI\ANIWZCS2 Service\WZCSLDR2.exe -> Alpha Networks Inc. [Ver = 1, 0, 6, 41216 | Size = 49152 bytes | Modified Date = 11/30/2005 11:35:36 AM | Attr = ]
ATIPTA -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe -> ATI Technologies, Inc. [Ver = 6.14.10.5183 | Size = 344064 bytes | Modified Date = 2/9/2006 9:05:00 PM | Attr = ]
D-Link RangeBooster G WDA-2320 -> %ProgramFiles%\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe -> D-Link [Ver = 4, 0, 1, 51215 | Size = 2490368 bytes | Modified Date = 12/15/2005 1:21:52 PM | Attr = ]
HP Metrics -> %ProgramFiles%\HP\Personal Printing Solutions Product Research\HP Product Research.exe -> Hewlett-Packard Corporation [Ver = 1.1.0.14 | Size = 368640 bytes | Modified Date = 1/16/2004 2:11:56 PM | Attr = ]
HP OfficeJet Series 700 -> %ProgramFiles%\Hewlett-Packard\HP OfficeJet Series 700\Bin\ktchnsnk.exe -> [Ver = | Size = 28672 bytes | Modified Date = 9/21/2001 10:53:42 AM | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\HPWuSchd2.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 49152 bytes | Modified Date = 5/12/2005 12:12:54 AM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 10/30/2006 10:36:36 AM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe -> Apple Inc. [Ver = 7.2 | Size = 286720 bytes | Modified Date = 6/29/2007 6:24:52 AM | Attr = ]
Realtime Monitor -> %ProgramFiles%\CA\eTrust Antivirus\Realmon.exe -> Computer Associates International, Inc. [Ver = 7.1.192.0 | Size = 504080 bytes | Modified Date = 4/6/2004 6:14:48 PM | Attr = ]
SigmatelSysTrayApp -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4450.0 nd83 cp1 | Size = 339968 bytes | Modified Date = 3/22/2005 6:20:44 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_02\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
UserFaultCheck -> -> File not found
< RunOnce [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
SpybotDeletingA194 -> command /c del "%System32%\ungjjttrsccv.exe -> File not found
SpybotDeletingA2511 -> command /c del "%System32%\rbt.exe -> File not found
SpybotDeletingA2867 -> command /c del "%System32%\bnyqjhtm.exe -> File not found
SpybotDeletingA4750 -> command /c del "%System32%\eo.exe -> File not found
SpybotDeletingA4907 -> command /c del "%System32%\vamona.exe -> File not found
SpybotDeletingA7303 -> command /c del "%System32%\qddakkj.exe -> File not found
SpybotDeletingA8828 -> command /c del "%System32%\hyflugwy.exe -> File not found
SpybotDeletingC2594 -> cmd /c del "%System32%\eo.exe -> File not found
SpybotDeletingC393 -> cmd /c del "%System32%\hyflugwy.exe -> File not found
SpybotDeletingC4514 -> cmd /c del "%System32%\vamona.exe -> File not found
SpybotDeletingC5522 -> cmd /c del "%System32%\qddakkj.exe -> File not found
SpybotDeletingC607 -> cmd /c del "%System32%\bnyqjhtm.exe -> File not found
SpybotDeletingC715 -> cmd /c del "%System32%\rbt.exe -> File not found
SpybotDeletingC9792 -> cmd /c del "%System32%\ungjjttrsccv.exe -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ -> 
IMAIL -> Installed = 1 -> 
MAPI -> Installed = 1 -> 
MSFS -> Installed = 1 -> 
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
AdobeUpdater -> %CommonProgramFiles%\Adobe\Updater5\AdobeUpdater.exe -> Adobe Systems Incorporated [Ver = 5, 1, 0, 1082 | Size = 2321600 bytes | Modified Date = 2/28/2007 11:06:56 PM | Attr = ]
Aim6 -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50736 bytes | Modified Date = 4/27/2007 5:17:28 PM | Attr = ]
DW4 -> %ProgramFiles%\The Weather Channel FW\Desktop Weather\DesktopWeather.exe -> The Weather Channel Interactive [Ver = 5, 2, 0, 1 | Size = 715888 bytes | Modified Date = 3/16/2007 7:51:26 AM | Attr = ]
OurPictures -> %ProgramFiles%\RitzPix E-Z Print & Share\OurPictures.exe -> Simple Star, Inc. [Ver = 2.5.0.284 | Size = 4796416 bytes | Modified Date = 6/19/2006 6:30:00 PM | Attr = ]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/24/2007 1:07:02 AM | Attr = ]
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,249 | Size = 4670968 bytes | Modified Date = 3/27/2007 3:22:56 PM | Attr = ]
< RunOnce [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
SpybotDeletingB1062 -> command /c del "%System32%\qddakkj.exe -> File not found
SpybotDeletingB3197 -> command /c del "%System32%\vamona.exe -> File not found
SpybotDeletingB4448 -> command /c del "%System32%\bnyqjhtm.exe -> File not found
SpybotDeletingB5716 -> command /c del "%System32%\ungjjttrsccv.exe -> File not found
SpybotDeletingB5827 -> command /c del "%System32%\hyflugwy.exe -> File not found
SpybotDeletingB7121 -> command /c del "%System32%\rbt.exe -> File not found
SpybotDeletingB8040 -> command /c del "%System32%\eo.exe -> File not found
SpybotDeletingD1346 -> cmd /c del "%System32%\hyflugwy.exe -> File not found
SpybotDeletingD17 -> cmd /c del "%System32%\qddakkj.exe -> File not found
SpybotDeletingD2767 -> cmd /c del "%System32%\vamona.exe -> File not found
SpybotDeletingD289 -> cmd /c del "%System32%\bnyqjhtm.exe -> File not found
SpybotDeletingD3637 -> cmd /c del "%System32%\eo.exe -> File not found
SpybotDeletingD6917 -> cmd /c del "%System32%\rbt.exe -> File not found
SpybotDeletingD8833 -> cmd /c del "%System32%\ungjjttrsccv.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
%AllUsersStartup%\Forget Me Not.lnk -> %ProgramFiles%\Broderbund\AG CreataCard\AGRemind.exe -> TLC Productivity Properties LLC [Ver = 3, 0, 0, 840 | Size = 323584 bytes | Modified Date = 7/3/2001 5:12:02 PM | Attr = ]
%AllUsersStartup%\HP Digital Imaging Monitor.lnk -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 282624 bytes | Modified Date = 5/12/2005 12:23:26 AM | Attr = ]
< User Startup > -> C:\Documents and Settings\Nikki Walton\Start Menu\Programs\Startup -> 
%UserStartup%\RollerCoaster Tycoon 3_ Wild Registration.lnk -> %LocalSettings%\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4162 | Size = 110592 bytes | Modified Date = 3/2/2007 4:47:20 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> -> 
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
127.0.0.1 localhost -> -> 
< Internet Explorer Settings > -> -> 
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Local Page -> C:\windows\system32\blank.htm -> 
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home -> 
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Local Page -> C:\windows\system32\blank.htm -> 
HKCU: Search Bar -> http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE -> 
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKCU: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome -> 
HKCU: URLSearchHooks\\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} [HKLM] -> %ProgramFiles%\MyWaySA\SrchAsDe\deSrcAs.dll [] -> MyWay.com [Ver = 1, 0, 1, 14 | Size = 86016 bytes | Modified Date = 6/14/2005 3:56:30 PM | Attr = ]
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
HKCU: ProxyEnable -> 0 -> 
HKCU: ProxyOverride -> *.local -> 
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
msn.com [ - ] -> -> 
online_musicmatch.com [https] -> -> 
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{4D25F921-B9FE-4682-BF72-8AB8210D6D75} [HKLM] -> %ProgramFiles%\MyWaySA\SrchAsDe\deSrcAs.dll [] -> MyWay.com [Ver = 1, 0, 1, 14 | Size = 86016 bytes | Modified Date = 6/14/2005 3:56:30 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 2:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 3/14/2007 8:58:00 PM | Attr = R ]
{2E5E800E-6AC0-411E-940A-369530A35E43} [HKLM] -> %System32%\TwcToolbarIe7.dll [The Weather Channel Toolbar] -> [Ver = 1, 2, 0, 0 | Size = 262144 bytes | Modified Date = 2/12/2007 3:12:44 PM | Attr = ]
{BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
SITEguard [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 3/14/2007 8:58:00 PM | Attr = R ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 4:00:36 AM | Attr = ]
{2E5E800E-6AC0-411E-940A-369530A35E43} -> Reg Data - Value does not exist [ButtonText: The Weather Channel] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{0A130AD9-4C3C-4640-964B-9A27DA73301C} -> (Intel(R) PRO/100 VE Network Connection) -> 
{12B8776D-FE59-4798-A944-FFE649B07A12} -> (D-Link WDA-2320 Desktop Adapter) -> 
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 94208 bytes | Modified Date = 2/28/2006 12:42:30 PM | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{01A88BB1-1174-41EC-ACCB-963509EAE56B} -> SysProWmi Class - CodeBase = http://support.dell.com/systemprofiler/SysPro.CAB -> 
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906 -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968 -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab -> 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab -> 
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -> Get_ActiveX Control - CodeBase = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx -> 
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab ->

[Registry - Additional Scans - Non-Microsoft Only]
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\ -> 
0 -> [Key] -> 
0 -> FriendlyName = My Current Home Page -> 
0 -> Source = About:Home -> 
0 -> SubscribedURL = About:Home -> 
< Security Settings > -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\\DisableMonitoring -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Start -> 3 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ImagePath -> %SystemRoot%\system32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DisplayName -> Background Intelligent Transfer Service -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnService -> RpcSs; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnGroup -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Description -> Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\FailureActions -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\\ServiceDll -> C:\WINDOWS\system32\qmgr.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\0 -> Root\LEGACY_BITS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Sharing -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 22225 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:*:Enabledxpsp2res.dll,-22004 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:*:Enabledxpsp2res.dll,-22005 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:*:Enabledxpsp2res.dll,-22001 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:*:Enabledxpsp2res.dll,-22002 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->


----------



## sjpritch25 (Sep 8, 2005)

Please attach the log, it's cut off. Thanks.


----------



## nataliew56241 (Jun 1, 2006)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\CA\eTrust Antivirus\Realmon.exe -> C:\Program Files\CA\eTrust Antivirus\Realmon.exe:*:Enabled:Realmon -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\AIM6\aim6.exe -> C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe -> C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabledxpsp2res.dll,-22004 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabledxpsp2res.dll,-22005 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabledxpsp2res.dll,-22001 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabledxpsp2res.dll,-22002 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings\\AllowInboundEchoRequest -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 -> 
< Software Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\policies\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Conferencing\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\internet explorer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\internet explorer\control panel\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\internet explorer\restrictions\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\Client\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Messenger\Client\\PreventAutoRun -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Installer\\EnableAdminTSRemote -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\RTC\PortRange\\Enabled -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\ExecutableTypes -> ADE;ADP;BAS;BAT;CHM;CMD;COM;CPL;CRT;EXE;HLP;HTA;INF;INS;ISP;LNK;MDB;MDE;MSC;MSI;MSP;MST;OCX;PCD;PIF;REG;SCR;SHS;URL;VB;WSC; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\TransparentEnabled -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\DefaultLevel -> 262144 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\AuthenticodeEnabled -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\\PolicyScope -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\Description -> Stop the download of this file -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\FriendlyName -> Mdac11.cab -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\HashAlg -> 32771 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemData -> ^«0O•zI‰j
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\\ItemSize -> ; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\Description -> Stop the download of this file -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\FriendlyName -> mdac20.cab -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\HashAlg -> 32771 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemData -> g°Ô‹4:?Ó¼éÜdgó" -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\\ItemSize -> ; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\Description -> Stop the download of this file -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\FriendlyName -> mdac20_a.cab -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\HashAlg -> 32771 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemData -> 2xÜþøÈ"ÜŠ°Ý„} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\\ItemSize -> -; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\Description -> Stop the download of this file -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\FriendlyName -> _msadc10.cab -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\HashAlg -> 32771 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemData -> ½š*ÛBëØV%Mø/g -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\\ItemSize -> å; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\Description -> Stop the download of this file -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\FriendlyName -> msadc11.cab -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\HashAlg -> 32771 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemData -> 8k_„ìöiÓk•j"À€ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\\ItemSize -> r; -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\Description -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\SaferFlags -> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\ItemData -> %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\\LastModified -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\Windows Update\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\WindowsUpdate\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows\WindowsUpdate\AU\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services\ -> -> 
< Software Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\policies\ -> 
HKEY_CURRENT_USER\Software\Policies\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer\control panel\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer\restrictions\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\AppCompat\ -> -> 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\ -> ->

[Files/Folders - Created Within 60 days]
bootlogsect.exe -> %SystemDrive%\bootlogsect.exe -> [Ver = | Size = 177965 bytes | Created Date = 9/11/2007 7:24:17 AM | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 9/12/2007 8:35:31 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 534925312 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 9/9/2007 3:02:57 PM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 9/14/2007 7:20:44 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 9/14/2007 7:16:22 AM | Attr = ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ -> [Folder | Created Date = 8/18/2007 2:04:18 AM | Attr = H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ -> [Folder | Created Date = 8/29/2007 2:00:55 AM | Attr = H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ -> [Folder | Created Date = 8/18/2007 2:04:31 AM | Attr = H ]
$NtUninstallKB936782_WMP10$ -> %SystemRoot%\$NtUninstallKB936782_WMP10$ -> [Folder | Created Date = 8/18/2007 2:00:44 AM | Attr = H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ -> [Folder | Created Date = 8/18/2007 2:04:24 AM | Attr = H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ -> [Folder | Created Date = 8/18/2007 2:04:10 AM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 109056 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 9/9/2007 9:07:00 AM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 9/14/2007 7:24:18 AM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
Pure Digital Prefs -> %SystemRoot%\Pure Digital Prefs -> [Folder | Created Date = 8/18/2007 7:17:15 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 9/17/2007 2:32:20 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 9/17/2007 2:32:20 AM | Attr = H ]
setup86x -> %SystemRoot%\setup86x -> [Folder | Created Date = 9/11/2007 7:24:22 AM | Attr = ]
SStylerProDemo.ini -> %SystemRoot%\SStylerProDemo.ini -> [Ver = | Size = 491 bytes | Created Date = 8/4/2007 6:49:01 PM | Attr = ]
temp -> %SystemRoot%\temp -> [Folder | Created Date = 9/12/2007 8:43:19 AM | Attr = ]
Twain001.Mtx -> %SystemRoot%\Twain001.Mtx -> [Ver = | Size = 2 bytes | Created Date = 7/25/2007 6:57:40 PM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 9/11/2007 4:36:13 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 9/11/2007 4:36:39 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 9/11/2007 4:36:16 AM | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 135168 bytes | Created Date = 9/16/2007 8:54:25 AM | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 69632 bytes | Created Date = 9/16/2007 8:54:25 AM | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 135168 bytes | Created Date = 9/16/2007 8:54:25 AM | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 139264 bytes | Created Date = 9/16/2007 8:54:25 AM | Attr = ]
moveex.exe -> %System32%\moveex.exe -> [Ver = | Size = 38400 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 9/11/2007 4:36:15 AM | Attr = ]
remove4343.nld -> %System32%\remove4343.nld -> [Ver = 0. 0. 0. 0 | Size = 126214 bytes | Created Date = 9/11/2007 7:24:22 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 8646 bytes | Created Date = 9/9/2007 1:11:56 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 9/11/2007 4:36:16 AM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 9/9/2007 3:02:41 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 9/11/2007 4:36:39 AM | Attr = ]
wpsnuio.sys -> %System32%\drivers\wpsnuio.sys -> Skyhook Wireless [Ver = 2.0.0.54 | Size = 12416 bytes | Created Date = 9/9/2007 11:36:12 AM | Attr = ]

[Files/Folders - Modified Within 60 days]
bootlogsect.exe -> %SystemDrive%\bootlogsect.exe -> [Ver = | Size = 177965 bytes | Modified Date = 9/11/2007 8:24:20 AM | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 9/12/2007 9:43:24 AM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 9/16/2007 9:54:28 AM | Attr = H ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 9/9/2007 3:40:56 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 534925312 bytes | Modified Date = 9/14/2007 8:37:12 AM | Attr = HS]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 4603 bytes | Modified Date = 9/1/2007 11:26:38 AM | Attr = H ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 9/12/2007 8:55:30 AM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 9/10/2007 10:18:34 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 9/9/2007 3:43:26 PM | Attr = HS]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 9/14/2007 8:40:56 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 9/17/2007 3:32:22 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 9/14/2007 8:16:24 AM | Attr = ]


----------



## nataliew56241 (Jun 1, 2006)

$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 8/28/2007 9:02:00 PM | Attr = H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ -> [Folder | Modified Date = 8/18/2007 3:04:20 AM | Attr = H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ -> [Folder | Modified Date = 8/29/2007 3:00:58 AM | Attr = H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ -> [Folder | Modified Date = 8/18/2007 3:04:34 AM | Attr = H ]
$NtUninstallKB936782_WMP10$ -> %SystemRoot%\$NtUninstallKB936782_WMP10$ -> [Folder | Modified Date = 8/18/2007 3:00:48 AM | Attr = H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ -> [Folder | Modified Date = 8/18/2007 3:04:26 AM | Attr = H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ -> [Folder | Modified Date = 8/18/2007 3:04:12 AM | Attr = H ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 9/13/2007 10:19:00 AM | Attr = ]
Bbstore -> %SystemRoot%\Bbstore -> [Folder | Modified Date = 7/22/2007 11:05:16 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 9/14/2007 8:37:14 AM | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 9/13/2007 10:19:34 AM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 9/10/2007 10:12:48 AM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 9/14/2007 8:24:30 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 8/24/2007 11:59:16 AM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 8/18/2007 3:02:00 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 8/29/2007 3:01:04 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 9/13/2007 10:21:22 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 9/16/2007 9:54:28 AM | Attr = HS]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 9/12/2007 4:37:52 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 8/18/2007 3:29:28 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 9/18/2007 9:18:22 AM | Attr = ]
Pure Digital Prefs -> %SystemRoot%\Pure Digital Prefs -> [Folder | Modified Date = 8/18/2007 8:22:16 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 9/17/2007 3:32:22 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 9/17/2007 3:32:22 AM | Attr = H ]
setup86x -> %SystemRoot%\setup86x -> [Folder | Modified Date = 9/11/2007 8:24:26 AM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 9/13/2007 10:23:10 AM | Attr = ]
SStylerProDemo.ini -> %SystemRoot%\SStylerProDemo.ini -> [Ver = | Size = 491 bytes | Modified Date = 8/4/2007 7:57:30 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 9/17/2007 4:27:38 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 8/9/2007 5:53:56 PM | Attr = S]
temp -> %SystemRoot%\temp -> [Folder | Modified Date = 9/18/2007 9:18:58 AM | Attr = ]
Twain001.Mtx -> %SystemRoot%\Twain001.Mtx -> [Ver = | Size = 2 bytes | Modified Date = 8/2/2007 8:28:24 PM | Attr = ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 675 bytes | Modified Date = 9/11/2007 5:42:36 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 1135 bytes | Modified Date = 9/17/2007 12:00:50 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 9/1/2007 6:52:42 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 9/11/2007 7:37:26 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 9/14/2007 8:37:18 AM | Attr = H ]
820D92CCE8.sys -> %System32%\820D92CCE8.sys -> [Ver = | Size = 56 bytes | Modified Date = 8/19/2007 7:01:22 PM | Attr = RHS]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 9/13/2007 10:23:16 AM | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 8/28/2007 9:03:34 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 9/18/2007 1:54:42 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 9/13/2007 10:24:02 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 9/18/2007 9:06:50 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 9/13/2007 10:26:00 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 9/13/2007 9:19:52 AM | Attr = ]
KGyGaAvL.sys -> %System32%\KGyGaAvL.sys -> [Ver = | Size = 3402 bytes | Modified Date = 8/19/2007 7:01:24 PM | Attr = HS]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 9/13/2007 9:19:50 AM | Attr = ]
remove4343.nld -> %System32%\remove4343.nld -> [Ver = 0. 0. 0. 0 | Size = 126214 bytes | Modified Date = 9/9/2007 10:45:56 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 8646 bytes | Modified Date = 9/9/2007 3:46:24 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 9/13/2007 9:19:52 AM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 9/13/2007 10:31:06 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 9/14/2007 8:37:32 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 9/14/2007 8:26:06 AM | Attr = ]
wpsnuio.sys -> %System32%\drivers\wpsnuio.sys -> Skyhook Wireless [Ver = 2.0.0.54 | Size = 12416 bytes | Modified Date = 9/9/2007 12:36:14 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
PEC2 , -> %System32%\ODBCJET.HLP -> [Ver = | Size = 163384 bytes | Modified Date = 7/11/1997 1:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]

< End of report >


----------



## nataliew56241 (Jun 1, 2006)

I'm not sure if you meant to use reply to thread or quick reply. It's a long one. Thanks for digging deeper!


----------



## sjpritch25 (Sep 8, 2005)

Can you attach the log? It's easier for me. Thanks.


----------



## sjpritch25 (Sep 8, 2005)

Did you get my last post?


----------



## nataliew56241 (Jun 1, 2006)

Let's see if this works.


----------



## nataliew56241 (Jun 1, 2006)

Is that ok?


----------



## sjpritch25 (Sep 8, 2005)

Thanks. Give me a couple of minutes to review. Have you rebooted your computer? Please do, because you have some files to be deleted via Spybot.


----------



## nataliew56241 (Jun 1, 2006)

I haven't rebooted yet. I'll do that next.


----------



## sjpritch25 (Sep 8, 2005)

Didn't find anything bad in the log. Looks like Spybot caught the leftovers. How is everything running?


----------
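
The reviewer's call that a log is clean rests on checks HijackThis users apply by eye: an autostart pointing into a Temp folder, a BHO or toolbar registered with no name, an entry whose file is missing, a Winsock LSP from a third party, a service with an unknown owner. As an added example, not code from the original thread or from HijackThis itself, here is a Python triage pass that applies those checks to sample lines copied from the log posted later in this thread, plus one Run entry (`[aim]`) constructed from the C:\WINDOWS\media\aim.exe process path seen in the first log. The severity labels, the list of "data" directories under C:\WINDOWS that should not hold autostarting executables, and the target-extraction rules per section code are my own assumptions rather than HijackThis conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99 lines copied from the log posted in this thread,
# plus one Run entry ("aim") built from the C:\WINDOWS\media\aim.exe process seen earlier.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [aim] C:\WINDOWS\media\aim.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
"""

HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# Locations that should never be the source of an autostart (assumption, not an HJT rule)
TEMP_DIR = re.compile(r"\\(Local Settings\\Temp|Temp|Temporary Internet Files)\\", re.I)
WINDOWS_DATA_DIR = re.compile(r"^[a-z]:\\windows\\(media|fonts|help|temp)\\[^\\]+\.(exe|dll|scr|pif|com)$", re.I)
PROGRAM_EXT = re.compile(r'^"?(.*?\.(?:exe|dll|scr|cpl|com|pif|bat|cmd|ocx))\b', re.I)
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Entry:
    code: str     # section code, e.g. "O4"
    body: str     # everything after "O4 - "
    target: str   # file the entry points at ("" when none could be extracted)


@dataclass
class Finding:
    code: str
    severity: str
    reason: str
    target: str


def clean_target(text):
    """Strip quotes, HJT's '(file missing)' marker and any command-line arguments."""
    text = text.replace("(file missing)", "").strip().strip('"')
    m = PROGRAM_EXT.match(text)
    return m.group(1) if m else text


def extract_target(code, body):
    """Pull the file path out of the section-specific line layouts HJT uses."""
    if code == "O4":
        # Startup-folder entries read "Name.lnk = path"; Run-key entries read "[Name] path args"
        m = re.search(r"\.lnk = (.*)$", body) or re.search(r"\]\s*(.*)$", body)
        return clean_target(m.group(1)) if m else ""
    if code == "O10":
        return clean_target(body.split(": ", 1)[-1])
    if code in ("O2", "O3", "O9", "O20", "O23", "R3"):
        return clean_target(body.rsplit(" - ", 1)[-1])
    return ""


def parse(text):
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            code, body = m.groups()
            entries.append(Entry(code, body, extract_target(code, body)))
    return entries


def assess(entry):
    """Return (severity, reason) pairs for one entry; an empty list means nothing to flag."""
    body, target = entry.body, entry.target
    if "(file missing)" in body or "(no file)" in body:
        # Orphaned entry: inert, but remove it so nothing can drop a file back at that path
        return [("low", "orphaned entry, target file no longer exists")]
    hits = []
    if entry.code in ("O2", "O3", "R3") and "(no name)" in body:
        hits.append(("medium", "browser extension registered without a display name"))
    if TEMP_DIR.search(target):
        hits.append(("high", "autostart target lives in a temporary directory"))
    if WINDOWS_DATA_DIR.match(target):
        hits.append(("medium", "executable placed in a Windows data directory"))
    if entry.code == "O10":
        hits.append(("medium", "third-party Winsock LSP, verify the vendor before removing"))
    if entry.code == "O23" and "Unknown owner" in body:
        hits.append(("medium", "service binary carries no recognised owner"))
    return hits


def triage(text):
    """Parse an HJT log and return its findings, most severe first."""
    findings = [Finding(e.code, sev, why, e.target)
                for e in parse(text) for sev, why in assess(e)]
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:<3} {f.reason}: {f.target}")
```

The eTrust realmon.exe and the Java ssv.dll entries produce no findings, which is the behaviour wanted from a first pass: it should surface the handful of lines worth a human look (the Temp-folder registration shortcut, the nameless MyWay BHO, the Bonjour LSP, the two orphans) rather than the whole log.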



## nataliew56241 (Jun 1, 2006)

It's running fine, but even after a restart Spybot found another 30 problems.


----------



## sjpritch25 (Sep 8, 2005)

Okay, how many user accounts do you have?


----------



## nataliew56241 (Jun 1, 2006)

How many user accounts? There's Nikki (who's admin) and Guest.


----------



## nataliew56241 (Jun 1, 2006)

The guest account should have nothing on it.


----------



## nataliew56241 (Jun 1, 2006)

We can delete it if it's a problem.


----------



## sjpritch25 (Sep 8, 2005)

I assume you are Nikki, so that would be one. Correct?


----------



## nataliew56241 (Jun 1, 2006)

Actually, Nikki is my daughter. Needless to say, I suspect most of the problem came from her use of the computer.


----------



## sjpritch25 (Sep 8, 2005)

Okay, please log in to her account and post a fresh HijackThis log. Thanks.


----------



## nataliew56241 (Jun 1, 2006)

Everything I've been doing is in her account. I'll get you a new HijackThis log. I should probably restart first, since I've just done the Spybot, right?


----------



## nataliew56241 (Jun 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 8:57:32 AM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

Do you have your own account??? Or is it just hers and the guest account??


----------



## nataliew56241 (Jun 1, 2006)

It's just hers and the guest account. Hers is the admin, the guest basically has nothing on it. I'm not sure why we even set it up. If bad stuff is hiding there, can we delete the guest account somehow?


----------



## sjpritch25 (Sep 8, 2005)

Okay, let's run this to make sure you are clean.

*Download and scan with **Sysclean Package*.
1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it *Sysclean*.
2. Place the sysclean.com inside that folder.
3. Then download the latest *Virus Pattern Files (lptXXX.zip)*.
4. Extract the *lptXXX.zip* pattern file into the same folder you created for sysclean.com.
5. Close all open applications and *DISABLE* your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first. *DO NOT perform a scan yet*.
6. *Reboot your computer in "SAFE MODE" using the F8 key*. To do this, restart your computer and, after hearing your computer beep once during startup [but before the Windows icon appears], press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
7. Open the Sysclean folder and double-click on *sysclean.com* to run.
8. It will take some time to complete. Be patient and let it clean whatever it finds.
9. Exit when done, reboot normally and re-enable your anti-virus program.

Note: This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to *use the Administrator's account* or an account with Administrative rights; otherwise you will not have the rights to scan some locations, resulting in "Access is denied" log entries.


----------



## nataliew56241 (Jun 1, 2006)

I admit I don't understand the various user setup on this computer. The Nikki account is the admin and normally I see Nikki or guest when I restart the computer. When I restart in safe, I get Nikki and administrator. I chose administrator and ran sysclean (with eTrust turned off). Here's the log:

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows XP(Build 2600: Service Pack 2)

Start time : Fri Sep 21 2007 09:09:46

Load Damage Cleanup Template (DCT) "C:\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 896) [success]

Complete time : Fri Sep 21 2007 09:11:31
Execute pattern count(2913), Virus found count(0), Virus clean count(0), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.3(Build 1103)
Windows XP(Build 2600: Service Pack 2)

Start time : Fri Sep 21 2007 14:53:58

Load Damage Cleanup Template (DCT) "C:\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 896) [success]

Complete time : Fri Sep 21 2007 14:55:42
Execute pattern count(2913), Virus found count(0), Virus clean count(0), Clean failed count(0)


----------



## sjpritch25 (Sep 8, 2005)

How is everything running??? Guest accounts will not show up in Safe Mode.


----------



## nataliew56241 (Jun 1, 2006)

Ran it again in Nikki's account. It found 4 viruses. Here's the log.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-09-21, 09:09:45, Auto-clean mode specified.
2007-09-21, 09:09:45, Running scanner "C:\Sysclean\TSC.BIN"...
2007-09-21, 10:32:44, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2007-09-21, 10:32:44, TSC Log:

2007-09-21, 10:37:21, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-09-21, 11:52:03, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 10:37:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

C:\qoobox\Quarantine\C\DOCUME~1\NIKKIW~1\wn507.exe.vir [TROJ_Generic.A]
C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\vocabulary.vir [TROJ_Generic]
C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB.VIR.0.AVB [TROJ_TSUPDATE.G]
C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir [TROJ_LOWZONES.DD]
125705 files have been read.
125705 files have been checked.
112044 files have been scanned.
184730 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 11:52:02
---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 11:52:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 10:37:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

Success Clean [ TROJ_Generic.A]( 1) from C:\qoobox\Quarantine\C\DOCUME~1\NIKKIW~1\wn507.exe.vir
Success Clean [ TROJ_Generic]( 1) from C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\vocabulary.vir
Success Clean [ TROJ_TSUPDATE.G]( 1) from C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB.VIR.0.AVB
Success Clean [TROJ_LOWZONES.DD]( 1) from C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir
125705 files have been read.
125705 files have been checked.
112044 files have been scanned.
184730 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 11:52:02	1 hour 13 minutes 59 seconds (4439.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 11:52:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 10:37:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

125705 files have been read.
125705 files have been checked.
112044 files have been scanned.
184730 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 11:52:02	1 hour 13 minutes 59 seconds (4439.52 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 11:52:03, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-09-21, 14:53:58, Auto-clean mode specified.
2007-09-21, 14:53:58, Running scanner "C:\Sysclean\TSC.BIN"...
2007-09-21, 14:55:44, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2007-09-21, 14:55:44, TSC Log:

2007-09-21, 14:55:58, An error was detected on "C:\Documents and Settings\Nikki Walton\*.*": Access is denied.
2007-09-21, 14:59:14, An error was detected on "C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc1\*.*": Access is denied.
2007-09-21, 14:59:14, An error was detected on "C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc13\*.*": Access is denied.
2007-09-21, 14:59:14, An error was detected on "C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc17\*.*": Access is denied.
2007-09-21, 14:59:14, An error was detected on "C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc2\*.*": Access is denied.
2007-09-21, 14:59:15, An error was detected on "C:\RECYCLER\S-1-5-21-899578203-3870083703-2537197871-1006\Dc22\*.*": Access is denied.
2007-09-21, 14:59:15, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-09-21, 16:02:49, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 14:59:45
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

109624 files have been read.
109624 files have been checked.
100492 files have been scanned.
170636 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 16:02:49
---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 16:02:49, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 14:59:45
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

109624 files have been read.
109624 files have been checked.
100492 files have been scanned.
170636 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 16:02:49	1 hour 2 minutes 52 seconds (3772.73 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 16:02:49, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 14:59:45
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

109624 files have been read.
109624 files have been checked.
100492 files have been scanned.
170636 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 16:02:49	1 hour 2 minutes 52 seconds (3772.73 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 16:02:49, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/

2007-09-21, 18:56:07, Auto-clean mode specified.
2007-09-21, 18:56:07, Running scanner "C:\Sysclean\TSC.BIN"...
2007-09-21, 19:00:53, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2007-09-21, 19:00:53, TSC Log:

2007-09-21, 19:05:33, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-09-21, 20:20:01, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 19:06:02
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

125847 files have been read.
125847 files have been checked.
112182 files have been scanned.
184868 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 20:20:01
---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 20:20:01, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 19:06:02
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

125847 files have been read.
125847 files have been checked.
112182 files have been scanned.
184868 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 20:20:01	1 hour 13 minutes 52 seconds (4431.67 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 20:20:01, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/21/2007 19:06:02
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 733 (228309 Patterns) (2007/09/20) (473300)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

125847 files have been read.
125847 files have been checked.
112182 files have been scanned.
184868 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/21/2007 20:20:01	1 hour 13 minutes 52 seconds (4431.67 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-09-21, 20:20:01, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.


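The Sysclean run described in the steps above writes sysclean.log, and the four hits in the log just posted all sit under C:\qoobox\Quarantine, which is where ComboFix parks files it has already neutralised. The following parser is an added example, not part of the original thread and not a Trend Micro tool: it reads the VSCANTM sections of a sysclean.log, separates detections inside a quarantine folder from live ones, and also surfaces the two things a helper checks before trusting a "0 viruses" result, namely pattern templates that failed to load and paths the scanner could not read. The sample log is constructed from lines of the log posted above, trimmed to what the parser needs; the quarantine prefix list is an assumption of this example.

```python
"""Parse Trend Micro Sysclean output and tell live detections from
quarantined ones.

Added example; not part of the original thread and not a Trend Micro tool.
The sample log below is constructed from lines of the log posted in the
thread, trimmed to what the parser needs.
"""
import re
from dataclasses import dataclass, field

# Quarantine folders: files here are renamed, inert copies, so a hit on them
# is not an active infection. ComboFix's folder is the one seen in the log;
# treating it as the only quarantine location is this example's assumption.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

SECTION_RE = re.compile(r", (Files Detected|Files Clean|Clean Fail):\s*$")
# 'C:\path\file.vir [TROJ_Generic.A]'
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\[\s*(?P<name>[^\]]+?)\s*\]\s*$")
# 'Success Clean [ TROJ_Generic.A]( 1) from C:\path\file.vir'
CLEAN_RE = re.compile(r"^Success Clean \[\s*(?P<name>[^\]]+?)\s*\]\(\s*\d+\) from (?P<path>.+?)\s*$")
DENIED_RE = re.compile(r'An error was detected on "(?P<path>[^"]+)": Access is denied')
DCT_RE = re.compile(r'Load Damage Cleanup Template \(DCT\) "(?P<path>[^"]+)" \(version [^)]*\) \[(?P<status>\w+)\]')
FOUND_RE = re.compile(r"^Found (?P<n>\d+) viruses totally\.")


@dataclass
class Finding:
    path: str
    name: str
    quarantined: bool


@dataclass
class Report:
    detected: list = field(default_factory=list)
    cleaned: list = field(default_factory=list)
    access_denied: list = field(default_factory=list)     # paths the scanner could not read
    failed_templates: list = field(default_factory=list)  # DCT pattern files that did not load
    found_total: int = 0


def in_quarantine(path):
    p = path.lower()
    return any(p.startswith(q) for q in QUARANTINE_PREFIXES)


def parse_sysclean_log(text):
    """Walk the log once, tracking which VSCANTM section we are in."""
    rep = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.search(line):
            section = m.group(1)
        elif m := DCT_RE.search(line):
            if m["status"].lower() != "success":
                rep.failed_templates.append(m["path"])
        elif m := DENIED_RE.search(line):
            rep.access_denied.append(m["path"])
        elif section == "Files Detected" and (m := DETECT_RE.match(line)):
            rep.detected.append(Finding(m["path"], m["name"], in_quarantine(m["path"])))
        elif section == "Files Detected" and (m := FOUND_RE.match(line)):
            rep.found_total += int(m["n"])   # one count per scan run
        elif section == "Files Clean" and (m := CLEAN_RE.match(line)):
            rep.cleaned.append(Finding(m["path"], m["name"], in_quarantine(m["path"])))
    return rep


def live_findings(rep):
    """Detections outside every quarantine folder: these still need attention."""
    return [f for f in rep.detected if not f.quarantined]


# Constructed sample: lines taken from the sysclean.log posted in the thread.
SAMPLE_LOG = r"""
Damage Cleanup Engine (DCE) 5.3(Build 1103)
Load Damage Cleanup Template (DCT) "C:\Sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Sysclean\tsc.ptn" (version 896) [success]
2007-09-21, 09:09:45, Running scanner "C:\Sysclean\TSC.BIN"...
2007-09-21, 10:37:21, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-09-21, 11:52:03, Files Detected:
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL C:\*.* /P=C:\Sysclean

C:\qoobox\Quarantine\C\DOCUME~1\NIKKIW~1\wn507.exe.vir [TROJ_Generic.A]
C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\zzfwd\vocabulary.vir [TROJ_Generic]
C:\qoobox\Quarantine\C\Program Files\Common Files\zzfw\~GLH0003.TMP.0.AVB.VIR.0.AVB [TROJ_TSUPDATE.G]
C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir [TROJ_LOWZONES.DD]
4 files containing viruses.
Found 4 viruses totally.
2007-09-21, 11:52:03, Files Clean:
Success Clean [ TROJ_Generic.A]( 1) from C:\qoobox\Quarantine\C\DOCUME~1\NIKKIW~1\wn507.exe.vir
Success Clean [TROJ_LOWZONES.DD]( 1) from C:\qoobox\Quarantine\C\WINDOWS\system32\systems.txt.vir
Found 4 viruses totally.
2007-09-21, 11:52:03, Clean Fail:
Found 4 viruses totally.
"""

if __name__ == "__main__":
    rep = parse_sysclean_log(SAMPLE_LOG)
    print(f"detected={len(rep.detected)} live={len(live_findings(rep))} cleaned={len(rep.cleaned)}")
    for f in rep.detected:
        print(("quarantined " if f.quarantined else "LIVE        ") + f"{f.name}: {f.path}")
    for p in rep.failed_templates:
        print("pattern template not loaded:", p)
    for p in rep.access_denied:
        print("not scanned:", p)
```

Two caveats the parser makes visible: a run whose TMRDCT.ptn failed to load did not apply the damage-cleanup template, so its "Virus found count(0)" says less than it appears to, and an "Access is denied" entry on a user profile (as in the 14:53 run here) means that profile was not scanned at all, which is why the helper asked for the run to be repeated from the infected account.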
----------



## nataliew56241 (Jun 1, 2006)

It's running fine. There's more free space on the hard drive (significantly more) than when we started. No pop-ups and no issues with the control panel. It just bothers me that we had anti-virus, Spybot, Ad-Aware, and the Windows Firewall and it still got so corrupted.


----------



## sjpritch25 (Sep 8, 2005)

I just found some files in ComboFix's quarantine folder.

Please post a fresh HijackThis log. Thanks.


----------



## nataliew56241 (Jun 1, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 9:21:07 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


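A helper reading the fresh log above does a first pass by line type: R1/R3 entries that point at a third-party search provider, O2/R3 entries with no name, O4 autoruns whose target lives in a user's Temp folder under GUID-named directories (the RollerCoaster Tycoon registration shortcut here), O10 LSP DLLs, O16 controls fetched over plain http, and O23 services with "Unknown owner" or "(file missing)". The triage script below is an added example, not part of the original thread and not HijackThis's own logic; its heuristics are this example's assumptions and produce review flags, not verdicts (it will flag Spybot's nameless SDHelper BHO and Apple's Bonjour LSP too, which is the point of a first pass). The sample lines are copied from the log posted above.

```python
"""Triage a HijackThis 1.99 log: flag the entries a helper looks at first.

Added example; not part of the original thread and not HijackThis's own
logic. The heuristics are this example's assumptions; the sample lines are
copied from the log posted in the thread.
"""
import re

SECTION_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - ")
# Target file is gone: the registry entry is an orphan and can be fixed.
ORPHAN_RE = re.compile(r"\((no file|file missing)\)", re.I)
# Autorun targets in a per-user temp folder or a GUID-named folder are
# either installer leftovers or something that dropped itself there.
TEMP_RE = re.compile(r"\\local settings\\temp\\|\\temp\\", re.I)
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Search/start-page hosts the owner is assumed to have chosen (assumption of
# this example); anything else in an R0/R1 line gets a review flag.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "search.yahoo.com"}


def triage_line(line):
    """Return the reasons this log line deserves a look (empty list if none)."""
    m = SECTION_RE.match(line)
    if not m:
        return []
    sec = m.group(1)
    reasons = []
    if ORPHAN_RE.search(line):
        reasons.append("orphaned entry: target file is gone")
    if sec == "O4":
        if TEMP_RE.search(line):
            reasons.append("autorun target lives in a temp directory")
        if GUID_DIR_RE.search(line):
            reasons.append("autorun target sits in a GUID-named folder")
    if sec == "O23" and "Unknown owner" in line:
        reasons.append("service has no recognised vendor")
    if sec in ("R3", "O2") and "(no name)" in line and "(no file)" not in line:
        reasons.append("nameless URLSearchHook/BHO: identify the DLL")
    if sec == "O10":
        reasons.append("Winsock LSP: confirm the DLL vendor before touching it")
    if sec == "O16" and " - http://" in line:
        reasons.append("ActiveX control fetched over plain http")
    if sec in ("R0", "R1"):
        u = URL_RE.search(line)
        if u and u.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"search/start page points at {u.group(1)}")
    return reasons


def triage_hjt(text):
    """Return one dict per flagged line: section, the line itself, and reasons."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            out.append({"section": SECTION_RE.match(line).group(1), "line": line, "reasons": reasons})
    return out


# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

if __name__ == "__main__":
    for hit in triage_hjt(SAMPLE_HJT):
        print(hit["section"], "|", hit["line"][:70])
        for r in hit["reasons"]:
            print("    -", r)
```

Every flag is a question, not an answer: the O10 line is Apple's Bonjour name-service provider, and the O23 "file missing" service is harmless but should be fixed because an attacker can later drop a binary at that registered path. The O4 Startup entry under Temp is the one whose target file a helper would want to see or have deleted, since that is exactly where the earlier quarantined wn507.exe was living.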
----------



## sjpritch25 (Sep 8, 2005)

Open Hijackthis, Click Open the Misc tools section Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.


----------



## nataliew56241 (Jun 1, 2006)

Ad-Aware SE Personal
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AIM 6
American Greetings CreataCard Select 6
ANIO Service
ANIWZCS2 Service
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
CA eTrust Antivirus
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Digital Content Portal
EarthLink setup files
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Creative Scrapbook Assistant
HP Deskjet 3900 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP OfficeJet Series 700 (Remove Only)
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-11-17
iPod for Windows 2006-03-23
iTunes
iTunes
Java(TM) 6 Update 2
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.12.10
Macromedia Flash Player
Mall Tycoon
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (2.0.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
MyWay Search Assistant
Nikon Message Center
Panda ActiveScan
PDF Settings
PictureProject In Touch Downloader 1.0
PL-2303 USB-to-Serial
PowerDVD 5.5
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
RangeBooster G WDA-2320
RealPlayer Basic
RitzPix E-Z Print & Share
RollerCoaster Tycoon
RollerCoaster Tycoon 2
RollerCoaster Tycoon 2: Time Twister
RollerCoaster Tycoon 2: Wacky Worlds
RollerCoaster Tycoon 3
Salon Styler Pro Demo
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SigmaTel Audio
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
Tetris Worlds
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Weather Channel Desktop
The Weather Channel Toolbar
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Weather Services
WebCyberCoach 3.2 Dell
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WordPerfect Office 12
Yahoo! Messenger


----------



## sjpritch25 (Sep 8, 2005)

Please uninstall the following via Add/Remove programs:
*MyWay Search Assistant*

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

You can delete this folder too.
*C:\Program Files\MyWaySA*

How is everything running???
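As an added example (not code from this thread, from HijackThis, or from sjpritch25), the Python script below does mechanically what the helper does by eye: it parses a HijackThis 1.99.1 log and flags entries worth a second look (dead "(no file)"/"(file missing)" entries, hijacked search pages, autostarts from Temp folders or with no full path, unnamed BHOs, services with an unknown owner). The sample log lines are constructed from entries quoted in this thread, and the trusted-host list and the heuristics are assumptions of the example, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 format, modelled on entries quoted
# in this thread (header trimmed, user name replaced); not a real full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Game Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\ATR1.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# One HijackThis entry per line: section code (R1, O4, O23, ...), " - ", body.
HJT_ENTRY = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)
FULL_PATH = re.compile(r"^(?:[A-Za-z]:\\|%\w+%\\)")
SEARCH_KEYS = ("Search Bar", "Search Page", "Start Page", "Default_Search_URL")
# Assumed set of hosts the stock IE search/start pages point at; extend locally.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body, raw line) for every HijackThis entry line.
    The header and the 'Running processes' block do not match and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def url_host(value):
    """Lower-cased host of the first http(s) URL in the value, or None."""
    m = re.search(r"https?://([^/\s]+)", value, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_trusted(host):
    """Exact or subdomain match only, so 'evilmicrosoft.com' is not trusted."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def autostart_target(body):
    """Target of an O4 entry: text after the [Name] tag or after '.lnk = '."""
    return re.split(r"\]\s*|\.lnk = ", body, maxsplit=1)[-1].strip().strip('"')


def triage(entries):
    """Apply the review heuristics; dead entries are reported once and not re-examined."""
    findings = []
    for sec, body, raw in entries:
        if ORPHAN.search(body):
            findings.append(Finding(sec, "dead entry: target file no longer exists", raw))
            continue
        if sec in ("R0", "R1") and any(k in body for k in SEARCH_KEYS):
            host = url_host(body)
            if host and not is_trusted(host):
                findings.append(Finding(sec, f"search/start page points at {host}", raw))
        elif sec == "O4":
            if TEMP_DIR.search(body):
                findings.append(Finding(sec, "autostart launched from a Temp directory", raw))
            elif not FULL_PATH.match(autostart_target(body)):
                findings.append(Finding(sec, "autostart target has no full path; locate the file", raw))
        elif sec in ("O2", "O3") and "(no name)" in body:
            findings.append(Finding(sec, "unnamed BHO/toolbar; verify the DLL's vendor", raw))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "service with unknown owner; verify the binary", raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

A flagged entry is a prompt to look up the file and its vendor, not a verdict; legitimate tools (Spybot's own SDHelper.dll shows as an unnamed O2 BHO) will be listed too.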


----------



## nataliew56241 (Jun 1, 2006)

After I removed myway search assistant, none of the other items were in the new hijack this log. Also, program files\mywaysa was gone too. I rebooted. Ran hijack this again to make sure they didn't reappear (which they didn't). Computer's running ok.

Logfile of HijackThis v1.99.1
Scan saved at 5:35:25 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

Your log is clean!!!! :up:

Let's remove the tools we used.

Delete the following files and folders:
C:\Sysclean
C:\Combofix
C:\QooBox
C:\combofix.txt
C:\combofix-quarantine-files.txt

On your desktop
*ComboFix.exe*

Now that your system is clean you should *SET A NEW RESTORE POINT* *to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection*. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To *SET A NEW RESTORE POINT*:
1. Go to *Start* > *Programs* > *Accessories* > *System Tools* and click "*System Restore*".
2. Choose the radio button marked "*Create a Restore Point*" on the first screen then click "*Next*". Give the R.P. a name then click "*Create*". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to *Start* > *Run* and type: *Cleanmgr*
4. Click "*OK*".
5. Click the "*More Options*" Tab.
6. Click "*Clean Up*" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
*How to Create a Restore Point*.
*How to use Cleanmgr*.

======================================

Here is some useful information on keeping your computer clean:
The most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
If you don't have a *Firewall* installed, please choose from the following:
*ZoneAlarm Free*
*Kerio Personal Firewall*

If you don't have an *Anti-Virus* installed, please download the following free program:
*AntiVir Personal Edition*

Here are two great Preventive programs:
SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
IESpyads adds a long list of bad sites to your Restricted sites in *Internet Explorer* and protects against drive by downloads.

Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with *Internet Explorer* and *Mozilla Firefox*. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
Red for *Warning*
Yellow for *Use Caution*
Green for *Safe*
Grey for *Unknown*

Here are the links to install SiteAdvisor in Internet Explorer and Firefox.
Anti-Spyware Programs I Recommend:
Lavasoft's Ad-Aware SE Personal
SuperAnti-Spyware

For Even More Information On Securing Your Computer read *Tony Klein's* So How Did I Get Infected In The First Place


----------



## nataliew56241 (Jun 1, 2006)

Ok, only problem is spybot is still finding problems. 28 at last count. Here's the latest spybot log.

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ajcmimiipsi.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\dctscwsgerkv.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\dxp.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\eheagcsfcxma.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\ej.exe

Crypt.Spambot.qk: Executable (File, nothing done)
C:\WINDOWS\system32\gpchsvx.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\iafw.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\jpq.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\lupuzhdkgava.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\qbvbfa.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\ronuqphhwqmy.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\casbddwj.exe

Crypt.Spambot.qk: Executable (File, fixed)
C:\WINDOWS\system32\cnkbpt.exe

Virtumonde.Winpop: User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\WinPop

Virtumonde.Winpop: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\WinPop

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)

HitsLink: Tracking cookie (Firefox: default) (Cookie, fixed)

CoreMetrics: Tracking cookie (Firefox: default) (Cookie, fixed)

WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe
2007-08-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-19 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-19 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-19 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-19 Includes\KeyloggersC.sbi (*)
2004-05-12 Includes\LSP.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-19 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-19 Includes\PUPSC.sbi (*)
2007-09-19 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-19 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-19 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

--- ActiveX list ---
{01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class)
DPF name: 
CLSID name: SysProWmi Class
Installer: C:\WINDOWS\Downloaded Program Files\SysPro.inf
Codebase: http://support.dell.com/systemprofiler/SysPro.CAB
description: 
classification: Legitimate
known filename: SysPro.ocx
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Dell\SystemProfiler\
Long name: SysPro.ocx
Short name: 
Date (created): 1/23/2003 3:23:18 PM
Date (last access): 9/21/2007 8:14:56 PM
Date (last write): 1/23/2003 3:23:18 PM
Filesize: 86016
Attributes: archive 
MD5: 2EE3E0AE6AA35F135CAE24DF2DA9B172
CRC32: A76A5BDA
Version: 2.0.0.1

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name: 
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab
description: 
classification: Legitimate
known filename: LegitCheckControl.DLL
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 7:04:22 PM
Date (last access): 9/22/2007 5:34:24 PM
Date (last write): 3/15/2007 6:19:28 PM
Filesize: 1476992
Attributes: archive 
MD5: D41D8CD98F00B204E9800998ECF8427E
CRC32: ED982FE3

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name: 
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
description: 
classification: Legitimate
known filename: wuweb.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name: 
Date (created): 8/10/2004 3:02:30 PM
Date (last access): 9/22/2007 5:55:12 PM
Date (last write): 7/30/2007 7:19:28 PM
Filesize: 203096
Attributes: archive 
MD5: 5C9A003E7C6BA03F04DC2D9C82A7E6E0
CRC32: E29E0153
Version: 7.0.6000.381

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name: 
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
description: 
classification: Legitimate
known filename: muweb.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name: 
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 9/22/2007 5:55:08 PM
Date (last write): 7/30/2007 7:19:04 PM
Filesize: 207736
Attributes: archive 
MD5: 2DEE560CCEF55353EB62FDA870446393
CRC32: 5AA71F7B
Version: 7.0.6000.381

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link: 
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 9/21/2007 7:58:12 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive 
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name: 
CLSID name: 
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description: 
classification: Open for discussion
known filename: 
info link: 
info source: Safer Networking Ltd.

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name: 
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description: 
classification: Legitimate
known filename: ASINST.DLL
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name: 
Date (created): 8/24/2006 8:28:54 AM
Date (last access): 9/22/2007 5:50:02 PM
Date (last write): 8/24/2006 8:28:54 AM
Filesize: 141424
Attributes: archive 
MD5: CB0EBD772D7D003BD11A999FF515A89A
CRC32: 3CFE74C1
Version: 58.6.0.0

{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control)
DPF name: 
CLSID name: Get_ActiveX Control
Installer: 
Codebase: https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
description: 
classification: Legitimate
known filename: HPGetDownloadManager.ocx
info link: 
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: HPGetDownloadManager.ocx
Short name:  HPGETD~1.OCX
Date (created): 1/12/2006 2:46:24 PM
Date (last access): 9/21/2007 8:08:54 PM
Date (last write): 1/12/2006 2:46:26 PM
Filesize: 88136
Attributes: archive 
MD5: 200E3189656F9A29FB5BC7F71AB3F283
CRC32: 8C85B2F9
Version: 3.3.0.0

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description: 
classification: Legitimate
known filename: npjpi160_02.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 9/22/2007 9:09:16 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive 
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer: 
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description: 
classification: Legitimate
known filename: npjpi150_06.dll
info link: 
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 9/22/2007 9:09:16 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive 
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name: 
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename: 
info link: 
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9c.ocx
Short name: 
Date (created): 3/23/2007 5:59:38 PM
Date (last access): 9/22/2007 5:33:16 PM
Date (last write): 3/23/2007 5:59:38 PM
Filesize: 2267368
Attributes: archive 
MD5: D41D8CD98F00B204E9800998ECF8427E
CRC32: B8EED2E6

--- Process list ---
PID: 0 ( 0) [System]
PID: 416 ( 4) \SystemRoot\System32\smss.exe
PID: 464 ( 416) \??\C:\WINDOWS\system32\csrss.exe
PID: 492 ( 416) \??\C:\WINDOWS\system32\winlogon.exe
PID: 536 ( 492) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 548 ( 492) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 728 ( 536) C:\WINDOWS\system32\Ati2evxx.exe
size: 446464
MD5: 39BE36B74B2D17B336146E82373E0396
PID: 748 ( 536) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 804 ( 536) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 844 ( 536) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 916 ( 536) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 944 ( 536) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1136 ( 536) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1248 ( 536) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 106496
MD5: 2ACFC9242BE81AE2356E14E5E05C02BB
PID: 1272 ( 492) C:\WINDOWS\system32\Ati2evxx.exe
size: 446464
MD5: 39BE36B74B2D17B336146E82373E0396
PID: 1336 ( 536) C:\Program Files\Bonjour\mDNSResponder.exe
size: 229376
MD5: 73686FE0B2E0469F89FD2075BE724704
PID: 1376 ( 536) C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
size: 139536
MD5: 41C76C4F92254258363A5C280FA6544E
PID: 1476 ( 536) C:\Program Files\CA\eTrust Antivirus\InoRT.exe
size: 424457
MD5: 4B73B01D1BAA24BDC324B9BE13DABCF7
PID: 1640 ( 536) C:\Program Files\CA\eTrust Antivirus\InoTask.exe
size: 270608
MD5: 84488C431BCFCBE5B140B03612A8380C
PID: 152 ( 536) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 328 ( 536) C:\WINDOWS\system32\wdfmgr.exe
size: 38912
MD5: AB0A7CA90D9E3D6A193905DC1715DED0
PID: 368 ( 536) C:\Program Files\Viewpoint\Common\ViewpointService.exe
size: 24652
MD5: 5F974FDE801C73952770736BECDE11E7
PID: 1652 ( 536) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1824 (1556) C:\WINDOWS\Explorer.EXE
size: 1033216
PID: 2232 (1824) C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
size: 28672
MD5: EA8CA6E01B5174C690E4DAB13089CBF3
PID: 2248 (1824) C:\WINDOWS\stsystra.exe
size: 339968
MD5: 0F869E88FA4489FBE231A42646488CE8
PID: 2256 (1824) C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 49152
MD5: AC116F16A7716A720A45D7EA47CFD983
PID: 2272 (1824) C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
size: 368640
MD5: 67F8EE6EB44D9427649D9BFF710CC9BC
PID: 2288 (1824) C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
size: 2490368
PID: 2300 (1824) C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
size: 49152
MD5: 2E72D7C07F48A8FBA76241A43B19E3BF
PID: 2308 (1824) C:\PROGRA~1\CA\ETRUST~1\realmon.exe
size: 504080
MD5: 7427E4995C12F12A0A8987A122C82E5D
PID: 2316 (1824) C:\Program Files\iTunes\iTunesHelper.exe
size: 256576
MD5: D2ED7AF383AAB672CB7E135040967954
PID: 2352 (1824) C:\Program Files\QuickTime\qttask.exe
size: 286720
MD5: 49CCFBE5D5225B9D3CC78C09DEE147D0
PID: 2360 (1824) C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896E712A34D654A337C8CBB9DEB07200
PID: 2396 (1824) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
PID: 2412 (1824) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2452 (1824) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 2500 (1824) C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
size: 4796416
PID: 2536 (1824) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 1318912
PID: 2588 (1824) C:\Program Files\AIM6\aim6.exe
size: 50736
MD5: 233CA87903AD80083DD16FE994F0B2E1
PID: 2632 ( 536) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2668 (1824) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 282624
MD5: 5597D0075861CB0A6E6087752D205C0D
PID: 2732 (2588) C:\Program Files\AIM6\aolsoftware.exe
size: 50736
MD5: C482C535CBFEFE722EC1EB7F11F680A3
PID: 2820 (2476) C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
size: 103928
MD5: F9AB943EB3CF38867FFEC53E9FC39EB5
PID: 3364 ( 536) C:\Program Files\iPod\bin\iPodService.exe
size: 492608
MD5: 688B773BA6074D5E9695EF1886FDCD3E
PID: 3832 (2668) C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
size: 204800
MD5: 2DB4D4386AC0F8CC367E1AA8AB1004EF
PID: 3912 ( 748) C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
size: 77824
MD5: 227DFED8580F7AC64D7AE18BC3A8A23A
PID: 3816 ( 368) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
size: 112336
MD5: 1FF94B386646925D2B153C8A083115C7
PID: 2188 (1824) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
PID: 26228 (1824) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7644520
PID: 45232 ( 844) C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
size: 743936
MD5: B719C7D08847D3C9EFD63732E1072A40
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/22/2007 9:09:17 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


----------



## nataliew56241 (Jun 1, 2006)

Also, the computer has started running really slow. I've just loaded the new Spybot and will run it again (since it was complaining that it couldn't find files when I asked it to delete the spyware).


----------



## sjpritch25 (Sep 8, 2005)

Let's see what this finds.

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:

1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
3. Instead of Windows loading as normal, the Advanced Options Menu should appear.
4. Select the first option, to run Windows in Safe Mode, then press *Enter*.
5. Choose your usual account.

Then:

1. Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
2. Type *Y* to begin the cleanup process.
3. It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
4. Press any key and it will restart the PC.
5. When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
6. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
7. Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


----------



## nataliew56241 (Jun 1, 2006)

OK. I restarted after my last message to you (after running Spybot) and noticed that when I started up a window popped up called c:\windows\system32\cmd.exe about 4 times and then closed itself. I'll start running SDFix.


----------



## nataliew56241 (Jun 1, 2006)

SDFix: Version 1.106

Run by Nikki Walton on Sat 09/22/2007 at 10:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\Program Files\Words\list.txt - Deleted

Folder C:\Program Files\Words - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:Enabled:Realmon"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe:*:Enabled:InocIT"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\uninst.dll
C:\WINDOWS\system32\820D92CCE8.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
C:\Documents and Settings\Nikki Walton\Application Data\Microsoft\Word\~WRL0002.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG

Finished!


----------



## sjpritch25 (Sep 8, 2005)

Please post a fresh Hijackthis log. Thanks. How is everything running???


----------



## nataliew56241 (Jun 1, 2006)

The command.exe popup didn't appear this startup. The computer seems to be running more like normal. Here's the HijackThis log. After I post that I'll run Spybot and Ad-Aware, unless I hear from you in the meantime.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:41 AM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133798646906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175555595968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

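The log above is what the helper reads by hand: R/F/N/O entries whose target file is gone ("(no file)", "(file missing)"), services with no publisher, and startup items launched from a temp folder. As an added example (not code from this thread or from HijackThis), here is a small triage script that parses lines in that format and applies those three defender-side heuristics; the heuristics and the `triage`/`classify` names are my own, and the sample entries are copied from the log above.

```python
import re
from collections import namedtuple

# Constructed sample: a few entries copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Nikki Walton\Local Settings\Temp\{32597C96-057E-4C36-9E7D-C417D6796D0B}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O23 - Service: AOL Update Manager (AOL_Hosts) - Unknown owner - C:\WINDOWS\Media\aolupd.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

Finding = namedtuple("Finding", "kind reasons text")

# Every HijackThis entry begins with a section code (R0-R3, F0-F3, N1-N4, O1-O24),
# a dash, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")

# Heuristic 1: the registry/shortcut still points at a file that no longer exists.
DEAD_REF_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
# Heuristic 2: something is launched from a user or system temp folder.
TEMP_PATH_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)


def classify(kind, body):
    """Return the list of review reasons that apply to one entry (empty = nothing to flag)."""
    reasons = []
    if DEAD_REF_RE.search(body):
        reasons.append("dead-reference")
    if TEMP_PATH_RE.search(body):
        reasons.append("temp-path")
    # Heuristic 3: an O23 service whose publisher HijackThis could not determine.
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("unknown-owner")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return only the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        reasons = classify(m.group("kind"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("kind"), reasons, raw.strip()))
    return findings


def count_reasons(findings):
    """Tally how many entries each heuristic fired on."""
    counts = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, ",".join(f.reasons), f.text[:72])
```

A hit is a prompt for review, not proof of infection: the ATR1.exe startup entry under Local Settings\Temp is a game registration stub, and the dead references are leftovers from uninstalled software, which is why the helper called the log clean.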

----------



## sjpritch25 (Sep 8, 2005)

Looks clean. How is everything running???


----------

