# Solved: annoying--- "yinstall"



## kim-smells (Oct 4, 2006)

Heaps of people have been asking about this "yinstall" problem, and I've been trying to keep up. Problem is, I'm really slow with computers, so yeah... if anyone is able to help and start with the basics, your help will be greatly appreciated.

I've done the ComboFix thing that I've seen on another post, and kind of need help from then on. Thanks.

Thao Nguyen - 06-10-04 13:21:55.37 Service Pack 2
ComboFix 06.09.28 - Running from: "D:\My DocQumentZ"

((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-04 13:16	--------	d--------	C:\Program Files\Common Files
2006-10-04 11:51	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart
2006-10-04 11:51	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\setup hide copy
2006-10-04 11:50	--------	d--------	C:\Program Files\Surf owns heart
2006-10-04 11:49	--------	d--------	C:\Program Files\MessengerPlus! 3
2006-10-04 11:49	--------	d--------	C:\Program Files\Adverts
2006-10-04 11:46	--------	d--------	C:\Program Files\MSN Messenger
2006-10-03 17:32	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\Macromedia
2006-09-28 19:14	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\Adobe
2006-09-27 17:14	--------	d--------	C:\Program Files\QuickTime
2006-09-27 17:12	--------	d--------	C:\Program Files\Winamp
2006-09-27 16:58	--------	d--------	C:\Program Files\Apple Software Update
2006-09-27 16:14	--------	d--------	C:\Program Files\Common Files\Macromedia
2006-09-27 16:13	--------	d--------	C:\Program Files\Macromedia
2006-09-27 16:12	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-09-27 16:12	--------	d--------	C:\Program Files\Common Files\InstallShield
2006-09-25 21:22	--------	d--------	C:\Program Files\Messenger Plus! Live
2006-09-25 21:11	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-09-24 01:09	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\IMVU
2006-09-14 16:51	--------	d---s----	C:\Documents and Settings\Thao Nguyen\Application Data\Microsoft
2006-09-01 19:43	--------	d--------	C:\Program Files\IMVU
2006-08-26 00:04	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\EBookSys
2006-08-24 16:36	--------	d--------	C:\Program Files\LimeWire
2006-08-21 22:21	16896	--a------	C:\WINDOWS\system32\fltlib.dll
2006-08-21 19:14	23040	--a------	C:\WINDOWS\system32\fltmc.exe
2006-08-21 19:14	128896	--a------	C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-18 17:01	--------	d--------	C:\Documents and Settings\Thao Nguyen\Application Data\Sun
2006-08-10 16:38	--------	d--------	C:\Program Files\Internet Explorer
2006-07-27 23:24	679424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-07-21 18:24	72704	--a------	C:\WINDOWS\system32\hlink.dll
2006-07-06 13:44	58952	--a------	C:\WINDOWS\system32\MsgPlusLoader.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SIGN PING"="C:\\DOCUME~1\\THAONG~1\\APPLIC~1\\SURFOW~1\\Mapi Poke.exe"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"cprocsvc"="C:\\WINDOWS\\system32\\crunner\\cproc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SMSERIAL"="sm56hlpr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BigPond Toolbar"="\"C:\\Program Files\\Telstra\\Toolbar\\bpumTray.exe\""
"MPTBox"="C:\\Program Files\\Canon\\MultiPASS4\\MPTBox.exe"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"KAVPersonal50"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"first kind four rule"="C:\\Documents and Settings\\All Users\\Application Data\\ClockDrvFirstKind\\Chin Live.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d4,01,00,00,00,00,00,00,2c,02,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="7db39a0d-580f-4be9-9195-8bfcd226f6c2"
"SubscribedURL"="C:\\Program Files\\Formosoft\\Aqua Real\\AquaReal.ocx"
"FriendlyName"="Aqua Real"
"Flags"=dword:00004003
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,00,04,00,00,e1,02,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,00,04,00,00,e1,02,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-04 13:22:43.67 
ComboFix.txt
ComboFix2.txt


----------



## Cookiegal (Aug 27, 2003)

If you have taken anything out of startups via msconfig please go to *Start*  *Run*  type in *msconfig*  click OK and click on the Startup tab. Click on *Enable All* then *Apply* and OK. Then please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## kim-smells (Oct 4, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 21:30, on 06-10-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {41B8344A-9921-1B30-6F75-590003E99AD2} - C:\DOCUME~1\THAONG~1\APPLIC~1\SETUPH~1\ONCE FAST.exe (file missing)
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------
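The log above is where the triage actually happens, and the entries worth a second look share a few traits: autostart values that launch from a user profile's Application Data folder (`SIGN PING`, `first kind four rule`), BHOs whose registered file is already missing, random dictionary-word names in odd casing, and launch paths inside folders the ComboFix Find3M list and the BFU script in this thread already point at (`crunner`, `Surf owns heart`, `Adverts`, `ClockDrvFirstKind`). The script below is an added example written for this page; it is not HijackThis code and not something either poster ran. It parses O2 and O4 lines with those heuristics and reports why each entry was flagged. The regexes, the word-name rule and the known-bad folder set are assumptions tuned to the families seen in this log; the sample lines are a constructed subset copied from the log above. Legitimate entries such as `BigPond Toolbar` and `CTFMON.EXE` pass, while `cprocsvc` (a plain name in `system32`) is caught only because `crunner` appears in the BFU folder list, which is why a reviewer still checks every entry by hand.

```python
"""Heuristic triage of HijackThis O2/O4 entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O2/O4 lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {41B8344A-9921-1B30-6F75-590003E99AD2} - C:\DOCUME~1\THAONG~1\APPLIC~1\SETUPH~1\ONCE FAST.exe (file missing)
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# O2 - BHO: <name> - {<clsid>} - <path>[ (file missing)]
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 - <location>: [<value name>] <command>     (Global Startup lines have no [name])
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")

# Assumption: autostarts living in per-user or All Users data folders (long or 8.3 form) deserve a look.
PROFILE_RE = re.compile(r"(?i)(\\APPLIC~1\\|\\Application Data\\|\\LOCALS~1\\|\\Local Settings\\|\\Temp\\)")
# Assumption: Lop/SurfSideKick-style names are 2+ dictionary words, all lower- or all upper-case.
WORD_NAME_RE = re.compile(r"^(?:[a-z]+(?: [a-z]+)+|[A-Z]+(?: [A-Z]+)+)$")
# Folder names taken from the ComboFix Find3M list and the BFU script posted in this thread.
KNOWN_BAD_DIRS = {"crunner", "surf owns heart", "setup hide copy", "adverts", "clockdrvfirstkind"}


@dataclass
class Finding:
    kind: str            # "O2" or "O4"
    name: str            # BHO name or Run value name
    path: str            # file the entry points at
    reasons: list = field(default_factory=list)   # empty list means "looks ordinary"


def exe_path(cmd: str) -> str:
    """Strip quoting and arguments from a Run value to get the launched file."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|lnk|scr|com|bat))(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def assess(name: str, path: str, missing: bool = False) -> list:
    """Return the list of heuristics an entry trips; empty means nothing matched."""
    reasons = []
    if missing:
        reasons.append("registered file is missing")
    if PROFILE_RE.search(path):
        reasons.append("launches from a user-profile data folder")
    if {seg.lower() for seg in path.split("\\")} & KNOWN_BAD_DIRS:
        reasons.append("path contains a folder seen in the ComboFix/BFU output")
    if WORD_NAME_RE.match(name):
        reasons.append("random dictionary-word name")
    return reasons


def parse_entries(log_text: str) -> list:
    """Turn O2/O4 lines into Findings; other HijackThis sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Finding("O2", m["name"], m["path"],
                                   assess(m["name"], m["path"], missing=bool(m["missing"]))))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            if name is None and " = " in cmd:        # Global Startup: "<shortcut>.lnk = <target>"
                name, cmd = cmd.split(" = ", 1)
            path = exe_path(cmd)
            entries.append(Finding("O4", name or "", path, assess(name or "", path)))
    return entries


def suspicious(log_text: str) -> list:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_entries(log_text) if e.reasons]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}\n    " + "; ".join(f.reasons))
```

Run it as-is and it prints five hits from the sample: the nameless BHO and ToolBar888 (missing files), `first kind four rule` and `SIGN PING` (profile path plus word-salad name), and `cprocsvc` (known folder). Feed it a full log and expect false positives on software that legitimately runs from Application Data; the reasons list exists so a reviewer can weigh each hit rather than trust a verdict.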



## kim-smells (Oct 4, 2006)

Thanks so much for responding.


----------



## Cookiegal (Aug 27, 2003)

Go *here* to download AlcanShorty_en.exe and save it to your desktop.

Double click the *alcanShorty.exe* file and follow the prompts. 
It will make a folder on desktop called *Alcan Shorty*
Open the Alcan Shorty folder & double click the *run.bat* file to run it.
This will download a file called BFU.exe and a BFU script. 
If your firewall asks for permission to connect to the internet you must allow it.
A message box will pop up saying "complete". 
Be patient and wait for the message box to appear as it may take some time.
Press OK then BFU.exe will open. 
Select the option to "Show log after script ends"
Execute the script by clicking the *Execute* button.
Note that you should see a progress bar while the script is being executed.
When the script has finished press "copy" and that will make a copy of the report in your clipboard. 
Paste the log into Notepad and save it to your desktop to post back here later.
*Note*: If you have any questions about the use of BFU please read *here*.

Download the trial version of *Ewido Anti-spyware* from *HERE* and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.


Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


Reboot your computer into *Safe Mode* now. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
*IMPORTANT:* Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
Ewido will now begin the scanning process. Be patient this may take a little time.
*Once the scan is complete do the following:*
If you have any infections you will be prompted, then select "*Apply all actions*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report.

*Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.*


----------



## kim-smells (Oct 4, 2006)

Here's my log for AlcanShorty.




BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 11:16:40 AM, on 6/10/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)
Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
Failed: FileDelete C:\DOCUME~1\THAONG~1\LOCALS~1\Temp\~DFE58E.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.


----------



## Cookiegal (Aug 27, 2003)

I assume you will be posting the other logs as well. I'm signing off for the night and will check back in the morning.


----------



## kim-smells (Oct 4, 2006)

Yeah, sorry. I was doing one thing at a time and whilst Ewido was loading I posted the log. Still more to come.


----------



## kim-smells (Oct 4, 2006)

Here's the report for Ewido Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	11:59:07 AM 6/10/2006

+ Scan result:

C:\Program Files\Adverts\uninst.exe -> Adware.Lop : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0285970.exe -> Adware.Lop : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP422\A0283456.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP422\A0283471.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283813.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283853.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283864.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283871.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284009.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284370.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284524.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284535.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284536.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0285038.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0285889.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP424\A0286456.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP424\A0287165.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP425\A0287412.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP422\A0283650.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP422\A0283651.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283748.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283749.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283851.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0283933.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284043.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284060.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP423\A0284862.dll -> Adware.SurfSide : Cleaned.
[scanner output continued; per-item "Cleaned" entries omitted]


----------



## kim-smells (Oct 4, 2006)

[scanner output continued; per-item "Cleaned" entries omitted]


----------



## kim-smells (Oct 4, 2006)

[scanner output continued; per-item "Cleaned" entries omitted]
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected]omniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.


----------



## kim-smells (Oct 4, 2006)

C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.320:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Estat : Cleaned.
:mozilla.321:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Estat : Cleaned.
:mozilla.322:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Estat : Cleaned.
:mozilla.610:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Estat : Cleaned.
:mozilla.265:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.266:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.267:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.268:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.417:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.503:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.504:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.505:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.22:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.34:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.35:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.36:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.38:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Goldenpalace : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Goldenpalace : Cleaned.
:mozilla.213:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.202:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.203:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.203:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.204:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.204:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.204:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.205:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.205:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.206:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.246:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.247:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.247:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.248:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.248:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.248:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.249:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.249:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.250:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.273:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.274:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.275:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.277:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.278:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.279:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.280:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.281:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.282:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.340:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.341:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.341:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.342:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.342:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.342:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.343:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.343:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.
:mozilla.344:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitbox : Cleaned.


----------



## kim-smells (Oct 4, 2006)

:mozilla.373:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.374:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.375:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.376:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.443:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.444:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.445:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.446:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.447:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.619:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.620:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.694:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.334:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.335:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.335:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.336:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.336:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.336:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.337:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.337:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.337:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.338:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.338:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.339:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Hitslink : Cleaned.
:mozilla.598:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.599:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.600:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.601:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.607:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.163:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.164:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.165:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.165:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.166:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.166:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.167:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.167:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.168:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.239:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.240:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.241:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.332:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.333:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.333:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.334:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.334:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
:mozilla.335:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Lop : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Lop : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Lop : Cleaned.
:mozilla.534:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.190:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.192:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.193:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.39:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.151:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.152:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.153:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.153:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.154:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.154:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.155:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.155:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.156:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Onestat : Cleaned.
:mozilla.759:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.760:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.761:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.235:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.236:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.363:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.364:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.365:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Overture : Cleaned.
:mozilla.487:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Planetactive : Cleaned.
:mozilla.227:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.228:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.228:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.229:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.229:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.229:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.230:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.230:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.231:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Pointroll : Cleaned.
:mozilla.420:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.421:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.422:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.423:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.283:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.284:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.215:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.216:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.217:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Questionmarket : Cleaned.


----------



## kim-smells (Oct 4, 2006)

:mozilla.273:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.274:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.275:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned.
:mozilla.254:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.255:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.256:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.257:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.258:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.259:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.260:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.261:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.262:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.263:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.264:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.160:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.176:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Ru4 : Cleaned.
:mozilla.178:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Ru4 : Cleaned.
:mozilla.179:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Ru4 : Cleaned.
:mozilla.772:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.146:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.147:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.148:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.149:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.150:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.151:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.164:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.48:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.49:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.50:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.51:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.57:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.57:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.58:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.58:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.59:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.59:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.60:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.62:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.63:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.313:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.376:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Sitestat : Cleaned.
:mozilla.377:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Sitestat : Cleaned.
:mozilla.378:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Sitestat : Cleaned.
:mozilla.880:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.608:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.129:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.130:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.131:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.132:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.133:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.134:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.135:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.136:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.137:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.138:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.139:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.140:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.141:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.142:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.16:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.17:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.18:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.19:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.23:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.24:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.24:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.25:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.25:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.26:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.26:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.356:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.357:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.157:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.158:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.159:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Targetnet : Cleaned.
:mozilla.42:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Targetnet : Cleaned.
:mozilla.43:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.197:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.682:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.686:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.202:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.44:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.45:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.676:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.677:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.678:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.679:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.680:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.681:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.194:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Valueclick : Cleaned.
:mozilla.196:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Valueclick : Cleaned.
:mozilla.197:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Valueclick : Cleaned.
:mozilla.687:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.784:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Vegasred : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Vegasred : Cleaned.
:mozilla.463:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.464:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.321:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.322:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.322:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.323:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.323:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.324:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Weborama : Cleaned.
:mozilla.852:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.853:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.196:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.197:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.198:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.379:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.380:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.381:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.692:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.883:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.11:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.12:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.13:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.14:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.15:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.16:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.35:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.43:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.44:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.44:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.45:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.46:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Yieldmanager : Cleaned.


----------



## kim-smells (Oct 4, 2006)

C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.252:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.253:C:\RECYCLER\NPROTECT\00081701.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.253:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.254:C:\RECYCLER\NPROTECT\00081702.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.254:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.255:C:\RECYCLER\NPROTECT\00081705.MOZ -> TrackingCookie.Zedo : Cleaned.
:mozilla.365:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.366:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Zedo : Cleaned.

::Report end


----------



## kim-smells (Oct 4, 2006)

here's Panda's ActiveScan report

Incident Status Location

Adware:Adware/Lop Not disinfected c:\docume~1\thaong~1\applic~1\surfow~1\mapipo~1.exe 
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe  
Adware:adware/abox Not disinfected Windows Registry 
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6} 
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\4 bolt.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\acidbody.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Build Road.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\curb dvd.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\delete about.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\FlagHide.exe  
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Four Sign.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\greybarb.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\NewWin.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\OPTION OBJ.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Rdr Mags.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Sizepoll.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\View Skip.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Wma1.exe 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.sensismediasmart.com.au/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.maxserving.com/]  
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.go.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.errorsafe.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.winfixer.com/] 
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[promo.match.com/] 
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.versiontracker.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.apmebf.com/]  
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tickle.com/] 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.did-it.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.ath.belnk.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.stats1.clicktracks.com/] 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\ckofpgpo.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\gaoixwmj.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\gqmpfnzs.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\hvfbfizv.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\kzlkgxcf.exe  
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\lxbcahef.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\Mapi Poke.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\mdxahlar.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\nbajdkpf.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\omojsacb.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\pfawopvk.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\pqsuvcws.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\sqclchnl.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\xfusrriq.exe


----------



## kim-smells (Oct 4, 2006)

Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\ydkcfsmp.exe 
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart\zjlngmti.exe 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][3].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][4].txt 
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Thao Nguyen\Desktop\mcs.exe[²ÜÇ\nsProcess.dll] 
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Thao Nguyen\Desktop\mny.exe[²ÜÇ\nsProcess.dll] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.belnk.com/]  
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.ath.belnk.com/]


----------



## kim-smells (Oct 4, 2006)

I don't think I was supposed to post the Ewido Anti-Spyware log, but I put it on just in case.


----------



## Cookiegal (Aug 27, 2003)

Yes, thanks.

You have a Lop infection that we need to address.

Download and unzip the following to a new folder:
http://metallica.geekstogo.com/findlop.zip

Inside the folder locate *findlop.bat*

Double click it and it will create the file C:\findlop.txt
Find that file and copy and paste the contents into your next post.


----------



## kim-smells (Oct 4, 2006)

Here's the contents of "findlop.bat":

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-Task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2006 13:05:00
NextRun: 10/13/2006 13:05:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 09/27/2006
EndDate: 00/00/0000
StartTime: 13:05
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Thao Nguyen'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/07/2006 21:57:00
NextRun: 10/08/2006 1:57:00
StartError: S_OK
ExitCode: 0x65
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

2 Triggers

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/08/2006
EndDate: 00/00/0000
StartTime: 01:57
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: AtLogon
StartDate: 12/30/2005
EndDate: 00/00/0000
StartTime: 10:51
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


----------



## Cookiegal (Aug 27, 2003)

I need to see a new HijackThis log before continuing please.


----------



## kim-smells (Oct 4, 2006)

No problems, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:48 AM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\THAONG~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {41B8344A-9921-1B30-6F75-590003E99AD2} - C:\DOCUME~1\THAONG~1\APPLIC~1\SETUPH~1\ONCE FAST.exe (file missing)
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## kim-smells (Oct 4, 2006)

Could you possibly tell me the state of my computer? Is it really infected? Thanks.


----------



## Cookiegal (Aug 27, 2003)

As I said, you are infected with LOP. I still need to get the folder name for one entry (we can go without it but I find it more effective to have the full path) so please do this:

Copy the part in bold below into notepad and save it as direxie.bat
Set File type to "All files"

*cd\
cd C:\Documents and Settings\%UserName%\Application Data
dir /x > C:\directory.txt
cd C:\Documents and Settings\All Users\Application Data
dir /x >> C:\directory.txt
cd C:\Program Files
dir /x >> C:\directory.txt
start notepad C:\directory.txt*

Start the file by double clicking direxie.bat
That will open a file called directory.txt. Post the content of that file.


----------



## kim-smells (Oct 4, 2006)

Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Documents and Settings\Thao Nguyen\Application Data

08/10/2006 10:51 AM Adobe
02/06/2005 07:47 PM CYBERL~1 CyberLink
26/08/2006 12:04 AM EBookSys
10/07/2005 03:52 PM 41,816 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
05/07/2006 08:10 PM Google
16/04/2006 02:29 PM Help
02/06/2005 05:54 PM IDENTI~1 Identities
24/09/2006 01:09 AM IMVU
03/10/2006 05:32 PM MACROM~1 Macromedia
20/09/2005 04:27 PM Mozilla
01/04/2006 04:20 PM Nokia
27/03/2006 05:06 PM NOKIAM~1 Nokia Multimedia Player
04/10/2006 11:51 AM SETUPH~1 setup hide copy
18/08/2006 05:01 PM Sun
06/10/2006 12:18 PM SURFOW~1 Surf owns heart
07/11/2005 07:38 PM Symantec
02/06/2005 08:30 PM THUMBS~1 ThumbsPlus
1 File(s) 41,816 bytes
16 Dir(s) 24,228,732,928 bytes free
Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Documents and Settings\All Users\Application Data

08/10/2006 10:51 AM Adobe
27/09/2006 05:09 PM APPLEC~1 Apple Computer
31/07/2005 11:57 AM Canon
06/10/2006 12:16 PM CLOCKD~1 ClockDrvFirstKind
02/06/2005 07:10 PM CYBERL~1 CyberLink
06/10/2006 03:37 PM DOWNLO~1 Downloaded Installations
02/06/2005 06:49 PM KASPER~1 Kaspersky Anti-Virus Personal
27/09/2006 04:13 PM MACROM~1 Macromedia
02/06/2003 07:06 PM MACROV~1 Macrovision
06/10/2005 01:34 PM MESSEN~1 Messenger Plus!
04/11/2005 06:36 PM NFSUND~1 NFS Underground
04/07/2006 07:05 PM PopCap
30/12/2005 12:48 PM Symantec
30/12/2005 10:16 AM WINDOW~1 Windows Genuine Advantage
12/07/2006 07:49 PM YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
15 Dir(s) 24,228,732,928 bytes free
Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Program Files

08/10/2006 10:38 PM .
08/10/2006 10:38 PM ..
04/06/2005 09:04 PM Adobe
06/10/2006 11:57 AM Adverts
02/06/2005 07:12 PM Ahead
27/09/2006 04:58 PM APPLES~1 Apple Software Update
02/06/2005 06:08 PM ATITEC~1 ATI Technologies
17/07/2005 04:39 PM Audacity
02/06/2005 06:03 PM AvRack
04/06/2005 12:27 PM BRITAN~1 Britannica
31/07/2005 11:57 AM Canon
06/10/2005 09:59 AM CODEMA~1 Codemasters
06/10/2006 03:37 PM COMMON~1 Common Files
02/06/2005 05:06 PM COMPLU~1 ComPlus Applications
02/06/2005 07:10 PM CYBERL~1 CyberLink
31/07/2005 11:40 AM D-Link
02/06/2005 08:36 PM E-BOOK~1 E-Book Systems
05/11/2005 11:44 AM EACom
02/06/2005 07:11 PM ELABOR~1 Elaborate Bytes
05/11/2005 11:42 AM ELECTR~1 Electronic Arts
02/06/2005 08:47 PM FORMOS~1 Formosoft
05/07/2006 08:09 PM  Google
06/10/2006 11:26 AM Grisoft
08/10/2006 10:29 AM HIJACK~1 Hijackthis
01/09/2006 07:43 PM IMVU
06/10/2006 12:27 PM INTERN~1 Internet Explorer
02/06/2005 08:42 PM iolo
26/07/2006 07:26 PM Java
02/06/2005 07:33 PM KASPER~1 Kaspersky Lab
24/08/2006 04:36 PM LimeWire
27/09/2006 04:13 PM MACROM~1 Macromedia
06/10/2006 12:31 PM MESSEN~1 Messenger
25/09/2006 09:22 PM MESSEN~3 Messenger Plus! Live
06/10/2006 12:31 PM MESSEN~2 MessengerPlus! 3
19/10/2005 07:30 PM MICROS~3 Microsoft ActiveSync
02/06/2005 05:10 PM MICROS~1 microsoft frontpage
19/10/2005 07:30 PM MICROS~2 Microsoft Office
19/10/2005 07:30 PM MICROS~1.NET Microsoft.NET
31/03/2006 07:08 PM MOVIEM~1 Movie Maker
25/02/2006 11:22 AM MOZILL~1 Mozilla Firefox
20/09/2005 04:27 PM mozilla.org
02/06/2005 05:06 PM MSN
23/03/2006 05:33 PM MSNAPP~1 MSN Apps
02/06/2005 05:06 PM MSNGAM~1 MSN Gaming Zone
06/10/2006 12:34 PM MSNMES~1 MSN Messenger
02/06/2005 06:39 PM NETMEE~1 NetMeeting
02/06/2005 05:08 PM ONLINE~1 Online Services
16/04/2006 09:38 AM OUTLOO~1 Outlook Express
02/06/2005 08:44 PM PICTUR~1 PicturesToExe
27/09/2006 05:14 PM QUICKT~1 QuickTime
02/06/2005 06:03 PM REALTE~1 Realtek Sound Manager
02/06/2005 06:04 PM SILICO~1 Silicon Integrated Systems
02/06/2005 06:01 PM SiSLan
02/06/2005 09:40 PM SIZEEX~1 SizeExplorer
04/10/2006 11:50 AM SURFOW~1 Surf owns heart
30/12/2005 12:50 PM Symantec
25/06/2005 04:32 PM Telstra
11/06/2006 11:45 AM Thumbs7
17/09/2005 12:59 PM VIRTUA~1 Virtual Makeover the Collection
06/10/2006 02:09 PM Winamp
11/06/2006 11:45 AM WINDOW~2 Windows Media Player
02/06/2005 06:39 PM WINDOW~1 Windows NT
02/06/2005 05:10 PM xerox
12/07/2006 07:16 PM Yahoo!
0 File(s) 0 bytes
64 Dir(s) 24,228,433,920 bytes free


----------



## kim-smells (Oct 4, 2006)

That was the contents of direxie.bat.


----------
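The direxie.bat step above exists because HijackThis prints some autostart paths in DOS 8.3 form (`C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe`), and `dir /x` is the cheapest way to recover the long names: it prints each generated alias beside the real name. The Python 3 script below (standard library only) is an added example, not code from the thread or from HijackThis, Killbox or Panda. It parses `dir /x` output into a per-directory alias table, expands each 8.3 component of a logged path against the listing of its own parent, and then reviews the O2/O4 entries with the recovered full paths. The listings for C:\, C:\Documents and Settings and the profile folder are constructed (the batch file above did not list them; they use the standard XP aliases, and in practice you would run `dir /x` at each level), the remaining listing lines and the HijackThis lines are copied from the thread, and the "launched from Application Data" test is a heuristic rather than a verdict.

```python
"""Resolve the 8.3 paths in a HijackThis log against `dir /x` output.

Added example for this thread, not code from HijackThis or the other tools named. The
C:\\, Documents and Settings and profile listings are constructed (standard XP aliases);
the other listing lines and the HijackThis lines are copied from the thread."""
import re
from collections import defaultdict

# Constructed: first three sections. From the thread: the last two (its copy lost the <DIR> column).
DIR_X_EXCERPT = r"""
 Directory of C:\
02/06/2005 05:06 PM <DIR> DOCUME~1 Documents and Settings
02/06/2005 05:06 PM <DIR> PROGRA~1 Program Files
 Directory of C:\Documents and Settings
02/06/2005 05:06 PM <DIR> ALLUSE~1 All Users
02/06/2005 05:54 PM <DIR> THAONG~1 Thao Nguyen
 Directory of C:\Documents and Settings\Thao Nguyen
02/06/2005 05:54 PM <DIR> APPLIC~1 Application Data
 Directory of C:\Documents and Settings\Thao Nguyen\Application Data
20/09/2005 04:27 PM Mozilla
04/10/2006 11:51 AM SETUPH~1 setup hide copy
06/10/2006 12:18 PM SURFOW~1 Surf owns heart
 Directory of C:\Program Files
06/10/2006 12:31 PM MESSEN~1 Messenger
25/09/2006 09:22 PM MESSEN~3 Messenger Plus! Live
06/10/2006 12:31 PM MESSEN~2 MessengerPlus! 3
"""

# O2/O4 lines copied from the thread's first HijackThis log; AVG and ctfmon are benign controls.
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {41B8344A-9921-1B30-6F75-590003E99AD2} - C:\DOCUME~1\THAONG~1\APPLIC~1\SETUPH~1\ONCE FAST.exe (file missing)
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# date, time, optional <DIR> marker or byte count, then "ALIAS~1 Long Name" or just the name
DIR_ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>\s+)?(?:[\d,]+\s+)?(?P<rest>\S.*?)\s*$")
SHORT_ALIAS = re.compile(r"^[^\s.]{1,6}~\d+(?:\.[^\s.]{1,3})?$")  # generated 8.3 aliases carry ~N
HJT_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk)', re.IGNORECASE)
APPDATA = re.compile(r"\\Application Data\\", re.IGNORECASE)


def parse_dir_x(text):
    """Build {parent dir (lower-cased): {ALIAS: long name}} from `dir /x` output.
    A name without ~N already fits 8.3, so it is its own alias."""
    table = defaultdict(dict)
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group("path").rstrip("\\").lower()
            continue
        entry = DIR_ENTRY.match(line)
        if not entry or current is None or entry.group("rest") in (".", ".."):
            continue
        first, _, long_name = entry.group("rest").partition(" ")
        if long_name and SHORT_ALIAS.match(first):
            table[current][first.upper()] = long_name
        else:
            table[current][entry.group("rest").upper()] = entry.group("rest")
    return table


def resolve_short_path(path, table):
    """Expand each 8.3 component using the listing of its own parent directory.
    Aliases are assigned per folder in creation order (MESSEN~1/~3/~2 above), so they
    cannot be guessed from the long name; unknown components are kept verbatim."""
    parts = path.split("\\")
    resolved = [parts[0]]  # drive, e.g. "C:"
    for component in parts[1:]:
        parent = "\\".join(resolved).lower()
        resolved.append(table.get(parent, {}).get(component.upper(), component))
    return "\\".join(resolved)


def review_autostarts(log, table):
    """One record per O2/O4 entry with a drive-qualified path, with the resolved path
    and the Lop-style indicators it trips. "Launched from Application Data" is a
    heuristic: installed software normally autostarts from Program Files or %SystemRoot%."""
    findings = []
    for line in log.splitlines():
        match = HJT_PATH.search(line) if line.startswith(("O2 -", "O4 -")) else None
        if not match:
            continue
        full = resolve_short_path(match.group(0), table)
        reasons = []
        if APPDATA.search(full):
            reasons.append("launched from an Application Data folder")
        if "(file missing)" in line:
            reasons.append("registered component is no longer on disk")
        findings.append({"section": line[:2], "logged": match.group(0), "full": full,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    aliases = parse_dir_x(DIR_X_EXCERPT)
    for f in review_autostarts(HJT_EXCERPT, aliases):
        print("SUSPECT" if f["suspicious"] else "ok     ", f["section"], f["full"], "; ".join(f["reasons"]))
```

Two things the listing itself teaches. Aliases are generated per directory in creation order, so MESSEN~1, MESSEN~2 and MESSEN~3 in the Program Files listing map to Messenger, MessengerPlus! 3 and Messenger Plus! Live in that order rather than alphabetically, which is why a path has to be resolved level by level from the listings rather than guessed from the long names. And the resolved path tells you which profile a folder actually lives in: SETUPH~1 under THAONG~1 comes back as the user's own Application Data, not All Users, which matters when the next step is deleting by full path.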



## Cookiegal (Aug 27, 2003)

*Click Here* and download Killbox and save it to your desktop, but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
O2 - BHO: (no name) - {41B8344A-9921-1B30-6F75-590003E99AD2} - C:\DOCUME~1\THAONG~1\APPLIC~1\SETUPH~1\ONCE FAST.exe (file missing)

O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll (file missing)

O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Chin Live.exe

O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
*

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind
C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart
C:\Documents and Settings\All Users\Application Data\setup hide copy
C:\Documents and Settings\Thao Nguyen\Desktop\mcs.exe
C:\Documents and Settings\Thao Nguyen\Desktop\mny.exe
*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.


----------



## kim-smells (Oct 4, 2006)

There was 1 file that did not exist when using killbox.exe
This was:
C:\Documents and Settings\All Users\Application Data\setup hide copy


----------



## kim-smells (Oct 4, 2006)

Here's the most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:32 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

The log looks good.

Please run another Panda scan so I can see if anything remains that needs to be addressed.


----------



## kim-smells (Oct 4, 2006)

Here's the latest Panda scan:



Incident Status Location 

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe 
Adware:adware/abox Not disinfected Windows Registry 
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6} 
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}  
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\4 bolt.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\acidbody.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Build Road.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Chin Live.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\curb dvd.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\delete about.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\FlagHide.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Four Sign.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\greybarb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\NewWin.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\OPTION OBJ.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Rdr Mags.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Sizepoll.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\View Skip.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Wma1.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mcs.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mny.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ckofpgpo.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gaoixwmj.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gqmpfnzs.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\hvfbfizv.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\kzlkgxcf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\lxbcahef.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\Mapi Poke.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\mdxahlar.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\nbajdkpf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\omojsacb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pfawopvk.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pqsuvcws.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\sqclchnl.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\xfusrriq.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ydkcfsmp.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\zjlngmti.exe


----------



## kim-smells (Oct 4, 2006)

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.serving-sys.com/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.bs.serving-sys.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tradedoubler.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.sensismediasmart.com.au/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.go.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.errorsafe.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.winfixer.com/] 
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[promo.match.com/] 
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.versiontracker.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tickle.com/] 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.did-it.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.ath.belnk.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.stats1.clicktracks.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.ath.belnk.com/]  
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixKim.zip file. Save it to your desktop. Unzip it and double click on the FixKim.reg file and allow it to enter into the registry.

Boot to safe mode and run Killbox on these files:

*c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe 
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller*

Reboot and post a new Panda scan please.


----------



## kim-smells (Oct 4, 2006)

Whilst in Killbox, I tried to delete:
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller
but it said that the file did not exist. The other file was deleted.


----------



## kim-smells (Oct 4, 2006)

Incident Status Location

Adware:adware/abox Not disinfected Windows Registry 
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6} 
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} 
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\4 bolt.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\acidbody.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Build Road.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Chin Live.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\curb dvd.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\delete about.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\FlagHide.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Four Sign.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\greybarb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\NewWin.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\OPTION OBJ.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Rdr Mags.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Sizepoll.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\View Skip.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Wma1.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mcs.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mny.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ckofpgpo.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gaoixwmj.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gqmpfnzs.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\hvfbfizv.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\kzlkgxcf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\lxbcahef.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\Mapi Poke.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\mdxahlar.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\nbajdkpf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\omojsacb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pfawopvk.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pqsuvcws.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\sqclchnl.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\xfusrriq.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ydkcfsmp.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\zjlngmti.exe 
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\!KillBox\UDC6_0001_D19M1908NetInstaller.exe 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.go.com/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.mediaplex.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.sensismediasmart.com.au/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.serving-sys.com/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.bs.serving-sys.com/] 
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tradedoubler.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.errorsafe.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.winfixer.com/] 
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[promo.match.com/] 
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.versiontracker.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tickle.com/] 
Spyware:Cookie/did-it Not disinfected


----------



## kim-smells (Oct 4, 2006)

C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.did-it.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.ath.belnk.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.stats1.clicktracks.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.ath.belnk.com/]  
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.ath.belnk.com/] 
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe


----------



## kim-smells (Oct 4, 2006)

That was the latest Panda scan


----------



## kim-smells (Oct 4, 2006)

could you possibly tell me about the state of my computer?? is it getting better or worse??

thanks


----------



## Cookiegal (Aug 27, 2003)

We're almost done but it looks like there may be a permissions issue in the registry. We will have to do some manual edits. Are you up for that?


----------



## kim-smells (Oct 4, 2006)

yep, sure am.. anything to make my computer better... thanks


----------



## Cookiegal (Aug 27, 2003)

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top.
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Expand the following registry keys/sub-keys by clicking on the + to their left:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Ext
Stats

Under Stats you will see several folders (also in the left-hand pane).

Locate these three and right click on them and select "delete". Be careful to select the correct ones, as there are several and sometimes there is only one digit that is different. If you do that and it won't delete, let me know. We may have to change permissions.

*{A1426AC5-8CE5-4A00-B71E-011D35709AC6}*

*{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}*

*{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}*

When you're done, reboot and run another Panda scan and post the results please.
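The same backup-then-delete procedure as a script, added here as an illustration and not part of Cookiegal's instructions or of any tool named in the thread. It assumes a Windows host with reg.exe and PowerShell 2.0 or later (try/catch is not available in 1.0); the backup path `C:\backup-hkcu.reg` is an assumption standing in for the "somewhere safe, not the desktop" location above, and the three CLSIDs are the ones the Panda scan reported under `Ext\Stats`. The function reports `access-denied` for a key whose ACL blocks the delete, which is the "permissions issue" the helper anticipates, rather than failing silently.

```powershell
# Added example: back up HKCU, then remove the three Ext\Stats sub-keys
# listed in the thread and report what happened to each.
# Assumptions: Windows host, reg.exe present, PowerShell 2.0+,
# backup path chosen by the operator (C:\backup-hkcu.reg is a placeholder).

$BackupPath = 'C:\backup-hkcu.reg'
$StatsKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$Targets    = @(
    '{A1426AC5-8CE5-4A00-B71E-011D35709AC6}',   # dialer.asl  (from the Panda scan)
    '{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}',   # zango       (from the Panda scan)
    '{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}'    # funweb      (from the Panda scan)
)

function Backup-UserHive {
    param([string]$Path)
    # Refuse to overwrite an earlier backup; the operator decides what to keep.
    if (Test-Path $Path) { throw "A backup already exists at $Path; move it first." }
    # reg.exe export writes a .reg file that regedit can re-import if the edit goes wrong.
    & reg.exe export HKCU $Path | Out-Null
    if (-not (Test-Path $Path)) {
        throw "Backup was not written to $Path; stopping before any deletion."
    }
    Write-Host "Registry backup written to $Path"
}

function Remove-ExtStatsKeys {
    param([string]$Parent, [string[]]$Clsids)
    $results = @{}
    foreach ($clsid in $Clsids) {
        $full = Join-Path $Parent $clsid
        if (-not (Test-Path $full)) {
            # Already gone (or never present): nothing to do, but record it.
            $results[$clsid] = 'absent'
            continue
        }
        try {
            Remove-Item -Path $full -Recurse -Force -ErrorAction Stop
            # Re-check instead of trusting the cmdlet's silence.
            $results[$clsid] = if (Test-Path $full) { 'still-present' } else { 'deleted' }
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            # The key's ACL denies the current user; permissions must be changed first.
            $results[$clsid] = 'access-denied'
        } catch {
            $results[$clsid] = "error: $($_.Exception.Message)"
        }
    }
    return $results
}

# Usage: back up first, then delete, then print one line per CLSID.
Backup-UserHive -Path $BackupPath
$outcome = Remove-ExtStatsKeys -Parent $StatsKey -Clsids $Targets
$outcome.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0}  {1}" -f $_.Name, $_.Value }
```

Because the CLSID list is a parameter, the same function can be re-run against a different key name if a later scan reports one, as the final Panda output in this thread does under a new GUID; the backup step still runs first each time.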


----------



## kim-smells (Oct 4, 2006)

I was able to delete all three objects....

panda is doing a scan now


----------



## kim-smells (Oct 4, 2006)

Incident Status Location

Adware:adware/abox Not disinfected Windows Registry 
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48} 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\4 bolt.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\acidbody.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Build Road.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Chin Live.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\curb dvd.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\delete about.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\FlagHide.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Four Sign.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\greybarb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\NewWin.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\OPTION OBJ.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Rdr Mags.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Sizepoll.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\View Skip.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Wma1.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mcs.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mny.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ckofpgpo.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gaoixwmj.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gqmpfnzs.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\hvfbfizv.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\kzlkgxcf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\lxbcahef.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\Mapi Poke.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\mdxahlar.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\nbajdkpf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\omojsacb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pfawopvk.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pqsuvcws.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\sqclchnl.exe  
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\xfusrriq.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ydkcfsmp.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\zjlngmti.exe 
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\!KillBox\UDC6_0001_D19M1908NetInstaller.exe 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.sensismediasmart.com.au/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.perf.overture.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/]  
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tribalfusion.com/] 
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.targetnet.com/] 
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.revenue.net/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tradedoubler.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.go.com/] 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.mediaplex.com/]  
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.serving-sys.com/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.bs.serving-sys.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.errorsafe.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.winfixer.com/]  
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[promo.match.com/] 
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.versiontracker.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tickle.com/] 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.did-it.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.ath.belnk.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.stats1.clicktracks.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Doubleclick Not disinfected


----------



## kim-smells (Oct 4, 2006)

C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.fortunecity.com/]  
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.ath.belnk.com/] 
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe


----------



## kim-smells (Oct 4, 2006)

I hope everything will be OK soon.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on this file:

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe

Again you need to delete an entry in the registry (the bolded one), the same way you did before.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

*{0D62A517-E7C6-4E1F-A577-07D4AC549A48}*

Let me know how that goes please.

Then do another Panda scan and post the results.


----------



## kim-smells (Oct 4, 2006)

Sorry, I wasn't quite sure about the instructions for that.

So when I run Killbox, do I paste:
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe
in the "Full path to file to delete" section, and then click the "x"?

And also, for the second part, do I go to Run and type in regedit and then follow the same instructions as before?

Sorry about that, I just wanted to be 100% sure, just in case I made any mistakes.

Thanks heaps.


----------



## Cookiegal (Aug 27, 2003)

The answer is yes to both questions.


----------



## kim-smells (Oct 4, 2006)

Here's the most recent Panda scan:

Incident Status Location

Adware:adware/abox Not disinfected Windows Registry 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\4 bolt.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\acidbody.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Build Road.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Chin Live.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\curb dvd.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\delete about.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\FlagHide.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Four Sign.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\greybarb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\NewWin.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\OPTION OBJ.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Rdr Mags.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Sizepoll.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\View Skip.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\ClockDrvFirstKind\Wma1.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mcs.exe 
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\mny.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ckofpgpo.exe 
Adware:Adware/Lop Not disinfected  C:\!KillBox\Surf owns heart\gaoixwmj.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\gqmpfnzs.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\hvfbfizv.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\kzlkgxcf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\lxbcahef.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\Mapi Poke.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\mdxahlar.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\nbajdkpf.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\omojsacb.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pfawopvk.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\pqsuvcws.exe 
Adware:Adware/Lop Not disinfected  C:\!KillBox\Surf owns heart\sqclchnl.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\xfusrriq.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\ydkcfsmp.exe 
Adware:Adware/Lop Not disinfected C:\!KillBox\Surf owns heart\zjlngmti.exe 
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\!KillBox\UDC6_0001_D19M1908NetInstaller.exe 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.doubleclick.net/] 
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.statcounter.com/] 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.yieldmanager.com/] 
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fastclick.net/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[ad.sensismediasmart.com.au/] 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.advertising.com/] 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tribalfusion.com/] 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.advertising.com/] 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atdmt.com/] 
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.perf.overture.com/] 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.casalemedia.com/] 
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.targetnet.com/] 
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.revenue.net/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tradedoubler.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.go.com/] 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.mediaplex.com/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.serving-sys.com/] 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.bs.serving-sys.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.drivecleaner.com/] 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[stats.drivecleaner.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.errorsafe.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.winfixer.com/] 
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[promo.match.com/] 
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.versiontracker.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.apmebf.com/] 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.tickle.com/] 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.did-it.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.ath.belnk.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt[.stats1.clicktracks.com/] 
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected


----------



## kim-smells (Oct 4, 2006)

C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt 
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081701.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081702.MOZ[.ath.belnk.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.belnk.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.fortunecity.com/] 
Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00081705.MOZ[.ath.belnk.com/]


----------



## Cookiegal (Aug 27, 2003)

How are things running now?


----------



## kim-smells (Oct 4, 2006)

I was able to delete both items in your previous post.


----------



## Cookiegal (Aug 27, 2003)

Yes, I saw that. Is everything fine now?


----------



## kim-smells (Oct 4, 2006)

Yes, I think so. I never thought that there were that many problems in the first place. My only problem was deleting yinstall. I don't see it on my desktop anymore. Does that mean that it has been removed permanently?


----------



## Cookiegal (Aug 27, 2003)

You should be fine now.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.

If I asked you to enable everything via Msconfig at the beginning then you should go back and set it the way it was before. Otherwise, you should trim down your start-ups as there are too many running. You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig and then click on the start-up tab.

http://castlecops.com/StartupList.html
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php


----------



## kim-smells (Oct 4, 2006)

For the msconfig, is there any way to know how it was before? Because I'm not sure.

And could I ask what start-ups are? Sorry, very computer illiterate.

Thanks a lot.


----------



## Cookiegal (Aug 27, 2003)

See my post no. 2. I have no way of knowing if anything had been taken out of startups before. These are items that load when your computer starts up.


----------



## kim-smells (Oct 4, 2006)

So do I disable all of those things?


----------



## Cookiegal (Aug 27, 2003)

No.


> You can research them at these sites and *if they aren't required at start-up* then you can uncheck them in msconfig via Start - Run - type msconfig and then click on the start-up tab.


----------



## kim-smells (Oct 4, 2006)

I made some changes to System Configuration Utility and then restarted my computer. This message came up:

You have used System Configuration Utility to make changes to the way Windows starts.

The System Configuration Utility is currently in Diagnostic or Selective Start up mode, causing this message to be displayed and the utility to run every time Windows starts. 

Choose the Normal Startup mode on the General Tab to start windows normally and undo the changes you made using System Configuration Utility. 



Now I'm not sure what to do. Should I undo the changes to System Configuration Utility that I made previously?

Thanks.


----------



## Cookiegal (Aug 27, 2003)

No, that is normal. You just need to check the box that says something to the effect of not showing this message again.


----------



## kim-smells (Oct 4, 2006)

Oh okay, thanks. Is there anything else I need to do?


----------



## kim-smells (Oct 4, 2006)

Oh no, I think something bad has happened to my computer again. Sorry about this. Popups keep coming up and there's a small toolbar on my taskbar for searching, and I don't seem to know how to get rid of it.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:22 PM, on 19/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\in.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msrg.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
c:\ac3_0010.exe
c:\ac3_0010.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\VGhhbw\command.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\FNTS~1\notepad.exe
c:\dfndrff_e33.exe
c:\kybrdff_e33.exe
c:\nwnmff_e33.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\in.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e33.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e33.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e33.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kudhela3.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhhbw\command.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Again, I'm terribly sorry to do this to you.
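The log above is what the helper reads to spot the new infection: Run entries launching executables from C:\, a Run value named "explorer" that points into the Firefox folder, an AppInit_DLLs hook, a Winlogon Notify DLL (the kudhela3.dll that Look2Me-Destroyer later reports as infected) and a service with no vendor string in an odd WINDOWS subfolder. As an added example, not code from this thread, from HijackThis or from either poster, here is a small Python triage script that encodes those checks so they can be run over a saved log. The rules are my own assumptions, the sample lines are a subset copied from the log above, and anything the script flags is a review list for a human, not a verdict; in particular a service living under Program Files is not thereby clean.

```python
"""Triage a HijackThis-style log for the entry types a helper looks at first.

Added example; the heuristics are assumptions and will produce false
positives, so treat the output as a list of items to research, not a verdict.
"""
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "code reason detail")

# Constructed sample: a subset of the lines posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\in.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e33.exe
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt yazr
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\kudhela3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhhbw\command.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\+[^\\]+$", re.I)          # C:\foo.exe
SHORTNAME_SYS32_RE = re.compile(r"\\system32\\[^\\]*~\d+\\", re.I)  # system32\FNTS~1\
# Run-value names that only make sense for core Windows binaries (assumed list).
SYSTEM_NAMES = {"explorer", "svchost", "winlogon", "lsass", "csrss", "services"}


def image_path(cmd):
    """Executable part of a Run command line: quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def check_o4(body):
    m = O4_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), image_path(m.group("cmd"))
    out = []
    if DRIVE_ROOT_RE.match(path):
        out.append(Finding("O4", "Run entry launches an executable from the drive root", path))
    if name.lower() in SYSTEM_NAMES and "\\windows\\" not in path.lower():
        out.append(Finding("O4", f"Run value named like a Windows component ({name}) but launches elsewhere", path))
    if SHORTNAME_SYS32_RE.search(path):
        out.append(Finding("O4", "Run entry launches from an 8.3 short-name folder under system32", path))
    return out


def check_o20(body):
    if body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        return [Finding("O20", "AppInit_DLLs injects a DLL into every user-mode process", dll)] if dll else []
    if body.startswith("Winlogon Notify:"):
        return [Finding("O20", "Winlogon Notify DLL loads at logon with SYSTEM rights", body.split(" - ", 1)[-1])]
    return []


def check_o23(body):
    m = O23_RE.match(body)
    if not m:
        return []
    low = m.group("path").lower()
    if m.group("owner") == "Unknown owner" and "\\system32\\" not in low and "\\program files\\" not in low:
        return [Finding("O23", "Service with no vendor string running outside system32/Program Files", m.group("path"))]
    return []


def triage(log_text):
    """Return Findings in log order; the R0/R1 domain summary is appended last."""
    findings, domains = [], Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and "= http" in body:
            host = urlparse(body.split("= ", 1)[1].strip()).hostname or ""
            domains[".".join(host.split(".")[-2:])] += 1   # crude registrable domain
        elif code == "O4":
            findings.extend(check_o4(body))
        elif code == "O20":
            findings.extend(check_o20(body))
        elif code == "O23":
            findings.extend(check_o23(body))
    for domain, n in domains.items():
        if n >= 3:   # several IE search/start settings rewritten to one site
            findings.append(Finding("R0/R1", f"{n} IE search/start settings point at one domain", domain))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:6} {f.reason}: {f.detail}")
```

Run it as `python triage_hjt.py` (any file name will do) and it prints seven review items for the sample, while leaving the Yahoo! BHO, the SoundMan entry and the Canon service alone. To use it on a real log, read the saved HijackThis text into `triage()` instead of `SAMPLE_LOG`.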


----------



## kim-smells (Oct 4, 2006)

Anyway, I'm off to bed; I have an early start tomorrow. Hope that it can be fixed easily.


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download Look2Me-Destroyer.exe and save it to your desktop.

Close all windows before continuing.
Double-click *Look2Me-Destroyer.exe* to run it.
Put a check next to *Run this program as a task.* 
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click *OK*
When Look2Me-Destroyer re-opens, click the *Scan for L2M* button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the *Remove L2M* button.
You will receive a *Done Scanning* message, click *OK*.
When completed, you will receive this message: *Done removing infected files! Look2Me-Destroyer will now shutdown your computer*, click *OK*.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\*Look2Me-Destroyer.txt* and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a *runtime error '339'* please download MSWINSCK.OCX from the link below and place it in your *C:\Windows\System32* Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


----------



## kim-smells (Oct 4, 2006)

Here are the contents from Look2Me-Destroyer:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 06-10-20 18:57:10

Infected! C:\WINDOWS\system32\kudhela3.dll
Infected! C:\WINDOWS\system32\kudhela3.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\kudhela3.dll
C:\WINDOWS\system32\kudhela3.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kudhela3.dll
C:\WINDOWS\system32\kudhela3.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9F1003B2-180A-4C45-9A09-AE494D6BCB6E}"
HKCR\Clsid\{9F1003B2-180A-4C45-9A09-AE494D6BCB6E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


----------



## kim-smells (Oct 4, 2006)

Here's the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:21 PM, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\VGhhbw\command.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Mozilla Firefox\in.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\dfndrff_e33.exe
C:\kybrdff_e33.exe
C:\nwnmff_e33.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\in.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e33.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e33.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e33.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhhbw\command.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


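The log above carries several of the signs a malware-removal helper scans for before reading the entries one by one: executables launched straight from the drive root, a `notepad.exe` copy living in a `FNTS~1` subfolder, a Run entry named `explorer` that actually starts `in.exe`, a path printed as `?asks\??plorer.exe` (characters HijackThis cannot display), a `rundll32` entry loading a DLL by bare name, a populated `AppInit_DLLs` value, a `Winlogon Notify` package, and a service running from `C:\WINDOWS\VGhhbw`, which is base64 for "Thao", the account name that appears elsewhere in the log. The script below is an added example, not part of this thread or of HijackThis; it runs those heuristics over an excerpt of the log (the lines are copied from the log above, with a few benign entries left in so the filter has something to pass). The `DECOY_RUN_NAMES` and `SYSTEM_BINARIES` sets are assumptions chosen from this thread and would need extending for other logs.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample: lines excerpted from the HijackThis log posted above,
# plus a few benign entries so the filter has something to let through.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {153BC013-57D0-0627-DEDB-72B59BC5DECA} - C:\WINDOWS\system32\gaaexmd.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\in.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e33.exe
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhhbw\command.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
"""

# Binaries that belong in %WINDIR% or %WINDIR%\system32; a copy anywhere else
# is the "real name, wrong folder" trick. (Assumption: small list for this thread.)
SYSTEM_BINARIES = {"notepad.exe", "explorer.exe", "svchost.exe", "lsass.exe"}
# Run-value names that borrow a Windows component's name. (Assumption: taken
# from the entries seen in this thread.)
DECOY_RUN_NAMES = {"explorer", "defender", "svchost"}
PATH_RE = re.compile(r"([A-Za-z]:\\{1,2}.*?\.(?:exe|dll))", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def base64_dirname(path):
    """If the directory directly under \\WINDOWS\\ is a base64 token that decodes
    to plain letters, return the decoded text; otherwise return None."""
    m = re.search(r"\\WINDOWS\\([A-Za-z0-9+/]{4,})\\", path, re.I)
    if not m:
        return None
    token = m.group(1)
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text.isalpha() else None


def triage(log_text):
    """Return (section, line, reasons) for every log line that trips a heuristic."""
    findings = []
    domains = Counter()
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        m = PATH_RE.search(line)
        path = re.sub(r"\\+", r"\\", m.group(1)) if m else ""  # collapse C:\\ to C:\
        parts = path.split("\\")
        base = parts[-1].lower() if path else ""
        parent = parts[-2].lower() if len(parts) > 1 else ""
        if path:
            if len(parts) == 2:
                reasons.append("executable launched from the drive root")
            if "?" in path:
                reasons.append("unprintable characters in the path (obfuscated folder/file name)")
            if base in SYSTEM_BINARIES and parent not in ("windows", "system32"):
                reasons.append(f"{base} running from '{parent}' instead of the Windows directory")
            tag = base64_dirname(path)
            if tag:
                reasons.append(f"directory under \\WINDOWS is base64 for '{tag}'")
        if section in ("R0", "R1"):
            u = URL_RE.search(line)
            if u:  # count registrable domains across all start/search settings
                domains[".".join(u.group(1).lower().split(".")[-2:])] += 1
        elif section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        elif section == "O4":
            k = re.search(r"\[([^\]]+)\]\s*(.*)", line)
            name, target = (k.group(1).lower(), k.group(2)) if k else ("", "")
            if name in DECOY_RUN_NAMES and base != name + ".exe":
                reasons.append(f"Run value named '{name}' launches '{base or target}'")
            if "rundll32" in target.lower() and "\\" not in target:
                reasons.append("rundll32 loads a DLL by bare name (resolved through the DLL search path)")
        elif section == "O20":
            if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs set: injected into every process that loads user32.dll")
            elif "Winlogon Notify" in line:
                reasons.append("Winlogon Notify package: loaded by winlogon.exe, outlives user-mode cleanup")
        if reasons:
            findings.append((section, line, reasons))
    for dom, n in domains.items():
        if n >= 2:
            findings.append(("R0/R1", dom, [f"{n} browser start/search settings point at {dom}"]))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      -> {r}")
```

Nothing here proves a line is malicious; it orders the log so a reader gets to the suspicious entries first, and every rule is a heuristic that a legitimate program can occasionally trip. The base64 check is the weakest of them and is only worth acting on when, as here, the decoded text is meaningful.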
----------



## kim-smells (Oct 4, 2006)

Look2Me-Destroyer did not reopen automatically after turning it back on again. I tried rebooting yet it still would not reopen.


----------



## Cookiegal (Aug 27, 2003)

Close Internet Explorer and keep it closed throughout the entire removal process.


Go to Control Panel > Add/Remove Programs and remove:

*DeluxeCommunications*

If there is no Add or Remove Programs entry for this program, click on *Start*, then *Run* and type the following in the open field:

*C:\Program Files\DeluxeCommunications\Dxc.exe /u*

Then press the OK button.

The DeluxeCommunications uninstall program will load and you will be asked to enter a security code. Enter the following security code in that field and then press OK: *21fb28*

The uninstall process will then tell you that all browser windows will be closed if you continue. Press the Yes button to continue uninstalling DeluxeCommunications.

When it asks if you would like to reboot, press the Yes button so that your computer reboots.

Download the *FixDXC.reg* and save it on your desktop.

When the *FixDXC.reg* file has finished downloading, double-click on the file. When it asks if you would like to add the information into the registry, click on the Yes button and then on the OK button at the next prompt.

Finally search for the following files. If they exist, they will be in the C:\Documents and Settings\Application Data folder. When you find these files, delete them:

*Dxcknwrd.dll
Dxccwrd.dll*

Reboot and post a new HijackThis log please.


----------



## kim-smells (Oct 4, 2006)

When you said to do this:
The DeluxeCommunications uninstall program will load and you will be asked to enter a security code. Enter the following security code in that field and then press OK: 21fb28

there was a different code for it, and it was given. I'm not sure if you wanted to know that, but I just wanted to tell you, just in case.


----------



## kim-smells (Oct 4, 2006)

Also, the link you gave me in this instruction did not work: 
Download the FixDXC.reg and save it on your desktop.

It came up in a new window and contained the following:
REGEDIT4

[-HKEY_CURRENT_USER\Software\DeluxeCommunications]
[-HKEY_LOCAL_MACHINE\SOFTWARE\DeluxeCommunications]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
"{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
"{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

That was all there was.

And is there any possible way of getting rid of the virus quickly? Other people have told me to do a System Restore or to format, but I said that I would continue this just to be 100% sure. The virus is really frustrating me, though.

Thanks.


----------



## kim-smells (Oct 4, 2006)

Also, another thing, again not sure if this is relevant to the viruses: there is a pop-up that comes up whilst on MSN, just before the virus link is sent to everyone.

It says:
Run-time error'-214746759 (80004005)
Method '~' object '~' failed 


And could you possibly tell me the state of my computer?


----------



## Cookiegal (Aug 27, 2003)

That's fine about the code. It's whatever the code is that is given by the uninstaller.

You didn't use the reg file properly. You just opened it in Notepad. You were supposed to double click on it. This would trigger an alert box asking if you want to add it to the registry. Please do that now and then post a new HijackThis log.

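The confusion above comes from treating a .reg file as a page to read rather than a script for Registry Editor: `REGEDIT4` is the header, `[-KEY]` deletes a whole key, `"name"=-` deletes a single value, and `"name"=""` sets a value to an empty string. Merged, the file quoted earlier removes the DeluxeCommunications keys and its URL search hook `{A8BD6820-...}` from both hives and recreates the `{CFBFAE00-...}` entry, the stock Microsoft URL search hook. The parser below is an added example, not part of this thread or of any removal tool; it reads a .reg file and lists what merging it would do, without touching the registry, which is a sensible check before double-clicking a fix file someone has sent you. The copy of FixDXC.reg embedded in it is transcribed from the post above.

```python
import re

# Transcribed from the FixDXC.reg contents quoted earlier in the thread.
FIXDXC_REG = r'''REGEDIT4

[-HKEY_CURRENT_USER\Software\DeluxeCommunications]
[-HKEY_LOCAL_MACHINE\SOFTWARE\DeluxeCommunications]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
"{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
"{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo the two escapes .reg strings use: \\\\ for a backslash, \\" for a quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a .reg file into (action, key, value_name, data) tuples without
    touching the registry. Covers delete-key, delete-value, string and dword
    entries; anything else is kept verbatim as 'set_raw'."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group(2)
            if k.group(1) == "-":
                ops.append(("delete_key", key, None, None))
                key = None            # a deleted key has no values to set
            continue
        v = VALUE_RE.match(line)
        if not v or key is None:
            raise ValueError(f"cannot interpret line: {raw!r}")
        name = "(Default)" if v.group(1) == "@" else unescape(v.group(2))
        data = v.group(3).strip()
        if data == "-":
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            ops.append(("set_string", key, name, unescape(data[1:-1])))
        elif data.lower().startswith("dword:"):
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        else:
            ops.append(("set_raw", key, name, data))
    return ops


def describe(ops):
    """Human-readable dry run, one line per operation."""
    verbs = {"delete_key": "DELETE KEY", "delete_value": "DELETE VALUE",
             "set_string": "SET STRING", "set_dword": "SET DWORD", "set_raw": "SET"}
    out = []
    for action, key, name, data in ops:
        text = f"{verbs[action]}  {key}"
        if name is not None:
            text += f"  [{name}]"
        if data is not None:
            text += f"  = {data!r}"
        out.append(text)
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(FIXDXC_REG))))
```

The dry run is the point: a fix file from a forum is a script that runs with your privileges the moment you merge it, so read the operations it would perform first. If the list contains anything other than the keys and values the helper said it would touch, ask before merging.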

----------



## kim-smells (Oct 4, 2006)

The reg file has not been saved yet. I just clicked on the link you gave me and it came up with what I wrote in my previous post.


----------



## kim-smells (Oct 4, 2006)

Well, I'm halfway there. I was able to run the program that was given: I was using Mozilla before, and when I changed to Internet Explorer it was able to work.


Also, when I tried to locate:
Dxcknwrd.dll
and Dxckwrd.dll

the folder 'Application Data' was not found in Documents and Settings.
The folders that were in there were: All Users and Thao Nguyen.

I'm not sure what to do now. And again, I'm very sorry about all this.


----------



## Cookiegal (Aug 27, 2003)

Go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next, click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".


Then you should be able to see the Application Data folder to locate those files.


Please post a new HijackThis log.


----------



## kim-smells (Oct 4, 2006)

I was able to find:
Dxcknwrd.dll but there were two files of the same name, so i deleted both.

Yet I was not able to find:
Dxccwrd.dll

Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:14:23 PM, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\VGhhbw\command.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Mozilla Firefox\in.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\dfndrff_e34.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\Program Files\?asks\??plorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\dfndrff_e35.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {153BC013-57D0-0627-DEDB-72B59BC5DECA} - C:\WINDOWS\system32\gaaexmd.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\in.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e35.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e35.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e35.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VGhhbw\command.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


----------



## kim-smells (Oct 4, 2006)

I have come across yet another problem. I am not able to turn my Windows Firewall on due to an unknown problem.


----------



## Cookiegal (Aug 27, 2003)

The infection has regenerated so please do this and follow the instructions very carefully:


Open the Alcan Shorty folder & double click the *run.bat* file to run it.
This will download a file called BFU.exe and a BFU script. 
If your firewall asks for permission to connect to the Internet you must allow it.
A message box will pop up saying "complete". 
Be patient and wait for the message box to appear as it may take some time.
Press OK then BFU.exe will open. 
Select the option to "Show log after script ends"
Execute the script by clicking the *Execute* button.
Note that you should see a progress bar while the script is being executed.
When the script has finished press "copy" and that will make a copy of the report in your clipboard. 
Paste the log into Notepad and save it to your desktop to post back here later.
*Note*: If you have any questions about the use of BFU please read *here*.

Close Internet Explorer and keep it closed throughout the entire removal process.


Go to Control Panel > Add/Remove Programs and remove:

*DeluxeCommunications*

If there is no Add or Remove Programs entry for this program, click on *Start*, then *Run* and type the following in the open field:

*C:\Program Files\DeluxeCommunications\Dxc.exe /u*

Then press the OK button.

The DeluxeCommunications uninstall program will load and you will be asked to enter a security code. Enter the security code in that field and then press OK.

The uninstall process will then tell you that all browser windows will be closed if you continue. Press the Yes button to continue uninstalling DeluxeCommunications.

When it asks if you would like to reboot, press the Yes button so that your computer reboots.

Download the *FixDXC.reg* and save it on your desktop.

When the *FixDXC.reg* file has finished downloading, double-click on the file. When it asks if you would like to add the information into the registry, click on the Yes button and then on the OK button at the next prompt.

Finally search for the following files. If they exist, they will be in the C:\Documents and Settings\Application Data folder. When you find these files, delete them:

*Dxcknwrd.dll
Dxccwrd.dll*

Download *WinPFind.exe* to your desktop and double click on it to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here.

Rescan with AVG Anti-Spyware and post the results of that scan.

Rescan with Panda and post the results of that scan.

Post a new HijackThis log after having done all of the above.


----------



## kim-smells (Oct 4, 2006)

Again, I was unable to find Dxccwrd.dll, yet I found Dxcuknwrd.dll.

Dxcuknwrd.dll was deleted. 

When I clicked on the link you gave me, a folder was not created on my desktop, only the file itself. On my desktop was "winpfind.exe". When I double-clicked on it, WinPFind.exe did not contain the instructions that you told me to do...
It contained things such as:
"ZipCentral Self Extracting Archive (Freeware)" for the title, 
a list of many different winpfind files
and
the buttons on the right hand side had "Extract", "Close" and "About"

I'm not sure what to do now.
Thank you for your patience.


----------



## Cookiegal (Aug 27, 2003)

You did not extract the files. Double click on the winpfind.exe and select "extract". This will create the Winpfind folder.


----------



## kim-smells (Oct 4, 2006)

Oh, I see now... sorry about that. Logs are still to come.


----------



## kim-smells (Oct 4, 2006)

I encountered another problem with WinPFind.exe.

The scan would take hours and would not complete... Could you please give me an approximation of when the scan should finish? Also, is there any indication of when the scan would finish?

Thanks.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## kim-smells (Oct 4, 2006)

Here's the HijackThis log as requested:

Logfile of HijackThis v1.99.1
Scan saved at 4:30:54 PM, on 26/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\Program Files\?asks\??plorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {153BC013-57D0-0627-DEDB-72B59BC5DECA} - C:\WINDOWS\system32\gaaexmd.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## kim-smells (Oct 4, 2006)

Another problem: my computer would also restart suddenly. This has happened a few times today.

A message comes up when the computer restarts, saying:
"The system has recovered from a serious error."

and "Please tell Microsoft about this problem", etc.

Just wanted to tell you about that.


----------



## Cookiegal (Aug 27, 2003)

Go *here* and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop, then come back here and *attach* it to your next reply along with a new HijackThis log.

*Note:* You have to use Internet Explorer to do the online scan.


----------



## kim-smells (Oct 4, 2006)

Here's the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:24:06 AM, on 29/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\?asks\??plorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE

The BitDefender log is attached.


----------



## Cookiegal (Aug 27, 2003)

It's difficult to read that log. Please try to post it again. You can zip it up, if necessary.


----------



## kim-smells (Oct 4, 2006)

Here it is again...


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and fix these entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R3 - URLSearchHook: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll

O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll

O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c

O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt ndrv

O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe

O20 - AppInit_DLLs:

O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll*

Boot to safe mode and run Killbox on these files:

*C:\WINDOWS\system32\ryafcwu.dll
C:\WINDOWS\system32\kbddir.dll
C:\WINDOWS\system32\w14f981c.dll,
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\WINDOWS\system32\FNTS~1
C:\Program Files\?asks\??plorer.exe
C:\Program Files\?asks*

Reboot and post a new HijackThis log please.


----------



## kim-smells (Oct 4, 2006)

Some of the entries were not found. I TOTALLY FORGOT to post a log containing them before I closed the window. SORRY!! I think there were around 4 that I didn't find. I have one that I didn't find, though:

O20 - AppInit_DLLs: 

HijackThis log still to come.


----------



## kim-smells (Oct 4, 2006)

Most of the files "did not exist". These include:

C:\WINDOWS\system32\ryafcwu.dll
C:\WINDOWS\system32\w14f981c.dll,
C:\WINDOWS\system32\FNTS~1\notepad.exe
C:\Program Files\?asks\??plorer.exe
C:\Program Files\?asks

One file could not delete:
C:\WINDOWS\system32\kbddir.dll

Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:21:14 PM, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------
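The fix list Cookiegal posted and the 31/10 log that followed it show why a HijackThis-and-Killbox cleanup does not hold against this kind of infection: the unnamed BHO and URLSearchHook came back under a new CLSID and file name (ryafcwu.dll became ddbkt.dll), the two HKCU Run entries moved to new look-alike directories (?asks and FNTS~1 became ?icrosoft and RACLE~1), and kbddir.dll, which Winlogon loads into winlogon.exe through the Notify key, could not be deleted at all. The script below is an added example written for this edit; it is not part of HijackThis, ComboFix, Killbox or anything the posters ran. It parses HijackThis entry lines, flags the same traits Cookiegal picked out by eye, and compares the two logs to separate entries that were actually removed from ones that merely changed name. The sample entries are copied from the logs posted above; the heuristics, the hijack-domain set and the known-good Winlogon Notify list are assumptions made for illustration, not vendor data.

```python
"""Triage helpers for HijackThis v1.99 log lines.

Added example for this thread; it is not part of HijackThis, ComboFix, Killbox
or any poster's tooling. The sample entries are copied from the two logs posted
above (29/10 and 31/10). Every heuristic, the hijack-domain set and the
known-good Winlogon Notify list are the editor's assumptions, not vendor data.
"""
import re

# Assumption: taken from the R0/R1 lines in the 29/10 log.
HIJACK_DOMAINS = {"searchbar.findthewebsiteyouneed.com"}

# Assumption: Notify packages normally present on XP SP2 plus a few vendor ones.
# Anything else deserves a look: these DLLs load into winlogon.exe (SYSTEM) at
# every logon and cannot be deleted from a normal session while it holds them.
KNOWN_GOOD_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                     "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
                     "igfxcui", "NavLogon"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'RUNDLL32(?:\.EXE)?\s+"?([^\s,"]+)\s*,', re.IGNORECASE)
# An 8.3 short-named directory directly under %WINDIR% or system32 (FNTS~1, RACLE~1).
SHORTDIR_RE = re.compile(r"C:\\WINDOWS\\(?:system32\\)?[A-Z0-9]{1,6}~\d\\", re.IGNORECASE)
PATH_KINDS = {"R3", "O2", "O4", "O20", "O23"}  # bodies that hold file paths, not URLs

# Constructed samples: a subset of the entries from the two posted logs.
BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {A560484B-898D-D077-8BDB-A2289255639A} - C:\WINDOWS\system32\ryafcwu.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [fws02a49] RUNDLL32.EXE w14f981c.dll,n 00602a430000000a14f981c
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\system32\FNTS~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Flaaoffo] C:\Program Files\?asks\??plorer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
"""


def parse(log_text):
    """Yield (kind, body) for every HijackThis entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def reasons_for(kind, body):
    """Return the heuristic hits for one entry (an empty list when nothing looks off)."""
    reasons = []
    if kind in ("R0", "R1") and any(d in body for d in HIJACK_DOMAINS):
        reasons.append("search settings point at a known hijack domain")
    if kind in ("R3", "O2") and "(no name)" in body and "system32" in body.lower():
        reasons.append("unnamed browser hook loading a DLL from system32")
    if kind in PATH_KINDS and "?" in body:
        # '?' is illegal in Windows file names, so HijackThis is substituting it
        # for a character it cannot render: a look-alike directory such as ?asks.
        reasons.append("path contains characters HijackThis cannot display")
    if kind == "O4":
        m = RUNDLL_RE.search(body)
        if m and "\\" not in m.group(1):
            reasons.append("rundll32 loading a bare DLL name resolved via the search path")
        if SHORTDIR_RE.search(body):
            reasons.append("executable launched from an 8.3-named directory inside %WINDIR%")
    if kind == "O20":
        label, _, rest = body.partition(":")
        if label == "Winlogon Notify" and rest.split(" - ")[0].strip() not in KNOWN_GOOD_NOTIFY:
            reasons.append("Winlogon Notify package not in the known-good list")
        if label == "AppInit_DLLs" and rest.strip():
            reasons.append("AppInit_DLLs is set; every process that maps user32.dll loads it")
    return reasons


def triage(log_text):
    """Return [(kind, body, reasons)] for the entries that hit at least one heuristic."""
    flagged = []
    for kind, body in parse(log_text):
        reasons = reasons_for(kind, body)
        if reasons:
            flagged.append((kind, body, tuple(reasons)))
    return flagged


def compare(before_text, after_text):
    """Bucket flagged entries across two logs. 'renamed' is the tell-tale bucket:
    the same kind of persistence hit, but under a different file name or CLSID."""
    before, after = triage(before_text), triage(after_text)
    before_sigs = {(k, r) for k, _, r in before}
    after_sigs = {(k, r) for k, _, r in after}
    before_bodies = {b for _, b, _ in before}
    result = {"unchanged": [], "renamed": [], "new": [], "gone": []}
    for k, b, r in after:
        if b in before_bodies:
            result["unchanged"].append((k, b))
        elif (k, r) in before_sigs:
            result["renamed"].append((k, b))
        else:
            result["new"].append((k, b))
    for k, b, r in before:
        if (k, r) not in after_sigs:
            result["gone"].append((k, b))
    return result


if __name__ == "__main__":
    for bucket, entries in compare(BEFORE, AFTER).items():
        for kind, body in entries:
            print(f"{bucket:9} {kind:3} {body}")
```

Run stand-alone, it prints the four buckets for the two sample logs. Only the search hijack and the rundll32 entry land in "gone"; the unnamed BHO/URLSearchHook pair and both HKCU Run entries land in "renamed", and both kbddir.dll entries are "unchanged". That pattern, visible components regenerating under new names while a Winlogon Notify DLL stays put, points at a hidden component recreating them, and it is consistent with the pe386 rootkit warning the later ComboFix run prints. The known-good Notify list is deliberately short; treat it as a starting point to tune against a clean reference machine, not as a whitelist.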



## Cookiegal (Aug 27, 2003)

Please run a new log from Combofix. If you need the instructions, I'll repost them here. Remove the one you have and redownload it to be sure to get the latest version.

Download *Combofix* to your desktop.

Double-click *combo.exe* and follow the prompts.

*Do NOT click on the window while the fix is running because that will cause your system to hang.*

When finished and after reboot, it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.


----------



## kim-smells (Oct 4, 2006)

Here's the combofix.txt:

Thao Nguyen - Wed 01/11/2006 16:48:19.71 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Thao Nguyen\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\teller2.chk
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\Cowabanga
C:\Program Files\Common Files\{300B21EE-0BC6-1033-1123-04040924003d}
C:\Program Files\Common Files\{600B21EE-0BC6-1033-1123-04040924003d}

((((((((((((((((((((((((((((((( Files Created from 2001-10-06 to 2001/11/2006 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

*Rootkit driver pe386 is present. A rootkit scan is required*

2014/08/2006 09:34 PM	332928	--a------	C:\WINDOWS\system32\drivers\srv.sys
2014/06/2006 08:00 PM	82944	--a------	C:\WINDOWS\system32\drivers\wdmaud.sys
2014/06/2006 07:47 PM	6400	--a------	C:\WINDOWS\system32\drivers\splitter.sys
2014/06/2006 07:47 PM	172416	--a------	C:\WINDOWS\system32\drivers\kmixer.sys
2013/07/2006 07:48 PM	202240	--a------	C:\WINDOWS\system32\drivers\rmcast.sys
2011/07/2002 02:39 AM	32256	-ra------	C:\WINDOWS\system32\drivers\sisnic.sys
2011/06/2004 01:57 AM	746496	--a------	C:\WINDOWS\system32\drivers\ati2mtag.sys
2010/06/2005 03:09 PM	139528	--a------	C:\WINDOWS\system32\drivers\rdpwd.sys
2009/10/2003 03:46 PM	44544	-ra------	C:\WINDOWS\system32\drivers\SiSRaid.sys
2009/06/2004 09:13 AM	3968	--a------	C:\WINDOWS\system32\drivers\ElbyDelay.sys
2007/05/2004 03:59 PM	36992	-ra------	C:\WINDOWS\system32\drivers\SISAGPX.SYS
2006/09/2006 03:03 AM	3968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2005/05/2006 08:47 PM	174592	--a------	C:\WINDOWS\system32\drivers\rdbss.sys
2005/05/2006 08:41 PM	453120	--a------	C:\WINDOWS\system32\drivers\mrxsmb.sys
2004/11/2005 04:51 PM	12400	--a------	C:\WINDOWS\system32\drivers\secdrv.sys
2004/08/2004 12:15 AM	64896	--a------	C:\WINDOWS\system32\drivers\serial.sys
2004/08/2004 12:15 AM	60800	--a------	C:\WINDOWS\system32\drivers\sysaudio.sys
2004/08/2004 12:15 AM	574592	--a------	C:\WINDOWS\system32\drivers\ntfs.sys
2004/08/2004 12:15 AM	145792	--a------	C:\WINDOWS\system32\drivers\portcls.sys
2004/08/2004 12:15 AM	140928	--a------	C:\WINDOWS\system32\drivers\ks.sys
2004/08/2004 12:15 AM	107904	--a------	C:\WINDOWS\system32\drivers\mup.sys
2004/08/2004 12:14 AM	91776	--a------	C:\WINDOWS\system32\drivers\ndiswan.sys
2004/08/2004 12:14 AM	74752	--a------	C:\WINDOWS\system32\drivers\ipsec.sys
2004/08/2004 12:14 AM	63744	--a------	C:\WINDOWS\system32\drivers\cdfs.sys
2004/08/2004 12:14 AM	52736	--a------	C:\WINDOWS\system32\drivers\i8042prt.sys
2004/08/2004 12:14 AM	51328	--a------	C:\WINDOWS\system32\drivers\rasl2tp.sys
2004/08/2004 12:14 AM	49664	--a------	C:\WINDOWS\system32\drivers\classpnp.sys
2004/08/2004 12:14 AM	48384	--a------	C:\WINDOWS\system32\drivers\raspptp.sys
2004/08/2004 12:14 AM	182912	--a------	C:\WINDOWS\system32\drivers\ndis.sys
2004/08/2004 12:14 AM	162816	--a------	C:\WINDOWS\system32\drivers\netbt.sys
2004/08/2004 12:14 AM	143360	--a------	C:\WINDOWS\system32\drivers\fastfat.sys
2004/08/2004 12:14 AM	138496	--a------	C:\WINDOWS\system32\drivers\afd.sys
2004/08/2004 12:10 AM	85376	--a------	C:\WINDOWS\system32\drivers\nabtsfec.sys
2004/08/2004 12:10 AM	78464	--a------	C:\WINDOWS\system32\drivers\usbvideo.sys
2004/08/2004 12:10 AM	59648	--a------	C:\WINDOWS\system32\drivers\rfcomm.sys
2004/08/2004 12:10 AM	51328	--a------	C:\WINDOWS\system32\drivers\msdv.sys
2004/08/2004 12:10 AM	38016	--a------	C:\WINDOWS\system32\drivers\bthmodem.sys
2004/08/2004 12:10 AM	35456	--a------	C:\WINDOWS\system32\drivers\bthprint.sys
2004/08/2004 12:10 AM	274304	--a------	C:\WINDOWS\system32\drivers\bthport.sys
2004/08/2004 12:10 AM	25600	--a------	C:\WINDOWS\system32\drivers\hidbth.sys
2004/08/2004 12:10 AM	19328	--a------	C:\WINDOWS\system32\drivers\wstcodec.sys
2004/08/2004 12:10 AM	18944	--a------	C:\WINDOWS\system32\drivers\bthusb.sys
2004/08/2004 12:10 AM	17024	--a------	C:\WINDOWS\system32\drivers\ccdecode.sys
2004/08/2004 12:10 AM	17024	--a------	C:\WINDOWS\system32\drivers\bthenum.sys
2004/08/2004 12:10 AM	15360	--a------	C:\WINDOWS\system32\drivers\streamip.sys
2004/08/2004 12:10 AM	15360	--a------	C:\WINDOWS\system32\drivers\mpe.sys
2004/08/2004 12:10 AM	11776	--a------	C:\WINDOWS\system32\drivers\bdasup.sys
2004/08/2004 12:10 AM	11136	--a------	C:\WINDOWS\system32\drivers\slip.sys
2004/08/2004 12:10 AM	10880	--a------	C:\WINDOWS\system32\drivers\ndisip.sys
2004/08/2004 12:09 AM	25472	--a------	C:\WINDOWS\system32\drivers\sonydcam.sys
2004/08/2004 12:08 AM	60288	--a------	C:\WINDOWS\system32\drivers\drmk.sys
2004/08/2004 12:08 AM	57600	--a------	C:\WINDOWS\system32\drivers\usbhub.sys
2004/08/2004 12:08 AM	48640	--a------	C:\WINDOWS\system32\drivers\stream.sys
2004/08/2004 12:08 AM	40832	--a------	C:\WINDOWS\system32\drivers\irbus.sys
2004/08/2004 12:08 AM	36224	--a------	C:\WINDOWS\system32\drivers\hidclass.sys
2004/08/2004 12:08 AM	30080	--a------	C:\WINDOWS\system32\drivers\modem.sys
2004/08/2004 12:08 AM	26624	--a------	C:\WINDOWS\system32\drivers\usbehci.sys
2004/08/2004 12:08 AM	26496	--a------	C:\WINDOWS\system32\drivers\USBSTOR.SYS
2004/08/2004 12:08 AM	24960	--a------	C:\WINDOWS\system32\drivers\hidparse.sys
2004/08/2004 12:08 AM	17024	--a------	C:\WINDOWS\system32\drivers\usbohci.sys
2004/08/2004 12:08 AM	16000	--a------	C:\WINDOWS\system32\drivers\usbintel.sys
2004/08/2004 12:08 AM	15104	--a------	C:\WINDOWS\system32\drivers\hidir.sys
2004/08/2004 12:08 AM	142976	--a------	C:\WINDOWS\system32\drivers\usbport.sys
2004/08/2004 12:07 AM	799744	--a------	C:\WINDOWS\system32\drivers\dmboot.sys
2004/08/2004 12:07 AM	79744	--a------	C:\WINDOWS\system32\drivers\videoprt.sys
2004/08/2004 12:07 AM	68224	--a------	C:\WINDOWS\system32\drivers\pci.sys
2004/08/2004 12:07 AM	67584	--a------	C:\WINDOWS\system32\drivers\sdbus.sys
2004/08/2004 12:07 AM	63744	--a------	C:\WINDOWS\system32\drivers\mf.sys
2004/08/2004 12:07 AM	6016	--a------	C:\WINDOWS\system32\drivers\smbali.sys
2004/08/2004 12:07 AM	52864	--a------	C:\WINDOWS\system32\drivers\dmusic.sys
2004/08/2004 12:07 AM	46464	--a------	C:\WINDOWS\system32\drivers\gagp30kx.sys
2004/08/2004 12:07 AM	44928	--a------	C:\WINDOWS\system32\drivers\agpcpq.sys
2004/08/2004 12:07 AM	44672	--a------	C:\WINDOWS\system32\drivers\uagp35.sys
2004/08/2004 12:07 AM	43008	--a------	C:\WINDOWS\system32\drivers\amdagp.sys
2004/08/2004 12:07 AM	42752	--a------	C:\WINDOWS\system32\drivers\alim1541.sys
2004/08/2004 12:07 AM	42368	--a------	C:\WINDOWS\system32\drivers\agp440.sys
2004/08/2004 12:07 AM	42240	--a------	C:\WINDOWS\system32\drivers\viaagp.sys
2004/08/2004 12:07 AM	41088	--a------	C:\WINDOWS\system32\drivers\sisagp.sys
2004/08/2004 12:07 AM	2944	--a------	C:\WINDOWS\system32\drivers\drmkaud.sys
2004/08/2004 12:07 AM	20992	--a------	C:\WINDOWS\system32\drivers\vga.sys
2004/08/2004 12:07 AM	187776	--a------	C:\WINDOWS\system32\drivers\acpi.sys
2004/08/2004 12:07 AM	18560	--a------	C:\WINDOWS\system32\drivers\tdi.sys
2004/08/2004 12:07 AM	15488	--a------	C:\WINDOWS\system32\drivers\mssmbios.sys
2004/08/2004 12:07 AM	153344	--a------	C:\WINDOWS\system32\drivers\dmio.sys
2004/08/2004 12:07 AM	119936	--a------	C:\WINDOWS\system32\drivers\pcmcia.sys
2004/08/2004 12:06 AM	73472	--a------	C:\WINDOWS\system32\drivers\sr.sys
2004/08/2004 12:05 AM	41472	--a------	C:\WINDOWS\system32\drivers\raspppoe.sys
2004/08/2004 12:05 AM	14336	--a------	C:\WINDOWS\system32\drivers\asyncmac.sys
2004/08/2004 12:04 AM	69120	--a------	C:\WINDOWS\system32\drivers\psched.sys
2004/08/2004 12:04 AM	35072	--a------	C:\WINDOWS\system32\drivers\msgpc.sys
2004/08/2004 12:04 AM	34560	--a------	C:\WINDOWS\system32\drivers\wanarp.sys
2004/08/2004 12:04 AM	30080	--a------	C:\WINDOWS\system32\drivers\rndismpx.sys
2004/08/2004 12:04 AM	30080	--a------	C:\WINDOWS\system32\drivers\rndismp.sys
2004/08/2004 12:04 AM	20992	--a------	C:\WINDOWS\system32\drivers\ipinip.sys
2004/08/2004 12:04 AM	13568	--a------	C:\WINDOWS\system32\drivers\wacompen.sys
2004/08/2004 12:04 AM	12672	--a------	C:\WINDOWS\system32\drivers\usb8023x.sys
2004/08/2004 12:04 AM	12672	--a------	C:\WINDOWS\system32\drivers\usb8023.sys
2004/08/2004 12:04 AM	12672	--a------	C:\WINDOWS\system32\drivers\mutohpen.sys
2004/08/2004 12:03 AM	88448	--a------	C:\WINDOWS\system32\drivers\nwlnkipx.sys
2004/08/2004 12:03 AM	34560	--a------	C:\WINDOWS\system32\drivers\netbios.sys
2004/08/2004 12:03 AM	12928	--a------	C:\WINDOWS\system32\drivers\ndisuio.sys
2004/08/2004 12:03 AM	12416	--a------	C:\WINDOWS\system32\drivers\tunmp.sys
2004/08/2004 12:02 AM	163584	--a------	C:\WINDOWS\system32\drivers\nwrdr.sys
2004/08/2004 12:01 AM	196864	--a------	C:\WINDOWS\system32\drivers\rdpdr.sys
2004/08/2004 12:00 AM	71040	--a------	C:\WINDOWS\system32\drivers\dxg.sys
2004/08/2004 12:00 AM	66176	--a------	C:\WINDOWS\system32\drivers\udfs.sys
2004/08/2004 12:00 AM	52352	--a------	C:\WINDOWS\system32\drivers\volsnap.sys
2004/08/2004 12:00 AM	41856	--a------	C:\WINDOWS\system32\drivers\imapi.sys
2004/08/2004 12:00 AM	30848	--a------	C:\WINDOWS\system32\drivers\npfs.sys
2004/08/2004 12:00 AM	29056	--a------	C:\WINDOWS\system32\drivers\ip6fw.sys
2004/08/2004 12:00 AM	19072	--a------	C:\WINDOWS\system32\drivers\msfs.sys
2004/08/2004 12:00 AM	181248	--a------	C:\WINDOWS\system32\drivers\mrxdav.sys
2004/08/2004 12:00 AM	14976	--a------	C:\WINDOWS\system32\drivers\tape.sys
2004/08/2004 12:00 AM	11264	--a------	C:\WINDOWS\system32\drivers\irenum.sys
2004/08/2004 02:01 AM	40840	--a------	C:\WINDOWS\system32\drivers\termdd.sys
2004/08/2004 02:01 AM	21896	--a------	C:\WINDOWS\system32\drivers\tdtcp.sys
2004/08/2004 02:01 AM	12040	--a------	C:\WINDOWS\system32\drivers\tdpipe.sys
2003/08/2004 12:09 AM	635281	--a------	C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2003/08/2004 11:59 PM	96256	--a------	C:\WINDOWS\system32\drivers\scsiport.sys
2003/08/2004 11:59 PM	95360	--a------	C:\WINDOWS\system32\drivers\atapi.sys
2003/08/2004 11:59 PM	92032	--a------	C:\WINDOWS\system32\drivers\ksecdd.sys
2003/08/2004 11:59 PM	80128	--a------	C:\WINDOWS\system32\drivers\parport.sys
2003/08/2004 11:59 PM	71552	--a------	C:\WINDOWS\system32\drivers\bridge.sys
2003/08/2004 11:59 PM	57472	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2003/08/2004 11:59 PM	49536	--a------	C:\WINDOWS\system32\drivers\cdrom.sys
2003/08/2004 11:59 PM	42496	--a------	C:\WINDOWS\system32\drivers\p3.sys
2003/08/2004 11:59 PM	40320	--a------	C:\WINDOWS\system32\drivers\nmnt.sys
2003/08/2004 11:59 PM	37376	--a------	C:\WINDOWS\system32\drivers\amdk7.sys
2003/08/2004 11:59 PM	36992	--a------	C:\WINDOWS\system32\drivers\amdk6.sys
2003/08/2004 11:59 PM	36480	--a------	C:\WINDOWS\system32\drivers\crusoe.sys
2003/08/2004 11:59 PM	36352	--a------	C:\WINDOWS\system32\drivers\disk.sys
2003/08/2004 11:59 PM	36096	--a------	C:\WINDOWS\system32\drivers\intelppm.sys
2003/08/2004 11:59 PM	35328	--a------	C:\WINDOWS\system32\drivers\processr.sys
2003/08/2004 11:59 PM	27392	--a------	C:\WINDOWS\system32\drivers\fdc.sys
2003/08/2004 11:59 PM	25088	--a------	C:\WINDOWS\system32\drivers\pciidex.sys
2003/08/2004 11:59 PM	20480	--a------	C:\WINDOWS\system32\drivers\flpydisk.sys
2003/08/2004 11:59 PM	15488	--a------	C:\WINDOWS\system32\drivers\serenum.sys
2003/08/2004 11:59 PM	14208	--a------	C:\WINDOWS\system32\drivers\diskdump.sys
2003/08/2004 11:59 PM	11392	--a------	C:\WINDOWS\system32\drivers\sfloppy.sys
2003/08/2004 11:59 PM	11136	--a------	C:\WINDOWS\system32\drivers\sffdisk.sys
2003/08/2004 11:59 PM	10240	--a------	C:\WINDOWS\system32\drivers\sffp_sd.sys
2003/08/2004 11:58 PM	7552	--a------	C:\WINDOWS\system32\drivers\mskssrv.sys
2003/08/2004 11:58 PM	72960	--a------	C:\WINDOWS\system32\drivers\mqac.sys
2003/08/2004 11:58 PM	61824	--a------	C:\WINDOWS\system32\drivers\nic1394.sys
2003/08/2004 11:58 PM	60800	--a------	C:\WINDOWS\system32\drivers\arp1394.sys
2003/08/2004 11:58 PM	59904	--a------	C:\WINDOWS\system32\drivers\atmarpc.sys
2003/08/2004 11:58 PM	55936	--a------	C:\WINDOWS\system32\drivers\atmlane.sys
2003/08/2004 11:58 PM	5504	--a------	C:\WINDOWS\system32\drivers\mstee.sys
2003/08/2004 11:58 PM	5376	--a------	C:\WINDOWS\system32\drivers\mspclock.sys
2003/08/2004 11:58 PM	4992	--a------	C:\WINDOWS\system32\drivers\mspqm.sys
2003/08/2004 11:58 PM	4352	--a------	C:\WINDOWS\system32\drivers\swenum.sys
2003/08/2004 11:58 PM	42240	--a------	C:\WINDOWS\system32\drivers\mountmgr.sys
2003/08/2004 11:58 PM	24576	--a------	C:\WINDOWS\system32\drivers\kbdclass.sys
2003/08/2004 11:58 PM	23040	--a------	C:\WINDOWS\system32\drivers\mouclass.sys
2003/08/2004 11:58 PM	209408	--a------	C:\WINDOWS\system32\drivers\update.sys
2003/08/2004 11:58 PM	15104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2003/08/2004 11:58 PM	100992	--a------	C:\WINDOWS\system32\drivers\bthpan.sys
2003/08/2004 11:41 PM	95424	--a------	C:\WINDOWS\system32\drivers\slnthal.sys
2003/08/2004 11:41 PM	685056	--a------	C:\WINDOWS\system32\drivers\hsfcxts2.sys
2003/08/2004 11:41 PM	404990	--a------	C:\WINDOWS\system32\drivers\slntamr.sys
2003/08/2004 11:41 PM	220032	--a------	C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2003/08/2004 11:41 PM	180360	--a------	C:\WINDOWS\system32\drivers\ntmtlfax.sys
2003/08/2004 11:41 PM	13776	--a------	C:\WINDOWS\system32\drivers\recagent.sys
2003/08/2004 11:41 PM	13240	--a------	C:\WINDOWS\system32\drivers\slwdmsup.sys
2003/08/2004 11:41 PM	1309184	--a------	C:\WINDOWS\system32\drivers\mtlstrm.sys
2003/08/2004 11:41 PM	129535	--a------	C:\WINDOWS\system32\drivers\slnt7554.sys
2003/08/2004 11:41 PM	126686	--a------	C:\WINDOWS\system32\drivers\mtlmnt5.sys
2003/08/2004 11:41 PM	11868	--a------	C:\WINDOWS\system32\drivers\mdmxsdk.sys
2003/08/2004 11:41 PM	1041536	--a------	C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2003/08/2004 11:29 PM	73216	--a------	C:\WINDOWS\system32\drivers\atintuxx.sys
2003/08/2004 11:29 PM	63663	--a------	C:\WINDOWS\system32\drivers\ati1rvxx.sys
2003/08/2004 11:29 PM	63488	--a------	C:\WINDOWS\system32\drivers\atinxsxx.sys
2003/08/2004 11:29 PM	57856	--a------	C:\WINDOWS\system32\drivers\atinbtxx.sys
2003/08/2004 11:29 PM	56623	--a------	C:\WINDOWS\system32\drivers\ati1btxx.sys
2003/08/2004 11:29 PM	52224	--a------	C:\WINDOWS\system32\drivers\atinraxx.sys
2003/08/2004 11:29 PM	452736	--a------	C:\WINDOWS\system32\drivers\mtxparhm.sys
2003/08/2004 11:29 PM	36463	--a------	C:\WINDOWS\system32\drivers\ati1tuxx.sys
2003/08/2004 11:29 PM	34735	--a------	C:\WINDOWS\system32\drivers\ati1xsxx.sys
2003/08/2004 11:29 PM	327040	--a------	C:\WINDOWS\system32\drivers\ati2mtaa.sys
2003/08/2004 11:29 PM	31744	--a------	C:\WINDOWS\system32\drivers\atinxbxx.sys
2003/08/2004 11:29 PM	30671	--a------	C:\WINDOWS\system32\drivers\ati1raxx.sys
2003/08/2004 11:29 PM	29455	--a------	C:\WINDOWS\system32\drivers\ati1xbxx.sys
2003/08/2004 11:29 PM	28672	--a------	C:\WINDOWS\system32\drivers\atinsnxx.sys
2003/08/2004 11:29 PM	26367	--a------	C:\WINDOWS\system32\drivers\ati1snxx.sys
2003/08/2004 11:29 PM	25471	--a------	C:\WINDOWS\system32\drivers\watv10nt.sys
2003/08/2004 11:29 PM	22271	--a------	C:\WINDOWS\system32\drivers\watv06nt.sys
2003/08/2004 11:29 PM	21343	--a------	C:\WINDOWS\system32\drivers\ati1ttxx.sys
2003/08/2004 11:29 PM	1897408	--a------	C:\WINDOWS\system32\drivers\nv4_mini.sys
2003/08/2004 11:29 PM	166912	--a------	C:\WINDOWS\system32\drivers\s3gnbm.sys
2003/08/2004 11:29 PM	14336	--a------	C:\WINDOWS\system32\drivers\atinpdxx.sys
2003/08/2004 11:29 PM	13824	--a------	C:\WINDOWS\system32\drivers\atinttxx.sys
2003/08/2004 11:29 PM	13824	--a------	C:\WINDOWS\system32\drivers\atinmdxx.sys
2003/08/2004 11:29 PM	12047	--a------	C:\WINDOWS\system32\drivers\ati1pdxx.sys
2003/08/2004 11:29 PM	11935	--a------	C:\WINDOWS\system32\drivers\wadv11nt.sys
2003/08/2004 11:29 PM	11871	--a------	C:\WINDOWS\system32\drivers\wadv09nt.sys
2003/08/2004 11:29 PM	11807	--a------	C:\WINDOWS\system32\drivers\wadv07nt.sys
2003/08/2004 11:29 PM	11615	--a------	C:\WINDOWS\system32\drivers\ati1mdxx.sys
2003/08/2004 11:29 PM	11295	--a------	C:\WINDOWS\system32\drivers\wadv08nt.sys
2003/08/2004 11:29 PM	104960	--a------	C:\WINDOWS\system32\drivers\atinrvxx.sys
2003/03/2004 10:30 PM	5504	--a------	C:\WINDOWS\system32\drivers\imagedrv.sys
2003/03/2004 10:30 PM	125184	--a------	C:\WINDOWS\system32\drivers\imagesrv.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"taskdir"="C:\\WINDOWS\\system32\\taskdir.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Edtm"="\"C:\\WINDOWS\\RACLE~1\\dexplore.exe\" -vt ndrv"
"Dtwo"="C:\\Program Files\\?icrosoft\\?vchost.exe"
"UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"SMSERIAL"="sm56hlpr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"BigPond Toolbar"="\"C:\\Program Files\\Telstra\\Toolbar\\bpumTray.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"KAVPersonal50"="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"
"adir"="C:\\WINDOWS\\system32\\adirss.exe"
"UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="7db39a0d-580f-4be9-9195-8bfcd226f6c2"
"SubscribedURL"="C:\\Program Files\\Formosoft\\Aqua Real\\AquaReal.ocx"
"FriendlyName"="Aqua Real"
"Flags"=dword:00004003
"Position"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,00,04,00,00,e1,02,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,01,00,00,00,00,04,00,00,e1,02,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbddir

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]	
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 01/11/2006 17:06:43.25 
C:\ComboFix.txt ... 01/11/2006 05:06 PM
C:\ComboFix2.txt ... 01/11/2006 04:34 PM
C:\ComboFix3.txt ... 04/10/2006 02:22 PM


----------



## kim-smells (Oct 4, 2006)

here's the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:09:53 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

You may be looking at a reformat, which may be the best way to go. The dates are all off in that scan, but it does indicate a rootkit is present, so let's address that and then take it from there.

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to desktop

Double-click the gmer.exe to run it and select the rootkit tab, press scan and, when it has finished, press save and copy the log back here please.


----------



## kim-smells (Oct 4, 2006)

Yea ok... I just don't want to lose all my files and all. I would do it, but that's just the problem. Most of my files are in D drive. If I put all my files in there and reformat my computer... would I lose all my files?

log soon to come.

Thanks


----------



## kim-smells (Oct 4, 2006)

here's the log:

GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-02 22:23:33
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateSection
SSDT \SystemRoot\System32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\System32\drivers\klif.sys ZwQueryInformationFile
SSDT \SystemRoot\System32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[284]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[285]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[286]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[287]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[288]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[289]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[290]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[291]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[292]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[293]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[294]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[295]
SSDT \SystemRoot\System32\drivers\klif.sys SSDT[296]

SYSENTER ? B09A1390

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + 256 804DC962 7 Bytes JMP B081CF28 \SystemRoot\System32\drivers\klif.sys
.text ntoskrnl.exe!Kei386EoiHelper + 1255 804DE710 3 Bytes 
.text tcpip.sys!IPTransmit + 4284 B0914CFA 6 Bytes 
.text tcpip.sys!IPTransmit + 10256 B091644E 6 Bytes 
.text tcpip.sys!ARPRcv + 20589 B091B4E0 6 Bytes 
.text wanarp.sys B4BA43FD 7 Bytes

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SOUNDMAN.EXE[160] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00FA083C 
.text C:\WINDOWS\SOUNDMAN.EXE[160] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00FA07B6 
.text C:\WINDOWS\SOUNDMAN.EXE[160] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00FA05E4 
.text C:\WINDOWS\SOUNDMAN.EXE[160] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00FA045D 
.text C:\WINDOWS\SOUNDMAN.EXE[160] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00FA0505 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[272] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003E083C 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[272] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 003E07B6 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[272] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 003E05E4 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[272] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003E045D 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[272] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003E0505 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[332] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 03FF083C 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[332] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 03FF07B6 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[332] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 03FF05E4 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[332] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 03FF045D 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[332] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 03FF0505 
.text C:\WINDOWS\system32\ctfmon.exe[428] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A0083C 
.text C:\WINDOWS\system32\ctfmon.exe[428] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A007B6 
.text C:\WINDOWS\system32\ctfmon.exe[428] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A005E4 
.text C:\WINDOWS\system32\ctfmon.exe[428] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A0045D 
.text C:\WINDOWS\system32\ctfmon.exe[428] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A00505 
.text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0112083C 
.text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011207B6 
.text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011205E4 
.text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0112045D 
.text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01120505 
.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00CC083C 
.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00CC07B6 
.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00CC05E4 
.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00CC045D 
.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00CC0505 
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D2083C 
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D207B6 
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D205E4 
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D2045D 
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D20505 
.text C:\WINDOWS\system32\lsass.exe[636] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00E9083C 
.text C:\WINDOWS\system32\lsass.exe[636] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E907B6 
.text C:\WINDOWS\system32\lsass.exe[636] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E905E4 
.text C:\WINDOWS\system32\lsass.exe[636] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E9045D 
.text C:\WINDOWS\system32\lsass.exe[636] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E90505 
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00C3083C 
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00C307B6 
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00C305E4 
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00C3045D 
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00C30505 
.text C:\WINDOWS\system32\svchost.exe[796] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0080083C 
.text C:\WINDOWS\system32\svchost.exe[796] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008007B6 
.text C:\WINDOWS\system32\svchost.exe[796] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008005E4 
.text C:\WINDOWS\system32\svchost.exe[796] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0080045D 
.text C:\WINDOWS\system32\svchost.exe[796] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00800505 
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0093083C 
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009307B6 
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009305E4 
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0093045D 
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00930505 
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 039D083C 
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 039D07B6 
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 039D05E4 
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 039D045D 
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 039D0505 
.text C:\WINDOWS\system32\adirss.exe[1044] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00FC083C 
.text C:\WINDOWS\system32\adirss.exe[1044] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00FC07B6 
.text C:\WINDOWS\system32\adirss.exe[1044] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00FC05E4 
.text C:\WINDOWS\system32\adirss.exe[1044] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00FC045D 
.text C:\WINDOWS\system32\adirss.exe[1044] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00FC0505 
.text C:\Program Files\QuickTime\qttask.exe[1084] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0094083C 
.text C:\Program Files\QuickTime\qttask.exe[1084] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009407B6 
.text C:\Program Files\QuickTime\qttask.exe[1084] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009405E4 
.text C:\Program Files\QuickTime\qttask.exe[1084] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0094045D 
.text C:\Program Files\QuickTime\qttask.exe[1084] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00940505 
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0095083C 
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009507B6 
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009505E4 
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0095045D 
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00950505 
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00DB083C 
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DB07B6 
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DB05E4 
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DB045D 
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DB0505 
.text C:\WINDOWS\system32\spoolsv.exe[1316] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00FA083C 
.text C:\WINDOWS\system32\spoolsv.exe[1316] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00FA07B6 
.text C:\WINDOWS\system32\spoolsv.exe[1316] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00FA05E4 
.text C:\WINDOWS\system32\spoolsv.exe[1316] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00FA045D 
.text C:\WINDOWS\system32\spoolsv.exe[1316] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00FA0505 
.text C:\Program Files\Messenger\msmsgs.exe[1372] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00D5083C 
.text C:\Program Files\Messenger\msmsgs.exe[1372] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D507B6 
.text C:\Program Files\Messenger\msmsgs.exe[1372] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D505E4 
.text C:\Program Files\Messenger\msmsgs.exe[1372] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D5045D 
.text C:\Program Files\Messenger\msmsgs.exe[1372] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D50505 
.text C:\WINDOWS\system32\ati2evxx.exe[1432] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00B4083C 
.text C:\WINDOWS\system32\ati2evxx.exe[1432] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00B407B6 
.text C:\WINDOWS\system32\ati2evxx.exe[1432] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00B405E4 
.text C:\WINDOWS\system32\ati2evxx.exe[1432] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00B4045D 
.text C:\WINDOWS\system32\ati2evxx.exe[1432] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00B40505 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1436] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 006C083C 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1436] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C07B6 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1436] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006C05E4 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1436] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006C045D 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1436] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006C0505 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1508] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0111083C 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1508] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011107B6 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1508] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011105E4 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1508] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0111045D 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1508] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01110505 
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A0083C 
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A007B6


----------



## kim-smells (Oct 4, 2006)

.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00A005E4 
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00A0045D 
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00A00505 
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008D083C 
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008D07B6 
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008D05E4 
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008D045D 
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008D0505 
.text C:\WINDOWS\system32\wdfmgr.exe[1756] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0085083C 
.text C:\WINDOWS\system32\wdfmgr.exe[1756] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008507B6 
.text C:\WINDOWS\system32\wdfmgr.exe[1756] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008505E4 
.text C:\WINDOWS\system32\wdfmgr.exe[1756] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0085045D 
.text C:\WINDOWS\system32\wdfmgr.exe[1756] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00850505 
.text C:\WINDOWS\sm56hlpr.exe[1892] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003E083C 
.text C:\WINDOWS\sm56hlpr.exe[1892] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 003E07B6 
.text C:\WINDOWS\sm56hlpr.exe[1892] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 003E05E4 
.text C:\WINDOWS\sm56hlpr.exe[1892] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 003E045D 
.text C:\WINDOWS\sm56hlpr.exe[1892] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 003E0505 
.text C:\WINDOWS\system32\NeroCheck.exe[1996] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0090083C 
.text C:\WINDOWS\system32\NeroCheck.exe[1996] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009007B6 
.text C:\WINDOWS\system32\NeroCheck.exe[1996] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009005E4 
.text C:\WINDOWS\system32\NeroCheck.exe[1996] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0090045D 
.text C:\WINDOWS\system32\NeroCheck.exe[1996] ntdll.dll!NtQuerySystemInformation  7C90E1AA 5 Bytes JMP 00900505 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2032] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00F3083C 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2032] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F307B6 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2032] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F305E4 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F3045D 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2032] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F30505 
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0159083C 
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 015907B6 
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 015905E4 
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0159045D 
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01590505 
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C 
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000807B6 
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000805E4 
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0008045D 
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00080505 
.text D:\gmer\gmer.exe[2088] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text D:\gmer\gmer.exe[2088] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text D:\gmer\gmer.exe[2088] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text D:\gmer\gmer.exe[2088] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text D:\gmer\gmer.exe[2088] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\svchost.exe[2104] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 006A083C 
.text C:\WINDOWS\system32\svchost.exe[2104] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006A07B6 
.text C:\WINDOWS\system32\svchost.exe[2104] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006A05E4 
.text C:\WINDOWS\system32\svchost.exe[2104] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006A045D 
.text C:\WINDOWS\system32\svchost.exe[2104] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006A0505 
.text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe[2360] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe[2360] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe[2360] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe[2360] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe[2360] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\notepad.exe[3064] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C 
.text C:\WINDOWS\system32\notepad.exe[3064] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000807B6 
.text C:\WINDOWS\system32\notepad.exe[3064] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000805E4 
.text C:\WINDOWS\system32\notepad.exe[3064] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0008045D 
.text C:\WINDOWS\system32\notepad.exe[3064] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00080505 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0007083C 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000707B6 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000705E4 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0007045D 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00070505 
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] WS2_32.dll!send 71AB428A 5 Bytes JMP 01794941 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] WS2_32.dll!recv 71AB615A 5 Bytes JMP 017948FF C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01794461 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] SHELL32.dll!Shell_NotifyIcon 7CA20C69 5 Bytes JMP 01791163 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\Winamp\winamp.exe[3276] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Winamp\winamp.exe[3276] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Winamp\winamp.exe[3276] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Winamp\winamp.exe[3276] ntdll.dll!NtQueryDirectoryFile  7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Winamp\winamp.exe[3276] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 02199B03 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!GetScrollInfo 77D517F8 7 Bytes JMP 02199A8B C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!ShowScrollBar 77D5F2CA 5 Bytes JMP 02199B87 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!GetScrollPos 77D5F6DC 5 Bytes JMP 02199AB3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!SetScrollPos 77D5F728 5 Bytes JMP 02199B2E C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!GetScrollRange 77D5F75F 5 Bytes JMP 02199AD8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!SetScrollRange 77D5F973 5 Bytes JMP 02199B59 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!EnableScrollBar 77D97BC5 7 Bytes JMP 02199A63 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[3920] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[3920] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[3920] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[3920] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[3920] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\adirss.exe (*** hidden *** ) 1044 
Process C:\WINDOWS\system32\taskdir.exe (*** hidden *** ) 1632 
Library C:\Program Files\ (*** hidden *** ) @ C:\Program Files\?icrosoft\?vchost.exe [2064] 0x00400000

---- Threads - GMER 1.0.12 ----

Thread 2072:1080 0008006C
Thread 2088:3980 0013006C
Thread 2296:2284 0013006C
Thread 2360:2396 0013006C
Thread 3064:4092 0008006C
Thread 3200:3204 0007006C
Thread 3276:3280 0013006C
Thread 3920:3612 0013006C

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!


----------
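The GMER dump above reduces to a handful of questions: which exports are hooked, does a loaded DLL own each trampoline (GMER names MsgPlusH.dll and gen_jumpex.dll for the Messenger and Winamp hooks, but names nothing at all for the five ntdll hooks), do the unowned targets look like one injected blob, and what did GMER mark hidden. The Python below is an added example written for this page, not GMER's code and not something the posters ran; it parses an excerpt of the log above (embedded as SAMPLE_LOG) and reports those points. Two interpretations in it are mine: the extra colon in `C:\WINDOWS\system32:lzx32.sys` is read as an NTFS alternate data stream attached to the system32 directory, and a `?` in a path is read as a character GMER could not print in the current code page.

```python
"""Triage a GMER log: user-mode hooks plus the objects GMER marked hidden.

Added example for this thread, not GMER's code and not anything the posters
ran. SAMPLE_LOG is an excerpt of the log posted above.
"""
import re
from collections import defaultdict

# .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner dll>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?))?\s*$"
)
HIDDEN_PROC_RE = re.compile(r"^Process\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
HIDDEN_LIB_RE = re.compile(r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<image>.+?)\s+\[(?P<pid>\d+)\]")
# A colon after the drive letter's own colon names an NTFS alternate data stream:
# "C:\WINDOWS\system32:lzx32.sys" is a stream attached to the system32 directory.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:")


def parse_gmer(text):
    """Return (list of hook dicts, dict of hidden processes/services/libraries)."""
    hooks = []
    hidden = {"processes": [], "services": [], "libraries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            h = m.groupdict()
            h["pid"], h["size"] = int(h["pid"]), int(h["size"])
            h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
            hooks.append(h)
        elif m := HIDDEN_PROC_RE.match(line):
            hidden["processes"].append((m["image"], int(m["pid"])))
        elif m := HIDDEN_SVC_RE.match(line):
            hidden["services"].append((m["path"], m["name"], bool(ADS_RE.match(m["path"]))))
        elif m := HIDDEN_LIB_RE.match(line):
            hidden["libraries"].append((m["path"], m["image"], int(m["pid"])))
    return hooks, hidden


def triage_hooks(hooks):
    """Per hooked export: affected PIDs, the DLL GMER named as owner (if any) and,
    for unowned hooks, whether every target sits at the same page offset, which is
    what one code blob mapped into each process at a different base looks like."""
    by_func = defaultdict(list)
    for h in hooks:
        by_func[f"{h['module']}!{h['func']}"].append(h)
    report = {}
    for name, hs in by_func.items():
        unowned = [h for h in hs if not h["owner"]]
        offsets = {h["target"] & 0xFFF for h in unowned}
        report[name] = {
            "pids": sorted({h["pid"] for h in hs}),
            "owners": sorted({h["owner"] for h in hs if h["owner"]}),
            "unowned": len(unowned),
            "same_page_offset": len(unowned) > 1 and len(offsets) == 1,
        }
    return report


def lookalike_images(hooks, hidden):
    """Paths in which GMER printed '?' for a character it could not render, e.g.
    '?icrosoft\\?vchost.exe' standing in for a look-alike of Microsoft\\svchost.exe."""
    images = {h["image"] for h in hooks} | {img for _, img, _ in hidden["libraries"]}
    return sorted(i for i in images if "?" in i)


SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DB07B6
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00A0083C
.text C:\WINDOWS\system32\taskdir.exe[1632] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00A007B6
.text C:\Program Files\?icrosoft\?vchost.exe[2064] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0159083C
.text C:\WINDOWS\explorer.exe[2072] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0007083C
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3200] WS2_32.dll!send 71AB428A 5 Bytes JMP 01794941 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\Winamp\winamp.exe[3276] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 02199B03 C:\Program Files\Winamp\Plugins\gen_jumpex.dll

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\adirss.exe (*** hidden *** ) 1044
Process C:\WINDOWS\system32\taskdir.exe (*** hidden *** ) 1632
Library C:\Program Files\ (*** hidden *** ) @ C:\Program Files\?icrosoft\?vchost.exe [2064] 0x00400000

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    hooks, hidden = parse_gmer(SAMPLE_LOG)
    for name, r in triage_hooks(hooks).items():
        owner = "UNOWNED, same offset in every process" if r["same_page_offset"] else (r["owners"] or "unowned")
        print(f"{name:30} pids={r['pids']} {owner}")
    print("hidden processes:", hidden["processes"])
    print("hidden services :", hidden["services"])
    print("look-alike paths:", lookalike_images(hooks, hidden))
```

Run against the full log, the report shows the same five ntdll exports (NtCreateThread, NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQuerySystemInformation) hooked in every process, each target ending in the same low bits (0x83C, 0x7B6, 0x5E4, 0x45D, 0x505) wherever it appears; the enumeration exports are exactly the ones a user-mode component hooks to filter files, registry keys and processes out of listings. taskdir.exe (PID 1632) carries those hooks and is itself on the hidden process list.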



## Cookiegal (Aug 27, 2003)

If you have partitioned your hard drive and redirected your documents to the D drive then you can reformat the C drive without affecting them. However, having said that, you should still back them up as things can go wrong.

But first, let's attack this rootkit.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Drivers to unload:
> lzx32
> 
> Files to unload:
> ...


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*)
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HijackThis log and a new GMER log. *


----------



## kim-smells (Oct 4, 2006)

here's the content of c:\avenger.txt
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\djbygycc

*******************

Script file located at: \??\C:\WINDOWS\hgmmsuhg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\lzx32 not found!
Unload of driver lzx32 failed!

Could not process line:
lzx32
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\Files to unload: not found!
Unload of driver Files to unload: failed!

Could not process line:
Files to unload:
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\lzx32.sys not found!
Unload of driver C:\WINDOWS\system32\lzx32.sys failed!

Could not process line:
C:\WINDOWS\system32\lzx32.sys
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\adirss.exe not found!
Unload of driver C:\WINDOWS\system32\adirss.exe failed!

Could not process line:
C:\WINDOWS\system32\adirss.exe
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\taskdir.exe not found!
Unload of driver C:\WINDOWS\system32\taskdir.exe failed!

Could not process line:
C:\WINDOWS\system32\taskdir.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


----------
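The Avenger log above shows that the script did nothing: every entry failed with status 0xc0000034, and the lines `Unload of driver Files to unload: failed!` and `Unload of driver C:\WINDOWS\system32\lzx32.sys failed!` show that Avenger did not recognise `Files to unload:` as a section header and went on reading the file paths after it as driver names. The Python below is an added example for this page, not Avenger's code; it parses the posted log (embedded as SAMPLE_LOG, trimmed to four entries) and classifies each failure. The NTSTATUS names are from the Windows SDK (only three codes are tabulated); the classification rules are my own.

```python
"""Explain the failures recorded in an Avenger v1 log.

Added example for this thread, not Avenger's code. NTSTATUS names are from the
Windows SDK (only a few codes are tabulated); the diagnosis rules are mine.
SAMPLE_LOG is the log posted above, trimmed to four entries.
"""
import re

NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}
KEY_RE = re.compile(r"^Registry key (?P<key>.+) not found!$")
STATUS_RE = re.compile(r"^Status:\s*(?P<code>0x[0-9A-Fa-f]+)$")


def diagnose(line):
    """Why a line processed under 'Drivers to unload:' could not name a service."""
    if line.endswith(":"):
        return "unrecognised section header: this line and everything after it were read as driver names"
    if "\\" in line:
        return "file path given where a service name was expected"
    return "service key absent under CurrentControlSet\\Services (hidden, already gone, or misnamed)"


def parse_avenger_log(text):
    """Return (context, entries): where Avenger ran from, and one dict per failure."""
    context, entries, last_key = {}, [], None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line == "Running from registry key:":
            context["service_key"] = lines[i + 1]
        elif line.startswith("Script file located at:"):
            context["script"] = line.split(":", 1)[1].strip()
        elif m := KEY_RE.match(line):
            last_key = m["key"]
        elif line == "Could not process line:":
            m = STATUS_RE.match(lines[i + 2])
            code = int(m["code"], 16) if m else None
            entries.append({
                "line": lines[i + 1],
                "key": last_key,
                "status": code,
                "status_name": NTSTATUS.get(code, "unknown NTSTATUS"),
                "diagnosis": diagnose(lines[i + 1]),
            })
            last_key = None
    return context, entries


def verdict(entries):
    """One line: did the script run as written, and if not, what to fix first."""
    headers = [e["line"] for e in entries if e["line"].endswith(":")]
    if headers:
        return f"script not applied as intended: header(s) {headers} not recognised; fix the script before re-running"
    return f"{len(entries)} item(s) failed" if entries else "no failures logged"


SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\djbygycc
Script file located at: \??\C:\WINDOWS\hgmmsuhg.txt
Script file opened successfully.
Registry key \Registry\Machine\System\CurrentControlSet\Services\lzx32 not found!
Unload of driver lzx32 failed!
Could not process line:
lzx32
Status: 0xc0000034
Registry key \Registry\Machine\System\CurrentControlSet\Services\Files to unload: not found!
Unload of driver Files to unload: failed!
Could not process line:
Files to unload:
Status: 0xc0000034
Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\lzx32.sys not found!
Unload of driver C:\WINDOWS\system32\lzx32.sys failed!
Could not process line:
C:\WINDOWS\system32\lzx32.sys
Status: 0xc0000034
Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\adirss.exe not found!
Unload of driver C:\WINDOWS\system32\adirss.exe failed!
Could not process line:
C:\WINDOWS\system32\adirss.exe
Status: 0xc0000034
Completed script processing.
"""

if __name__ == "__main__":
    ctx, entries = parse_avenger_log(SAMPLE_LOG)
    print("Avenger service key:", ctx["service_key"], "| script:", ctx["script"])
    for e in entries:
        print(f"{e['line']!r}: {e['status_name']} -> {e['diagnosis']}")
    print(verdict(entries))
```

Two further things worth checking before the script is re-run: GMER reported the hidden service as `C:\WINDOWS\system32:lzx32.sys`, a stream on the system32 directory, whereas the script names `C:\WINDOWS\system32\lzx32.sys`, which is a different object; and the first entry shows the `lzx32` service key was not found even by Avenger's own boot-time service (the randomly named `djbygycc` key in the context), so a driver-unload step cannot be relied on for it.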



## kim-smells (Oct 4, 2006)

here's the new GMER log:

GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-03 18:13:41
Windows 5.1.2600 Service Pack 2

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0136083C 
.text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 013607B6 
.text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 013605E4 
.text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0136045D 
.text C:\WINDOWS\system32\csrss.exe[544] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01360505 
.text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0142083C 
.text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 014207B6 
.text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 014205E4 
.text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0142045D 
.text C:\WINDOWS\system32\winlogon.exe[568] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01420505 
.text C:\WINDOWS\system32\services.exe[612] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00F2083C 
.text C:\WINDOWS\system32\services.exe[612] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F207B6 
.text C:\WINDOWS\system32\services.exe[612] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F205E4 
.text C:\WINDOWS\system32\services.exe[612] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F2045D 
.text C:\WINDOWS\system32\services.exe[612] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F20505 
.text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00ED083C 
.text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00ED07B6 
.text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00ED05E4 
.text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00ED045D 
.text C:\WINDOWS\system32\lsass.exe[624] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00ED0505 
.text C:\WINDOWS\system32\ati2evxx.exe[776] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00C3083C 
.text C:\WINDOWS\system32\ati2evxx.exe[776] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00C307B6 
.text C:\WINDOWS\system32\ati2evxx.exe[776] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00C305E4 
.text C:\WINDOWS\system32\ati2evxx.exe[776] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00C3045D 
.text C:\WINDOWS\system32\ati2evxx.exe[776] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00C30505 
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00DA083C 
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DA07B6 
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DA05E4 
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DA045D 
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DA0505 
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008F083C 
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008F07B6 
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008F05E4 
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008F045D 
.text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008F0505 
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 02BE083C 
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 02BE07B6 
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 02BE05E4 
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 02BE045D 
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 02BE0505 
.text C:\WINDOWS\system32\ati2evxx.exe[936] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\WINDOWS\system32\ati2evxx.exe[936] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\WINDOWS\system32\ati2evxx.exe[936] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\WINDOWS\system32\ati2evxx.exe[936] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\WINDOWS\system32\ati2evxx.exe[936] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0081083C 
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008107B6 
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008105E4 
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0081045D 
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00810505 
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00DB083C 
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DB07B6 
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DB05E4 
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DB045D 
.text C:\WINDOWS\system32\svchost.exe[1140] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DB0505 
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00F2083C 
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F207B6 
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F205E4 
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F2045D 
.text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F20505 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1432] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 006C083C 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1432] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C07B6 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1432] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006C05E4 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1432] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006C045D 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1432] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006C0505 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1512] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0111083C 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1512] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011107B6 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1512] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011105E4 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1512] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0111045D 
.text C:\Program Files\Canon\MultiPASS4\mpservic.exe[1512] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01110505 
.text C:\Program Files\QuickTime\qttask.exe[1580] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\QuickTime\qttask.exe[1580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\QuickTime\qttask.exe[1580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\QuickTime\qttask.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\QuickTime\qttask.exe[1580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 008D083C 
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 008D07B6 
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 008D05E4 
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 008D045D 
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 008D0505 
.text C:\WINDOWS\system32\wdfmgr.exe[1760] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0065083C 
.text C:\WINDOWS\system32\wdfmgr.exe[1760] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006507B6 
.text C:\WINDOWS\system32\wdfmgr.exe[1760] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006505E4 
.text C:\WINDOWS\system32\wdfmgr.exe[1760] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0065045D 
.text C:\WINDOWS\system32\wdfmgr.exe[1760] ntdll.dll!NtQuerySystemInformation  7C90E1AA 5 Bytes JMP 00650505 
.text C:\WINDOWS\explorer.exe[1916] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C 
.text C:\WINDOWS\explorer.exe[1916] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000807B6 
.text C:\WINDOWS\explorer.exe[1916] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000805E4 
.text C:\WINDOWS\explorer.exe[1916] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0008045D 
.text C:\WINDOWS\explorer.exe[1916] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00080505 
.text C:\WINDOWS\sm56hlpr.exe[2156] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\WINDOWS\sm56hlpr.exe[2156] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\WINDOWS\sm56hlpr.exe[2156] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\WINDOWS\sm56hlpr.exe[2156] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\WINDOWS\sm56hlpr.exe[2156] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\svchost.exe[2236] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 006A083C 
.text C:\WINDOWS\system32\svchost.exe[2236] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006A07B6 
.text C:\WINDOWS\system32\svchost.exe[2236] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006A05E4 
.text C:\WINDOWS\system32\svchost.exe[2236] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006A045D 
.text C:\WINDOWS\system32\svchost.exe[2236] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006A0505 
.text C:\WINDOWS\SOUNDMAN.EXE[2416] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\WINDOWS\SOUNDMAN.EXE[2416] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\WINDOWS\SOUNDMAN.EXE[2416] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\WINDOWS\SOUNDMAN.EXE[2416] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\WINDOWS\SOUNDMAN.EXE[2416] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2440] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2440] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2440] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2440] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\WINDOWS\RACLE~1\dexplore.exe[2440] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\NeroCheck.exe[2488] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\WINDOWS\system32\NeroCheck.exe[2488] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\WINDOWS\system32\NeroCheck.exe[2488] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\WINDOWS\system32\NeroCheck.exe[2488] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\WINDOWS\system32\NeroCheck.exe[2488] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[2520] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[2520] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[2520] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[2520] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\MessengerPlus! 3\MsgPlus.exe[2520] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[2532] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[2532] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[2532] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[2532] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[2532] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\WINDOWS\system32\ctfmon.exe[2628] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C 
.text C:\WINDOWS\system32\ctfmon.exe[2628] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000807B6 
.text C:\WINDOWS\system32\ctfmon.exe[2628] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000805E4 
.text C:\WINDOWS\system32\ctfmon.exe[2628] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0008045D 
.text C:\WINDOWS\system32\ctfmon.exe[2628] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00080505 
.text C:\Program Files\Messenger\msmsgs.exe[2636] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0007083C 
.text C:\Program Files\Messenger\msmsgs.exe[2636] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000707B6 
.text C:\Program Files\Messenger\msmsgs.exe[2636] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000705E4 
.text C:\Program Files\Messenger\msmsgs.exe[2636] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0007045D 
.text C:\Program Files\Messenger\msmsgs.exe[2636] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00070505 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text D:\gmer\gmer.exe[2960] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text D:\gmer\gmer.exe[2960] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text D:\gmer\gmer.exe[2960] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text D:\gmer\gmer.exe[2960] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text D:\gmer\gmer.exe[2960] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text D:\gmer\aaaaaaos.t[3032] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 001B083C 
.text D:\gmer\aaaaaaos.t[3032] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001B07B6 
.text D:\gmer\aaaaaaos.t[3032] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001B05E4 
.text D:\gmer\aaaaaaos.t[3032] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 001B045D 
.text D:\gmer\aaaaaaos.t[3032] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 001B0505 
.text C:\WINDOWS\system32\notepad.exe[3244] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0008083C 
.text C:\WINDOWS\system32\notepad.exe[3244] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 000807B6 
.text C:\WINDOWS\system32\notepad.exe[3244] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 000805E4 
.text C:\WINDOWS\system32\notepad.exe[3244] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0008045D 
.text C:\WINDOWS\system32\notepad.exe[3244] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00080505 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 01D99B03 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!GetScrollInfo 77D517F8 7 Bytes JMP 01D99A8B C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!ShowScrollBar 77D5F2CA 5 Bytes JMP 01D99B87 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!GetScrollPos 77D5F6DC 5 Bytes JMP 01D99AB3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!SetScrollPos 77D5F728 5 Bytes JMP 01D99B2E C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!GetScrollRange 77D5F75F 5 Bytes JMP 01D99AD8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!SetScrollRange 77D5F973 5 Bytes JMP 01D99B59 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!EnableScrollBar 77D97BC5 7 Bytes JMP 01D99A63 C:\Program Files\Winamp\Plugins\gen_jumpex.dll

---- Threads - GMER 1.0.12 ----

Thread 936:1080 0013006C
Thread 1580:2596 0013006C
Thread 1916:1984 0008006C
Thread 2156:2152 0013006C
Thread 2416:2360 0013006C
Thread 2440:2428 0013006C
Thread 2488:2472 0013006C
Thread 2520:2524 0013006C
Thread 2532:2544 0013006C
Thread 2552:2560 0013006C
Thread 2628:2632 0008006C
Thread 2636:2640 0007006C
---- Processes - GMER 1.0.12 ----

Library C:\Program Files\ (*** hidden *** ) @ C:\Program Files\?icrosoft\?vchost.exe [2820] 0x00400000

---- Threads - GMER 1.0.12 ----

Thread 2820:2452 0013006C
Thread 2960:2068 0013006C
Thread 3032:2316 001B006C
Thread 3244:3248 0008006C
Thread 3680:2896 0013006C
Thread 3784:3768 0013006C

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
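
The GMER output above is the key evidence in this thread: the same five ntdll functions are patched with a 5-byte JMP in every listed process, and, unlike the Winamp USER32 hooks, no module path follows the JMP target. The Python below is an added example, not part of the original post and not GMER's own code, that parses lines in this format and separates the two cases. It assumes that a trailing path on a hook line names the module owning the JMP target and that its absence means the target lies in memory no loaded module accounts for; the sample lines are copied from the log above, and the purpose notes beside each API are general rootkit background, not something GMER reports.

```python
"""Triage of GMER user-mode inline-hook lines.

Added example (not GMER code): parses
'.text <process>[pid] <module>!<function> <address> <n> Bytes JMP <target> [<owner>]'
lines, separates hooks whose JMP target GMER attributes to a module from those it
does not, and reports which functions are hooked across processes. Reading the
trailing path as the module owning the JMP target is an assumption about GMER's
output format; the sample lines are copied from this thread's log.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<owner>\S.*))?$"
)

# Native APIs whose hooking lets user-mode code filter what other programs see.
# The purpose column is general rootkit background, not something GMER reports.
HIDING_APIS = {
    "NtEnumerateKey": "filters registry key enumeration",
    "NtEnumerateValueKey": "filters registry value enumeration",
    "NtQueryDirectoryFile": "filters directory listings",
    "NtQuerySystemInformation": "filters process/module lists",
    "NtCreateThread": "intercepts thread creation",
}

# Constructed sample: lines copied from the GMER log in this thread.
SAMPLE_GMER = r""".text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\?icrosoft\?vchost.exe[2820] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0013083C 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 001307B6 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 001305E4 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 0013045D 
.text C:\Program Files\Winamp\winamp.exe[3784] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00130505 
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 01D99B03 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3784] USER32.dll!GetScrollInfo 77D517F8 7 Bytes JMP 01D99A8B C:\Program Files\Winamp\Plugins\gen_jumpex.dll
"""


def parse_hooks(text):
    """One dict per hook line; 'owner' is None when no module path follows the target."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["target"] = int(h["target"], 16)
            hooks.append(h)
    return hooks


def unbacked_hooks(hooks):
    """Hooks whose JMP target GMER could not attribute to any loaded module."""
    return [h for h in hooks if h["owner"] is None]


def systemwide_hooks(hooks, min_processes=2):
    """(module, function, address) tuples hooked in at least min_processes PIDs."""
    pids = defaultdict(set)
    for h in hooks:
        pids[(h["mod"].lower(), h["func"], h["addr"].upper())].add(h["pid"])
    return {k: v for k, v in pids.items() if len(v) >= min_processes}


def assess(text, min_processes=2):
    """Summary a reviewer can act on: what is hooked, where it points, in how many processes."""
    hooks = parse_hooks(text)
    unbacked = unbacked_hooks(hooks)
    wide = systemwide_hooks(hooks, min_processes)
    hiding = sorted({h["func"] for h in unbacked if h["func"] in HIDING_APIS})
    return {
        "hooks": len(hooks),
        "unbacked": len(unbacked),
        "backed_by": sorted({h["owner"].rsplit("\\", 1)[-1] for h in hooks if h["owner"]}),
        "systemwide": sorted(func for (_, func, _) in wide),
        "hiding_apis": hiding,
        "processes": sorted({h["proc"] for h in unbacked}),
        "verdict": "rootkit-style hiding hooks" if hiding else "no hiding hooks",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_GMER).items():
        print(f"{key}: {value}")
```

For the sample, the verdict is rootkit-style hiding hooks in all three processes, while the Winamp scroll-bar hooks resolve to gen_jumpex.dll and are left alone. Registry enumeration, directory enumeration and NtQuerySystemInformation are exactly the calls a user-mode component must filter to keep entries out of regedit, Explorer and Task Manager, which is consistent with the hidden pe386 service GMER reports in the same log; the hook pattern is the thing to look for, not the specific addresses, which vary by machine.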


----------



## kim-smells (Oct 4, 2006)

Oh! I'm sorry, but I forgot to ask if the D drive is a safe place for GMER, as you told me to save it somewhere safe, but I wasn't quite sure.

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:14:49 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {9E2A76B9-BB7C-E08D-7D91-C69E891402C0} - C:\WINDOWS\system32\zpw.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9E2A76B9-BB7C-E08D-7D91-C69E891402C0} - C:\WINDOWS\system32\zpw.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

GMER should be fine on the D drive.

I'm sorry but I made a mistake in the script to run. Please run Avenger again but with the following script:



> Drivers to unload:
> Pe386
> 
> Files to delete:
> ...


Reboot and run another GMER scan and post the results please.


----------



## kim-smells (Oct 4, 2006)

My computer has practically died now. Every time I turn it on, it restarts less than a minute after it has started. I'm using another computer at the moment. Is there ANYTHING that I can do in safe mode or anything? I'm really desperate not to reformat my computer.

Thanks.


Also, I've moved some of my documents to the D drive, but I'm not sure about partitioning my hard drive and redirecting my documents to the D drive.


----------



## Cookiegal (Aug 27, 2003)

Try doing a system restore. Let me know how that goes.


----------



## kim-smells (Oct 4, 2006)

I got a System Restore date of Nov 1, but that's as far as I can go.


----------



## Cookiegal (Aug 27, 2003)

Try it and see if that improves your situation. My goal is just to get you to be able to function better than it is right now. If you don't find any improvement, go back and undo the system restore.


----------



## kim-smells (Oct 4, 2006)

That date is the best I can do, but if I undo the system restore, my computer will constantly restart.

And I'm not sure how to undo it either. Thanks.


----------



## Cookiegal (Aug 27, 2003)

Did you try it? 

If you want to undo it, just go back into the system restore wizard and you will see an option asking if you want to undo your last restoration.


----------



## kim-smells (Oct 4, 2006)

Yes, I tried it, but it didn't work. Would you like me to change it back?


----------



## Cookiegal (Aug 27, 2003)

What do you mean "it didn't work"? Were you not able to do the system restore, or did it work but not improve the situation?


----------



## kim-smells (Oct 4, 2006)

I was not able to improve the situation.



Sorry.


----------



## Cookiegal (Aug 27, 2003)

Then yes, undo the system restore please.

Download rustbfix.exe from *here* and save it to your desktop.

Double click on *rustbfix.exe*. If a Rustock.b infection is found, you will be asked to reboot your computer. The reboot will probably take quite a while, and perhaps two reboots will be needed, but this will happen automatically, so please be patient and allow the process to complete.

After the reboot, two log files will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these log files along with a new HijackThis log please.


----------



## kim-smells (Oct 4, 2006)

To undo the restoration, you had to check a point underneath the heading "To begin, select the task you want to perform", right?

Well, under that heading there was no task about undoing a restoration.



OR would I go to System in Control Panel and turn off System Restore?


Thanks.


----------



## Cookiegal (Aug 27, 2003)

Open system restore the same way you did when you restored to the earlier date. You will see an option there to "undo my last restoration."


Did you run the Rustbfix?


----------



## kim-smells (Oct 4, 2006)

Well, when I tried that, there was no option to "undo my last restoration".


Sorry again! This must be a pain in the neck.


I haven't run Rustbfix; I've saved it though.


----------



## Cookiegal (Aug 27, 2003)

Please run the Rustbfix and post the results.


----------



## kim-smells (Oct 4, 2006)

This is what came up:

************************* Rustock.b-fix -- By ejvindh *************************
Sat 11/11/2006 10:58:48.48

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69500
Total size: 69500 bytes.
Attempting to remove ADS...
system32: deleted 69500 bytes in 1 streams.

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.

******************************* End of Logfile ********************************

Here's a HijackThis scan; not sure if you wanted it, but you requested it last time:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:40 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sltchgnj.t
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MessengerPlus! 3\vrstehga.t
C:\WINDOWS\system32\wservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\aaaameqd.t
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Canon\MultiPASS4\sltctdkp.t
C:\Program Files\Canon\MultiPASS4\sltctdkp.t
C:\Program Files\Canon\MultiPASS4\sltctdkp.t
C:\Program Files\Canon\MultiPASS4\dgyrjifl.t
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - C:\WINDOWS\system32\tmp41.tmp.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

Click *Start - Control Panel - Add/Remove Programs*
In the list of installed software, look for:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
If you find any:
Click on it and click *Remove*.
Reboot and delete the folder *C:\Program Files\PurityScan* (if it's still there).

If not:
Download and run the Oiuninstaller.
There is a tutorial for the uninstaller available.
When the uninstaller is done, *reboot* and delete the folder *C:\Program Files\PurityScan*.


Rescan with HijackThis and fix these entries:

*R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - C:\WINDOWS\system32\tmp41.tmp.dll

O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dlll

O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll

O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe

O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv

O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe

O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe

O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll*

Reboot to safe mode and run Killbox on these files:

*C:\WINDOWS\system32\ddbkt.dll
C:\WINDOWS\system32\tmp41.tmp.dll
C:\WINDOWS\system32\kbddir.dlll
C:\WINDOWS\system32\wservice.exe
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe*

Reboot and post a new HijackThis log please.
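
The fix list above is a human triage of a HijackThis log. The Python below is an added example, not part of the original post and not HijackThis code, that encodes the cues a reviewer uses to arrive at such a list: a `?` in a path (HijackThis shows characters it cannot print that way, as the `?icrosoft\?vchost.exe` entries in this thread illustrate), an 8.3 short name such as `RACLE~1` in a Run entry, an unnamed BHO or URLSearchHook, an entry whose file is missing, a Winlogon Notify DLL that is also registered as a BHO, the same Run value registered in both HKLM and HKCU, and a running process whose extension is not a normal binary extension (the `.t` files). All of these are heuristics for a person to review, not verdicts; the sample log is an excerpt copied from the thread's second HijackThis log, and the set of "normal" extensions is an assumption.

```python
"""Heuristic triage of a HijackThis log.

Added example (not HijackThis code): each rule is one cue a reviewer uses when
deciding which R3/O2/O4/O20 entries to fix. The sample log is an excerpt copied
from this thread; EXE_EXT is an assumption about which extensions are normal for
a running process.
"""
import re
from collections import defaultdict

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOOK_RE = re.compile(r"^(?P<kind>O2 - BHO|R3 - URLSearchHook): (?P<label>.+?) - _?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # "R1 - ", "O4 - ", ... start the entry section
EXE_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".cpl", ".ocx"}  # assumption

# Constructed sample: an excerpt of the HijackThis log posted in this thread.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\sltchgnj.t
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\vrstehga.t
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\?icrosoft\?vchost.exe

R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - C:\WINDOWS\system32\tmp41.tmp.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Edtm] "C:\WINDOWS\RACLE~1\dexplore.exe" -vt ndrv
O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
"""


def _target(cmd):
    """Path part of a Run command: the quoted string, or the text before a ' -' / ' /' switch."""
    m = re.match(r'"([^"]+)"|(.+?)(?=\s+[-/]|$)', cmd)
    return m.group(1) or m.group(2)


def _ext(path):
    """Extension of the last path component, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def triage(log):
    """Return {log line: [reasons]} for every line that trips at least one rule."""
    findings = defaultdict(list)
    run_seen = defaultdict(list)  # (value name, target path) -> lines
    hook_dlls = {}                # lower-cased DLL path -> BHO/URLSearchHook line
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # HijackThis prints characters it cannot display as '?'; O16 lines carry URLs, skip them.
        if "?" in line and not line.startswith("O16"):
            findings[line].append("path contains a character HijackThis shows as '?'")
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not ENTRY_RE.match(line):
            if _ext(line) not in EXE_EXT:
                findings[line].append(f"running process with unusual extension {_ext(line)!r}")
            continue
        in_procs = False
        if m := RUN_RE.match(line):
            target = _target(m["cmd"])
            if re.search(r"~\d", target):  # weak signal on its own: 8.3 names hide the real folder name
                findings[line].append("Run entry uses an 8.3 short name")
            run_seen[(m["name"].lower(), target.lower())].append(line)
        elif m := HOOK_RE.match(line):
            kind = m["kind"].split(" - ")[1]
            if m["path"] == "(no file)":
                findings[line].append(f"{kind} entry points at a missing file (orphan)")
            elif m["label"] == "(no name)":
                findings[line].append(f"unnamed {kind} loading {m['path']}")
            hook_dlls[m["path"].lower()] = line
        elif m := NOTIFY_RE.match(line):
            # O2 entries precede O20 in HijackThis output, so hook_dlls is complete here.
            if m["path"].lower() in hook_dlls:
                findings[line].append("Winlogon Notify DLL is also registered as a BHO")
    for lines in run_seen.values():
        if len(lines) > 1:
            for line in lines:
                findings[line].append("same Run value registered in more than one hive")
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT).items():
        print(line, "\n   ->", "; ".join(reasons))
```

On the sample the flagged set is the same set of entries the post above asks to fix, plus the two `.t` processes and the `?vchost.exe` process line, while smss.exe, Explorer, the Yahoo BHO and the SoundMan and MSMSGS Run entries pass. The point of the process-extension rule is visible in the later logs in this thread: randomly named `.t` files appear in one legitimate program folder after another, which no autostart-entry rule would catch on its own.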


----------



## kim-smells (Oct 4, 2006)

I did exactly what you told me to, and I was unable to find the PurityScan folder.


----------



## kim-smells (Oct 4, 2006)

O2 - BHO: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll

R3 - URLSearchHook: (no name) - {C8767FEC-BC2B-E7DC-7F91-C69E8914059B} - C:\WINDOWS\system32\ddbkt.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [Dtwo] C:\Program Files\?icrosoft\?vchost.exe

were not found in HijackThis.


----------



## kim-smells (Oct 4, 2006)

C:\WINDOWS\system32\ddbkt.dll
C:\WINDOWS\system32\kbddir.dlll
C:\WINDOWS\RACLE~1\dexplore.exe
C:\Program Files\?icrosoft\?vchost.exe

were not found by Killbox.

Here's the new HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:06 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\pfukklsr.t
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\wservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MessengerPlus! 3\vrstehga.t
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\myvsnuea.t
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wservice.exe
C:\Program Files\Microsoft Office\Office10\aaaameqd.t
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\system32\wservice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

You have a worm now. Run your Kaspersky anti-virus program with the latest virus definitions and post the log please.


----------



## kim-smells (Oct 4, 2006)

Arghh! Now I'm having trouble with Kaspersky... I run a scan, and during it, it would just suddenly close...

I've tried scanning it multiple times, and none of the attempts have been successful.


----------



## Cookiegal (Aug 27, 2003)

Try running it in safe mode.


----------



## kim-smells (Oct 4, 2006)

I tried that and it came up with:

"Error while starting the service part of Kaspersky Anti-Virus Personal. It is recommended to reinstall the program"

I reinstalled it, and it would still come up with the same thing.


----------



## Cookiegal (Aug 27, 2003)

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## kim-smells (Oct 4, 2006)

Umm... I don't know, but somehow "DriveCleaner 2006 Free" downloaded itself onto my computer. I'm not sure if it is safe or not... I just wanted to ask you what it is. Thanks.


----------



## Cookiegal (Aug 27, 2003)

No, it's not. Uninstall it via the Control Panel - Add/Remove programs.

Please run the Panda scan.

Then post a new HijackThis log along with the result of the Panda scan.


----------



## kim-smells (Oct 4, 2006)

I've done the Panda scan... and the file ended up being very extensive, and also the size is 200,000 KB+. What should I do to get it to you?

Here's the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:02:10 PM, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

Upload it as an attachment and if it's too large for one then create two or three.


----------



## kim-smells (Oct 4, 2006)

There's another problem that I have come across... the log size is so big that I've already made 20 smaller posts and I'm nowhere near finishing. Is there any other method to get my file to you?

I'll post a few of the files now...


----------



## Cookiegal (Aug 27, 2003)

Here's what I'd like you to do.

Delete this folder:

C:\*!KillBox*

Reboot and scan again with Panda and it should be much smaller.


----------



## kim-smells (Oct 4, 2006)

Sure thing... I'll do that now.


Thanks.


----------



## kim-smells (Oct 4, 2006)

Here's the log for the Panda scan.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on these files:
C:\WINDOWS\system32\kbddir.dll 
c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD2.tmp 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD3.tmp
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD4.tmp 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD5.tmp 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\tmp41.tmp.exe 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\tmp5A.tmp.exe
C:\Documents and Settings\Thao Nguyen\one.exe 
C:\DXC9.exe 
C:\Program Files\Adverts 
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N91M2007NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe 
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe 
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe 
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_0001_N91M2007NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe 
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N91M1508NetInstaller.exe
C:\WINDOWS\hide_evr2.sys
C:\WINDOWS\system32\tmp5A.tmp.dll 
C:\WINDOWS\VGhhbw\asappsrv.dll
C:\WINDOWS\VGhhbw\command.exe 
C:\WINDOWS\VGhhbw\p311vT.vbs
D:\My DocQumentZ\mOOsiQ\moOsiQ_i_dL\SnoopDogg.rar


Also, please post a new AVG Anti-Spyware scan and a new Panda scan after AVG.


----------



## kim-smells (Oct 4, 2006)

There were some files that could not be deleted:
C:\WINDOWS\system32\kbddir.dll 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD2.tmp 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD4.tmp 
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD5.tmp 
C:\Program Files\Adverts 



I'm doing the AVG scan now.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## kim-smells (Oct 4, 2006)

Here's the log for AVG Anti-Spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	1:49:58 PM 19/11/2006

+ Scan result:

C:\!KillBox\command.exe -> Adware.CommAd : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168047.exe -> Adware.CommAd : No action taken.
C:\WINDOWS\VGhhbw\asappsrv.dll -> Adware.CommAd : No action taken.
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe -> Adware.DriveCleaner : No action taken.
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163510.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163539.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163540.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163541.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164739.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164740.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164741.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164854.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0164920.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0165049.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0165052.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165677.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165681.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165781.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165786.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166152.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166155.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166588.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166589.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167030.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167032.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167433.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167436.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0167523.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0167524.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168177.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168180.exe -> Adware.DriveCleaner : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164857.dll -> Adware.ErrorSafe : No action taken.
HKU\S-1-5-21-484763869-2139871995-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : No action taken.
C:\!KillBox\DXC9.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163471.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164846.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0165142.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165608.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165971.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166175.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166699.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167111.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167325.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168035.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168044.exe -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168347.exe -> Adware.SurfSide : No action taken.
HKLM\SOFTWARE\WinAntiVirus Pro 2006 -> Adware.WinAntiVirus : No action taken.
C:\!KillBox\kbddir.dll -> Downloader.ConHook.ao : No action taken.
C:\Program Files\Hijackthis\backups\backup-20061031-170035-883.dll -> Downloader.ConHook.ao : No action taken.
C:\Program Files\Hijackthis\backups\backup-20061111-144556-432.dll -> Downloader.ConHook.ao : No action taken.
C:\RECYCLER\S-1-5-21-484763869-2139871995-839522115-1003\Dc10110\kbddir.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163771.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164508.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0165010.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165598.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165867.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166412.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166524.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166920.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167405.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0167735.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168054.dll -> Downloader.ConHook.ao : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168351.dll -> Downloader.ConHook.ao : No action taken.
C:\WINDOWS\system32\kbddir.dll -> Downloader.ConHook.ao : No action taken.
C:\RECYCLER\S-1-5-21-484763869-2139871995-839522115-1003\Dc10110\FNTS~1\notepad.exe -> Downloader.PurityScan.co : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163516.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163534.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163663.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163664.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163695.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163696.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163697.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163698.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163706.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163707.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163716.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163743.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163744.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163745.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163746.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163747.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163748.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163749.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163750.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163751.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163752.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163753.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163754.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163756.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163758.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163759.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163762.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163763.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163764.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163768.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163769.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163770.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163774.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163775.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163776.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163777.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163778.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163779.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163780.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163781.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163782.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163790.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163797.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163803.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163804.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163805.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163807.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163808.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163810.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163811.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163813.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163814.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163824.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163825.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163826.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163827.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163829.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163830.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163831.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163832.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163834.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163835.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163836.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163838.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163842.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163843.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163848.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163849.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163850.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163851.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163852.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163853.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163855.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163857.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163858.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163859.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163863.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163865.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163866.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163869.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163870.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163871.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163873.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163882.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163889.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163890.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163891.exe -> Downloader.Small.ciw : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163894.exe -> Downloader.Small.ciw : No action taken.
C:\!KillBox\UDC6_0001_D19M1908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : No action taken.
C:\RECYCLER\S-1-5-21-484763869-2139871995-839522115-1003\Dc10110\UDC6_0001_D19M1908NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168353.exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : No action taken.
C:\!KillBox\ICD3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\!KillBox\UERS_0001_N91M2007NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\!KillBox\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\!KillBox\UWAS6_0001_N91M1508NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD2.tmp\UWAS6_0001_N91M1508NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD4.tmp\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD5.tmp\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\ICD6.tmp\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168349.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168354.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168355.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168356.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : No action taken.
C:\Program Files\Adobe\Photoshop CS\crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
:mozilla.356:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.357:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.384:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.107:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.108:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.100:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.101:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.99:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.365:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.366:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.367:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.368:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.354:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.361:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.362:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.363:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Burstnet : No action taken.


----------



## kim-smells (Oct 4, 2006)

continued:

C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.194:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.195:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.196:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.198:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.199:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.200:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Casinotropez : No action taken.
:mozilla.270:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.263:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.264:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.265:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.267:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Cpvfeed : No action taken.
:mozilla.353:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.243:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Enhance : No action taken.
:mozilla.244:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Enhance : No action taken.
:mozilla.327:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Estat : No action taken.
:mozilla.372:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.373:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\epkxru76.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
:mozilla.271:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
:mozilla.272:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\epkxru76.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.410:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.390:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.358:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.359:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.276:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.277:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.278:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.279:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.280:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.190:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.53:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.54:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.55:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.56:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.57:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.58:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.33:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.40:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.42:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.43:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.44:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.47:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\Cookies\thao [email protected][2].txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.259:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.260:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.396:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Targetnet : No action taken.
:mozilla.407:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.364:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.22:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.23:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.24:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.25:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.26:C:\Documents and Settings\Thao Nguyen\Application Data\Mozilla\Firefox\Profiles\fos10co8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][3].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Thao Nguyen\Cookies\thao [email protected][4].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Thao Nguyen\Local Settings\Temp\Cookies\thao [email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\!KillBox\hide_evr2.sys -> Trojan.Small.bs : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163544.exe -> Trojan.Small.bs : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0163550.sys -> Trojan.Small.bs : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168045.sys -> Trojan.Small.bs : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168348.sys -> Trojan.Small.bs : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP25\A0164635.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP26\A0165089.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165656.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP27\A0165862.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166170.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0166790.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167094.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP28\A0167475.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{8D61627C-AD85-4102-9438-3121FE4618A9}\RP29\A0168253.dll -> Worm.Banwarum.f : No action taken.

::Report end


----------



## kim-smells (Oct 4, 2006)

I'm going out for a while now, but when I come back I'll post the results of Panda.


----------



## kim-smells (Oct 4, 2006)

I've attached the Panda scans:


----------



## kim-smells (Oct 4, 2006)

I've come across another problem... my Internet Explorer will freeze every time I open it... I'm on another computer at the moment... my Mozilla has not been working for a long time also...


----------



## kim-smells (Oct 4, 2006)

Problem solved... it suddenly works now.


Sorry about that.


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixKim.zip file. Save it to your desktop. Unzip it and double click the FixKim.reg file and allow it to enter into the registry.

Go to Control Panel - Add/Remove programs and remove:

*DriveCleaner 2006 Free*

Rescan with HijackThis and fix these:

O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe"

O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

Reboot to safe mode and run Killbox on these:

*C:\WINDOWS\system32\kbddir.dll
C:\Program Files\Adverts
C:\Program Files\Common Files\DriveCleaner 2006 Free*

Clear out all of your cookies in IE:

Clean your Cache and Cookies in IE: 
Close all instances of Outlook Express and Internet Explorer 
Go to Control Panel > Internet Options > General tab 
Click the "Delete Cookies" button 
Next to it, Click the "Delete Files" button 
When prompted, place a check in: "Delete all offline content", click OK

and then reset them as follows:

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set both First Party and Third Party cookies to "prompt" and check "always allow session cookies".

Basically, you should refuse all cookies except those from sites you trust or need to log in to. In those cases, you can add the sites to the Trusted Zone or simply choose to "always accept" them.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "advanced" and remove it from the list of blocked cookies there.

Clear out all your cookies in Firefox:

Clean your Cache and Cookies in Firefox: 
Click Privacy in the menu on the left side of the Options window. 
Click the Clear button located to the right of each option (History, Cookies, Cache). 
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All. 
A confirmation dialog box will be shown before clearing the information

See the following link for the proper settings for cookies in Firefox:

http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Reboot and post a new HijackThis log please.


----------



## kim-smells (Oct 4, 2006)

I have already removed "DriveCleaner 2006 Free" as in posts #130 and #131.


----------



## kim-smells (Oct 4, 2006)

I don't have Mozilla at the moment because it's not working... but usually I would use it. Should I download Mozilla again and follow your instructions for Mozilla?

Also, on Killbox,

C:\WINDOWS\system32\kbddir.dll

could not be deleted.


----------



## kim-smells (Oct 4, 2006)

DriveCleaner 2006 Free downloaded itself onto my computer again... I've uninstalled it.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:20:03 PM, on 20/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Great Dead.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: kbddir - C:\WINDOWS\SYSTEM32\kbddir.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\SYSTEM32\kbddir.dll


_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*"
Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
Click *Done*
Now click on the *Green Light* to begin execution of the script
Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HijackThis log. *

I see LOP is back too so please do this:

Go here and follow the instructions to uninstall MessengerPlus

http://msghelp.net/showthread.php?tid=21598

You can reinstall it later if you want but do NOT accept the sponsor files when prompted. Don't do this yet though. I think we need to concentrate on getting clean before installing/reinstalling anything.

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## Cookiegal (Aug 27, 2003)

I edited my previous post so please be sure to refresh your browser before continuing. I had left a line out of the Avenger script. It should read:



> Files to delete:
> C:\WINDOWS\SYSTEM32\kbddir.dll


----------



## kim-smells (Oct 4, 2006)

here's the avenger file:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nfxrqjkc

*******************

Script file located at: \??\C:\rgyeaabs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\kbddir.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

here's the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:31:41 PM, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Great Dead.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: kbddir - kbddir.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------
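As an added example that is not part of this thread and not HijackThis' own code, the script below triages a constructed HijackThis-style excerpt modelled on the log above. It flags the entry types the helper's Avenger script and follow-up instructions are chasing: hooks whose file is already gone (the registry entry outlives the deleted DLL, which is why `kbddir.dll` still shows up as "(file missing)"), O20 Winlogon Notify hooks, and O4 autoruns launched from a user-profile path, which is where the LOP-style random-name entries live. The line format and the marker strings are assumptions drawn from the log shown above.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass, field

# Reasons attached to a flagged entry. Wording is ours, not HijackThis'.
REASON_MISSING = ("hook points at a file that is already gone; "
                  "the registry entry itself still needs removal")
REASON_WINLOGON = "Winlogon Notify DLL is loaded by winlogon.exe at every logon"
REASON_PROFILE = "autorun launched from a user-profile / Application Data path"

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] target".
_ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")

# Case-insensitive markers for paths under a user profile (long and 8.3 forms).
_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                    "\\application data\\", "\\applic~1\\")

# Constructed excerpt, modelled on the log posted above (not a full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Great Dead.exe
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O20 - Winlogon Notify: kbddir - kbddir.dll (file missing)
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _o4_target(body: str) -> str:
    """Extract the launched path from an O4 body.

    Registry form:  'HKLM\\..\\Run: [name] "C:\\x.exe" /arg'
    Startup folder: 'Global Startup: foo.lnk = C:\\x.exe'
    """
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body
    return target.strip().strip('"')


def triage(log_text: str) -> list:
    """Return one Finding per entry line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section, body = m.group(1), m.group(2)
        reasons = []
        if "(file missing)" in body:
            reasons.append(REASON_MISSING)
        if section == "O20" and body.startswith("Winlogon Notify:"):
            reasons.append(REASON_WINLOGON)
        if section == "O4":
            target = _o4_target(body).lower()
            if any(marker in target for marker in _PROFILE_MARKERS):
                reasons.append(REASON_PROFILE)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
```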



## kim-smells (Oct 4, 2006)

here's the StartupList Log.

StartupList report, 22/11/2006, 8:36:31 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
SMSERIAL = sm56hlpr.exe
WinampAgent = C:\Program Files\Winamp\winampa.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
BigPond Toolbar = "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
KAVPersonal50 = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
first kind four rule = C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Great Dead.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SIGN PING = C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden


----------



## kim-smells (Oct 4, 2006)

cont...

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}
(no name) - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\WINDOWS\system32\kbddir.dll (file missing) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

A82B50FB9190CF9F.job
AppleSoftwareUpdate.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}]
CODEBASE = http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EIO: \??\C:\WINDOWS\system32\drivers\EIO.sys (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Speedstream Ethernet USB Adapter: system32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
!!!!: \??\C:\WINDOWS\hide_evr2.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Klif: System32\drivers\klif.sys (system)
Klmc: System32\drivers\klmc.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MpService: C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE (autostart)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Client Service for NetWare: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: system32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: system32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: system32\DRIVERS\nwlnkspx.sys (autostart)
NetWare Rdr: system32\DRIVERS\nwrdr.sys (manual start)
SAP Agent: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSide: System32\DRIVERS\siside.sys (system)
sisidex: system32\drivers\sisidex.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
Add Performance Filter Driver: system32\drivers\sisperf.sys (system)
SiSRaid: System32\DRIVERS\SiSRaid.sys (system)
smserial: System32\DRIVERS\smserial.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B26F5E26-32F1-406A-8414-5EB61197E2DF} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 35,111 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------
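Each line of the services section in the StartupList report above has the shape `DisplayName: ImagePath (start type)`, and one entry, `!!!!: \??\C:\WINDOWS\hide_evr2.sys (manual start)`, looks nothing like the Microsoft and vendor services around it. The Python below is an added example, not code from the thread or from HijackThis: it parses a constructed excerpt of those lines and applies three plain checks a reviewer would make by eye (a display name with no letters or digits, an image given as an NT object path under `\??\`, a kernel driver stored outside a `drivers` directory). It assumes Windows lives in `C:\WINDOWS`, as the report's own paths show. One caveat worth knowing when acting on such a finding: `sc delete` takes the service's registry key name, while StartupList prints the display name; the two are usually the same but need not be.

```python
"""Heuristic review of the services section of a HijackThis StartupList report.

Added example for this thread; the SAMPLE_REPORT excerpt is constructed from
lines in the posted report.
"""
import re

# Assumption: Windows XP installed to C:\WINDOWS (the report's own paths say so).
SYSTEM_ROOT = r"C:\WINDOWS"

# DisplayName: ImagePath (autostart|manual start|system|disabled)
LINE_RE = re.compile(
    r"^(?P<name>.+?): (?P<image>.+) \((?P<start>autostart|manual start|system|disabled)\)$"
)

SAMPLE_REPORT = r"""
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
!!!!: \??\C:\WINDOWS\hide_evr2.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
"""


def normalize_image(image: str) -> str:
    """Reduce an ImagePath string to one absolute, lower-cased file path.

    Handles the forms seen in the report: quoted paths, trailing arguments,
    the %SystemRoot% macro, the \SystemRoot\ form, paths relative to the
    Windows directory, and the NT object-manager prefix \??\ .
    """
    p = image.strip()
    if p.startswith('"'):                      # quoted path, maybe followed by arguments
        p = p[1:].split('"', 1)[0]
    if p.startswith("\\??\\"):                 # NT object namespace prefix
        p = p[4:]
    m = re.match(r"(.*?\.(?:exe|sys|dll))(?=\s|$)", p, re.IGNORECASE)
    p = m.group(1) if m else (p.split() or [p])[0]
    p = re.sub(r"(?i)%systemroot%", lambda _m: SYSTEM_ROOT, p)
    p = p.replace("\\SystemRoot", SYSTEM_ROOT)
    if not re.match(r"^[A-Za-z]:\\", p):       # relative to the Windows directory
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p.lower()


def scan_services(report: str):
    """Return [(display_name, [reasons])] for entries that deserve a second look."""
    findings = []
    for line in report.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, image = m.group("name"), m.group("image")
        path = normalize_image(image)
        reasons = []
        if not re.search(r"[0-9A-Za-z]", name):
            reasons.append("display name has no letters or digits")
        if image.lstrip().startswith("\\??\\"):
            reasons.append("image given as an NT object path (\\??\\), unusual for a bundled driver")
        if path.endswith(".sys") and "\\drivers\\" not in path:
            reasons.append("kernel driver stored outside a drivers directory: " + path)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_services(SAMPLE_REPORT):
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone it prints only the `!!!!` entry with all three reasons; every other sample line, including the relative `System32\Drivers\HTTP.sys` and the `\SystemRoot\...\vga.sys` form, normalizes to a path under a `drivers` directory and passes.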



## Cookiegal (Aug 27, 2003)

Copy the part in bold below into notepad and save it as direxie.bat
Set File type to "All files"

*cd\
cd C:\Documents and Settings\%UserName%\Application Data
dir /x > C:\directory.txt
cd C:\Documents and Settings\All Users\Application Data
dir /x >> C:\directory.txt
cd C:\Program Files
dir /x >> C:\directory.txt
start notepad C:\directory.txt*


----------



## kim-smells (Oct 4, 2006)

done


----------



## Cookiegal (Aug 27, 2003)

Sorry but I had cut off the bottom part of my instructions.

Start the file by double clicking direxie.bat

That will open a file called directory.txt. Post the content of that file.


----------



## kim-smells (Oct 4, 2006)

that's ok... here's what was in the file:

Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Documents and Settings\Thao Nguyen\Application Data

18/11/2006 08:34 PM Adobe
02/06/2005 08:47 PM CYBERL~1 CyberLink
26/08/2006 01:04 AM EBookSys
20/10/2006 08:15 PM FASTST~1 FastStone
10/07/2005 04:52 PM 41,816 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
05/07/2006 09:10 PM Google
16/04/2006 03:29 PM Help
02/06/2005 06:54 PM IDENTI~1 Identities
24/09/2006 02:09 AM IMVU
03/10/2006 06:32 PM MACROM~1 Macromedia
20/09/2005 05:27 PM Mozilla
01/04/2006 05:20 PM Nokia
27/03/2006 06:06 PM NOKIAM~1 Nokia Multimedia Player
18/08/2006 06:01 PM Sun
16/11/2006 06:51 PM SURFOW~1 Surf owns heart
07/11/2005 08:38 PM Symantec
02/06/2005 09:30 PM THUMBS~1 ThumbsPlus
1 File(s) 41,816 bytes
16 Dir(s) 23,708,774,400 bytes free
Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Documents and Settings\All Users\Application Data

18/11/2006 10:22 PM Adobe
27/09/2006 06:09 PM APPLEC~1 Apple Computer
31/07/2005 12:57 PM Canon
19/11/2006 01:56 PM CLOCKD~1 ClockDrvFirstKind
02/06/2005 08:10 PM CYBERL~1 CyberLink
06/10/2006 04:37 PM DOWNLO~1 Downloaded Installations
02/06/2005 07:49 PM KASPER~1 Kaspersky Anti-Virus Personal
27/09/2006 05:13 PM MACROM~1 Macromedia
02/06/2003 08:06 PM MACROV~1 Macrovision
06/10/2005 02:34 PM MESSEN~1 Messenger Plus!
04/11/2005 07:36 PM NFSUND~1 NFS Underground
04/07/2006 08:05 PM PopCap
30/12/2005 01:48 PM Symantec
30/12/2005 11:16 AM WINDOW~1 Windows Genuine Advantage
12/07/2006 08:49 PM YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
15 Dir(s) 23,708,774,400 bytes free
Volume in drive C is DRIVE_C
Volume Serial Number is 600B-21EE

Directory of C:\Program Files

24/11/2006 04:53 PM .
24/11/2006 04:53 PM ..
04/06/2005 10:04 PM Adobe
02/06/2005 08:12 PM Ahead
14/11/2006 07:50 PM APPLES~1 Apple Software Update
02/06/2005 07:08 PM ATITEC~1 ATI Technologies
14/11/2006 07:52 PM Audacity
14/11/2006 07:52 PM AvRack
04/06/2005 01:27 PM BRITAN~1 Britannica
31/07/2005 12:57 PM Canon
06/10/2005 10:59 AM CODEMA~1 Codemasters
20/11/2006 05:18 PM COMMON~1 Common Files
02/06/2005 06:06 PM COMPLU~1 ComPlus Applications
02/06/2005 08:10 PM CYBERL~1 CyberLink
31/07/2005 12:40 PM D-Link
20/11/2006 05:18 PM DRIVEC~1 DriveCleaner 2006 Free
02/06/2005 09:36 PM E-BOOK~1 E-Book Systems
05/11/2005 12:44 PM EACom
02/06/2005 08:11 PM ELABOR~1 Elaborate Bytes
05/11/2005 12:42 PM ELECTR~1 Electronic Arts
14/11/2006 08:22 PM FASTST~1 FastStone Image Viewer
02/06/2005 09:47 PM FORMOS~1 Formosoft
05/07/2006 09:09 PM Google
06/10/2006 12:26 PM Grisoft
22/11/2006 08:36 PM HIJACK~1 Hijackthis
14/11/2006 08:26 PM IMVU
19/11/2006 02:03 PM INTERN~1 Internet Explorer
02/06/2005 09:42 PM iolo
26/07/2006 08:26 PM Java
02/06/2005 08:33 PM KASPER~1 Kaspersky Lab
14/11/2006 08:38 PM LimeWire
27/09/2006 05:13 PM MACROM~1 Macromedia
19/11/2006 02:05 PM MESSEN~1 Messenger
14/11/2006 08:44 PM MESSEN~3 Messenger Plus! Live
19/11/2006 02:05 PM MESSEN~2 MessengerPlus! 3
19/10/2005 08:30 PM MICROS~3 Microsoft ActiveSync
02/06/2005 06:10 PM MICROS~1 microsoft frontpage
19/10/2005 08:30 PM MICROS~2 Microsoft Office
19/10/2005 08:30 PM MICROS~1.NET Microsoft.NET
14/11/2006 08:54 PM MOVIEM~1 Movie Maker
14/11/2006 08:56 PM MOZILL~1 Mozilla Firefox
20/09/2005 05:27 PM mozilla.org
02/06/2005 06:06 PM MSN
23/03/2006 06:33 PM MSNAPP~1 MSN Apps
18/10/2006 04:32 PM MSNGAM~2 MSN Games
02/06/2005 06:06 PM MSNGAM~1 MSN Gaming Zone
19/11/2006 02:07 PM MSNMES~1 MSN Messenger
14/11/2006 09:01 PM NETMEE~1 NetMeeting
02/06/2005 06:08 PM ONLINE~1 Online Services
14/11/2006 09:01 PM OUTLOO~1 Outlook Express
14/11/2006 09:01 PM PICTUR~1 PicturesToExe
14/11/2006 09:01 PM QUICKT~1 QuickTime
02/06/2005 07:03 PM REALTE~1 Realtek Sound Manager
02/06/2005 07:04 PM SILICO~1 Silicon Integrated Systems
02/06/2005 07:01 PM SiSLan
14/11/2006 09:02 PM SIZEEX~1 SizeExplorer
14/11/2006 09:03 PM SPYWAR~1 SpywareBlaster
16/11/2006 06:46 PM SURFOW~1 Surf owns heart
30/12/2005 01:50 PM Symantec
25/06/2005 05:32 PM Telstra
14/11/2006 09:05 PM Thumbs7
14/11/2006 09:06 PM VIRTUA~1 Virtual Makeover the Collection
14/11/2006 09:07 PM Winamp
14/11/2006 09:07 PM WINDOW~2 Windows Media Player
14/11/2006 09:08 PM WINDOW~1 Windows NT
02/06/2005 06:10 PM xerox
12/07/2006 08:16 PM Yahoo!
11/11/2006 02:24 PM ICROSO~1 ?icrosoft
31/10/2006 05:20 PM ASKS~1 ?asks
0 File(s) 0 bytes
69 Dir(s) 23,708,770,304 bytes free


----------
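Cookiegal's direxie.bat above runs `dir /x`, which prints the generated 8.3 short name beside every long name that is not itself a valid 8.3 name, and the listing kim-smells posted shows why that matters: `ICROSO~1 ?icrosoft` and `ASKS~1 ?asks`. A `?` cannot occur in a real Windows file name, so when `dir` prints one it is the console's stand-in for a character its code page cannot draw. The Python below is an added example, not code from the thread: it parses a constructed excerpt of the listing in the flattened form the forum posted (the real command pads its columns) and flags entries whose visible name is not what the file system actually holds, either because of an undisplayable or non-ASCII character, or because the generated short name does not derive from the visible long name.

```python
"""Read ``dir /x`` output and flag folder names that are not what they appear.

Added example for this thread; SAMPLE_LISTING is a constructed excerpt built
from lines in the posted directory.txt.
"""
import re

# date  time  [<DIR>]  [size]  [SHORT~N[.EXT]]  long name
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?:<DIR>\s+)?(?:(?P<size>[\d,]+)\s+)?"
    r"(?:(?P<short>[^a-z\s]*~\d+[^a-z\s]*)\s+)?"
    r"(?P<long>.+)$"
)

# Characters Windows keeps when it builds an 8.3 name; everything else is dropped.
SHORT_OK = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$~!#%&'()@^`{}-")
VALID_8DOT3 = re.compile(
    r"^[A-Z0-9_$~!#%&'()@^`{}-]{1,8}(\.[A-Z0-9_$~!#%&'()@^`{}-]{1,3})?$", re.IGNORECASE
)

SAMPLE_LISTING = """\
 Directory of C:\\Program Files

24/11/2006 04:53 PM .
24/11/2006 04:53 PM ..
04/06/2005 10:04 PM Adobe
02/06/2005 08:47 PM CYBERL~1 CyberLink
10/07/2005 04:52 PM 41,816 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
16/11/2006 06:46 PM SURFOW~1 Surf owns heart
19/10/2005 08:30 PM MICROS~1.NET Microsoft.NET
20/09/2005 05:27 PM mozilla.org
12/07/2006 08:49 PM YAHOO!~1 Yahoo! Companion
11/11/2006 02:24 PM ICROSO~1 ?icrosoft
31/10/2006 05:20 PM ASKS~1 ?asks
 0 File(s) 0 bytes
"""


def parse_dir_x(listing: str):
    """Yield (short_name_or_None, long_name) for each file or folder entry."""
    for raw in listing.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group("long") in (".", ".."):
            continue
        yield m.group("short"), m.group("long")


def expected_prefix(long_name: str) -> str:
    """The up-to-six characters Windows would use for the 8.3 stem of long_name."""
    stem = long_name.rpartition(".")[0] or long_name   # drop the last extension
    return "".join(c for c in stem.upper() if c in SHORT_OK)[:6]


def suspicious_entries(listing: str):
    """Return [(long_name, [reasons])] for entries whose name is not what it looks like."""
    findings = []
    for short, long_name in parse_dir_x(listing):
        reasons = []
        if "?" in long_name:
            reasons.append("contains a character the console code page cannot display")
        if any(ord(c) > 127 for c in long_name):
            reasons.append("contains non-ASCII characters")
        if short:
            if VALID_8DOT3.match(long_name):
                reasons.append("has a generated short name although the visible name is "
                               "already 8.3-valid (hidden characters)")
            elif short.split("~")[0] != expected_prefix(long_name):
                reasons.append(f"short name {short} does not derive from the visible long name")
        if reasons:
            findings.append((long_name, reasons))
    return findings


if __name__ == "__main__":
    for long_name, reasons in suspicious_entries(SAMPLE_LISTING):
        print(repr(long_name))
        for reason in reasons:
            print("   -", reason)
```

On the sample it flags exactly `?icrosoft` and `?asks`; every other entry's short name (`CYBERL~1`, `SURFOW~1`, `MICROS~1.NET`, `YAHOO!~1`, ...) matches the prefix derived from its long name, and `Adobe` and `mozilla.org` carry no short name because they are already valid 8.3 names. The same check generalizes to any `dir /x` listing pasted into a support thread.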



## Cookiegal (Aug 27, 2003)

Copy everything inside the quote box below (starting with @) and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as *remlop.bat* on your desktop.



> @echo off
> cd C:\WINDOWS\Tasks
> attrib -r -s -h A82B50FB9190CF9F.job
> del A82B50FB9190CF9F.job
> exit


Double-click remlop.bat. A window will open and close quickly; this is normal.

Rescan with HijackThis and fix these entries:

*R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {b9ec7ddc-7d9c-4ff5-be1f-814964a7c734} - C:\WINDOWS\system32\kbddir.dll (file missing)

O4 - HKLM\..\Run: [first kind four rule] C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind\Great Dead.exe

O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

O20 - Winlogon Notify: kbddir - kbddir.dll (file missing)*

Boot to safe mode and run Killbox on these folders/file:

*C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart
C:\Documents and Settings\All Users\Application Data\ClockDrvFirstKind
C:\Program Files\DriveCleaner 2006 Free
C:\Program Files\?icrosoft
C:\Program Files\?asks
C:\Program Files\Surf owns heart
C:\WINDOWS\hide_evr2.sys*

While still in safe mode, please do this:

Go to *Start* - Run, type in *CMD* and click OK. The MSDOS window will be displayed. At the prompt type the following:

Type:

*SC Delete !!!!*

Then press Enter

Reboot and post a new HijackThis log along with a new HijackThis startup log please.


----------



## kim-smells (Oct 4, 2006)

* all entries were fixed in HijackThis

* These files did not exist for Killbox:
C:\Program Files\?icrosoft
C:\Program Files\?asks
C:\WINDOWS\hide_evr2.sys

* The instructions you gave me for:
*Go to Start - Run - type in CMD and click OK. The MSDOS window will be displayed. At the prompt type the following:

Type:

SC Delete !!!!

Then press Enter*

did not work. Is the MSDOS window the black window??? That was all that came up... and I typed in SC Delete !!!! It came up:
The specified service does not exist as an installed service.


----------



## Cookiegal (Aug 27, 2003)

> Reboot and post a new HijackThis log along with a new HijackThis startup log please.


----------



## kim-smells (Oct 4, 2006)

here's the hijackthis log::

Logfile of HijackThis v1.99.1
Scan saved at 11:50:31 AM, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## kim-smells (Oct 4, 2006)

here's the startup log:

StartupList report, 26/11/2006, 11:51:52 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
SMSERIAL = sm56hlpr.exe
WinampAgent = C:\Program Files\Winamp\winampa.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
BigPond Toolbar = "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
KAVPersonal50 = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
SIGN PING = C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}
(no name) - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab


----------



## kim-smells (Oct 4, 2006)

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EIO: \??\C:\WINDOWS\system32\drivers\EIO.sys (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Speedstream Ethernet USB Adapter: system32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
!!!!: \??\C:\WINDOWS\hide_evr2.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Klif: System32\drivers\klif.sys (system)
Klmc: System32\drivers\klmc.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MpService: C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE (autostart)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Client Service for NetWare: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: system32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: system32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: system32\DRIVERS\nwlnkspx.sys (autostart)
NetWare Rdr: system32\DRIVERS\nwrdr.sys (manual start)
SAP Agent: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSide: System32\DRIVERS\siside.sys (system)
sisidex: system32\drivers\sisidex.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
Add Performance Filter Driver: system32\drivers\sisperf.sys (system)
SiSRaid: System32\DRIVERS\SiSRaid.sys (system)
smserial: System32\DRIVERS\smserial.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B26F5E26-32F1-406A-8414-5EB61197E2DF} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,675 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and fix this entry:

*O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe*

Boot to safe mode and run Killbox on this folder:

*C:\Documents and Settings\Thao Nguyen\Application Data\Surf owns heart*

Reboot and post a new HijackThis log please.

Also, please do this:

Open the Registry Editor by clicking Start - Run - type in regedit and click OK.

Expand each of these keys by clicking on the + that appears to their left.

*HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet*

Below CurrentControlSet, right click on *Services* and select "export" and save it to your desktop as Services.reg. Right click on the Services.reg file that you exported to your desktop and select "open with" and "NotePad" and then save it with a .txt extension and upload it as an attachment here please.


----------
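Triage of logs like the two above is mostly pattern work: which autostart entries sit somewhere they have no business being, and which have names that look machine-generated. The Python below is an added example written for this page; it is not code from HijackThis, StartupList or anyone in the thread. It parses the StartupList service lines and the HijackThis O4 lines quoted from the posts above (the sample block is copied from those logs, including the "SIGN PING" entry the helper asked to fix and the "!!!!" service from the services list) and flags entries whose image path is outside the usual system locations, lives under a user profile, is a bare file name resolved via PATH, or whose service name contains no letters or digits. The list of expected locations, the flag names and the assumption that %SystemRoot% is C:\WINDOWS are mine, not the tools'; a hit is a prompt to look, not a verdict.

```python
import re
from typing import List, NamedTuple, Tuple

# Added example for triaging the logs posted in this thread; not HijackThis or
# StartupList code. Sample lines below are copied from the posts above.
STARTUPLIST_SERVICE = re.compile(
    r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>system|autostart|manual start|disabled)\)$")
HIJACKTHIS_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IMAGE_PATH = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll|ocx))(?:\s|$)", re.IGNORECASE)

WINDIR = r"C:\WINDOWS"  # assumption: %SystemRoot% in the posted log is C:\WINDOWS
# Heuristic of my own, not HijackThis's: boot/logon executables normally live
# under one of these prefixes; anything else is worth a second look.
EXPECTED_PREFIXES = (
    WINDIR.lower() + "\\system32\\",
    WINDIR.lower() + "\\system\\",
    "c:\\program files\\",
)
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\application data\\", "\\applic~1\\")


class Entry(NamedTuple):
    source: str            # "service" (StartupList) or "O4" (HijackThis)
    name: str
    image: str             # normalised image path
    flags: Tuple[str, ...]


def normalize_image_path(cmd: str) -> str:
    """Pull the executable out of a command line and make the path absolute."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        raw = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = IMAGE_PATH.match(cmd)
        raw = m.group("path") if m else cmd.split()[0]   # no extension: first token
    if raw.startswith("\\??\\"):          # NT object-manager prefix used by some drivers
        raw = raw[4:]
    low = raw.lower()
    if low.startswith("%systemroot%"):
        raw = WINDIR + raw[len("%systemroot%"):]
    elif low.startswith("\\systemroot\\"):
        raw = WINDIR + raw[len("\\systemroot"):]
    elif low.startswith("system32\\"):   # StartupList prints driver paths relative to WINDIR
        raw = WINDIR + "\\" + raw
    return raw


def flag_entry(name: str, image: str) -> Tuple[str, ...]:
    flags = []
    if not any(ch.isalnum() for ch in name):
        flags.append("odd_name")                 # e.g. a service called "!!!!"
    low = image.lower()
    if "\\" not in low:
        flags.append("unqualified_name")         # bare file name, found via PATH at run time
    else:
        if not low.startswith(EXPECTED_PREFIXES):
            flags.append("unusual_location")
        if any(marker in low for marker in PROFILE_MARKERS):
            flags.append("user_profile_location")
    return tuple(flags)


def parse_log(text: str) -> List[Entry]:
    """Accept StartupList service lines and HijackThis O4 lines; ignore the rest."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m, source = STARTUPLIST_SERVICE.match(line), "service"
        if not m:
            m, source = HIJACKTHIS_O4.match(line), "O4"
        if not m:
            continue
        image = normalize_image_path(m.group("cmd"))
        entries.append(Entry(source, m.group("name"), image, flag_entry(m.group("name"), image)))
    return entries


def suspicious(text: str) -> List[Entry]:
    return [e for e in parse_log(text) if e.flags]


# Lines copied from the logs posted in this thread (a subset, not constructed).
SAMPLE_LOG = r"""
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
!!!!: \??\C:\WINDOWS\hide_evr2.sys (manual start)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [SIGN PING] C:\DOCUME~1\THAONG~1\APPLIC~1\SURFOW~1\Mapi Poke.exe
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.source:7} {e.name!r:16} {e.image}  <- {', '.join(e.flags)}")
```

Run it over a saved log with `suspicious(open("startuplist.txt").read())`. Expect false positives from vendor software with bare file names in Run keys (SoundMan above is one); the point is to shorten the list a human reads, not to replace the read.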



## kim-smells (Oct 4, 2006)

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:21 PM, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------



## Cookiegal (Aug 27, 2003)

Did you export the services key from the registry, as requested?


----------



## kim-smells (Oct 4, 2006)

Yes, I did.. sorry about that..

I had to make a few files because the one file is too big..


----------



## Cookiegal (Aug 27, 2003)

OK, that's good.

I'm attaching a FixKim2.zip file. Save it to your desktop. Unzip it and double-click the FixKim2.reg file and allow it to enter into the registry.


Reboot and post a new HijackThis startup log along with a new HijackThis scan log.


----------



## kim-smells (Oct 4, 2006)

Here's the HijackThis startup log:
StartupList report, 29/11/2006, 4:51:48 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
SMSERIAL = sm56hlpr.exe
WinampAgent = C:\Program Files\Winamp\winampa.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
BigPond Toolbar = "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
KAVPersonal50 = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}
(no name) - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab


----------



## kim-smells (Oct 4, 2006)

continued:


--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EIO: \??\C:\WINDOWS\system32\drivers\EIO.sys (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Speedstream Ethernet USB Adapter: system32\DRIVERS\enethusb.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Klif: System32\drivers\klif.sys (system)
Klmc: System32\drivers\klmc.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MpService: C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE (autostart)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Client Service for NetWare: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: system32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: system32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: system32\DRIVERS\nwlnkspx.sys (autostart)
NetWare Rdr: system32\DRIVERS\nwrdr.sys (manual start)
SAP Agent: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSide: System32\DRIVERS\siside.sys (system)
sisidex: system32\drivers\sisidex.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
Add Performance Filter Driver: system32\drivers\sisperf.sys (system)
SiSRaid: System32\DRIVERS\SiSRaid.sys (system)
smserial: System32\DRIVERS\smserial.sys (manual start)
Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B26F5E26-32F1-406A-8414-5EB61197E2DF} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,507 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## kim-smells (Oct 4, 2006)

Here's the HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 4:54:28 PM, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: ActivateBand Class - {4C7B6DE1-99A4-4CF1-8B44-68889900E1D0} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thao Nguyen\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kimoi27.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0668400-5EA4-4D46-9A3A-7C7300CD8829}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE


----------
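
The log above is in the HijackThis 1.99 format: one entry per line, an `Rn`/`On` section code, then the entry body. The script below is an added example for this thread (it is not HijackThis code and not the helper's procedure); it parses those lines and lists the entries a remover looks at first: hooks whose target file is missing, O16 ActiveX downloads from hosts outside an allowlist you supply, O17 DNS domain entries to compare with the ISP, O23 services whose binary carries no company name, and proxy settings. `SAMPLE_LOG` is a constructed subset of the posted log; the allowlist, the function names and the finding tags are this example's own.

```python
"""Triage of a HijackThis 1.99 log.

Added example for this thread (not HijackThis code and not the helper's
procedure).  SAMPLE_LOG is a constructed subset of the log posted above.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8857D-0DD6-4AB2-8D6B-8842AA293C77}: Domain = nsw.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# "O16 - body", "R1 - body", ...; header lines such as "Logfile of ..." do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(log_text):
    """Return [(kind, body), ...] for every section-coded line of the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage_hjt(log_text, trusted_dpf_hosts=()):
    """Flag entries worth a second look.  Each finding is (kind, tag, detail)."""
    findings = []
    for kind, body in parse_hjt(log_text):
        if "(file missing)" in body:
            # A hook whose target is gone is harmless now, but it is a leftover
            # (here: the BitDefender scanner and an MSN Messenger protocol handler)
            # and should be fixed so the log only shows things that really run.
            findings.append((kind, "orphan", body.rsplit(" - ", 1)[-1]))
        if kind == "O16":
            # O16 = ActiveX controls IE downloaded (DPF).  The .cab is code the
            # browser executed; anything from a host you do not recognise goes.
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host and host not in trusted_dpf_hosts:
                findings.append((kind, "untrusted-dpf", host))
        elif kind == "O17":
            # DNS suffix / server entries.  Compare with the ISP; a domain or
            # server you never configured is a DNS hijack.
            findings.append((kind, "check-dns", body.split("Domain = ", 1)[-1]))
        elif kind == "O23" and "Unknown owner" in body:
            # "Unknown owner" only means the binary has no company string in its
            # version resource: a weak signal.  Verify the file, do not delete blindly.
            name = body[len("Service: "):].split(" - ", 1)[0]
            findings.append((kind, "unverified-service", name))
        elif kind in ("R0", "R1") and "Proxy" in body:
            # Proxy settings: a proxy at an unknown host can intercept traffic.
            # ProxyOverride = localhost, as in this log, is benign.
            findings.append((kind, "proxy", body.split(",", 1)[-1]))
    return findings


if __name__ == "__main__":
    trusted = {"messenger.zone.msn.com", "cdn2.zone.msn.com", "zone.msn.com"}
    for finding in triage_hjt(SAMPLE_LOG, trusted_dpf_hosts=trusted):
        print("%-4s %-19s %s" % finding)
```

The allowlist is deliberately a parameter: which DPF hosts are acceptable is a judgement the helper makes per machine, and the script only makes the candidates visible.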



## Cookiegal (Aug 27, 2003)

Bravo! We finally got rid of that service and your HijackThis log is clean. :up: 

How are things running now?


----------



## kim-smells (Oct 4, 2006)

I guess everything's perfect now!! :up:  

I can't express how much I want to thank you!!  


Thank you sooooooooooooooooooooooooooooooooo much for everything, and I promise I'll try my best to keep out of trouble... 


Also, now do I uninstall msnplus & reinstall it but NOT accept the sponsor files? 



THANK YOU SOOOOO MUCH!!


----------



## kim-smells (Oct 4, 2006)

Also... before, my Winamp and Mozilla stopped working..... should I reinstall them? And with my Windows Explorer... whenever I open it, it says that "MSN Search Toolbar Updater has encountered a problem and needs to close." etc., etc. Is there any way to fix it?


Thanks


----------



## Cookiegal (Aug 27, 2003)

kim-smells said:


> Also, now do I uninstall msnplus & reinstall it but NOT accept the sponsor files?


There should be an option that you either have to check or uncheck that you should see during installation.

I would uninstall and reinstall those applications that are not working.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------
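
The temp-folder step in the post above is easy to get wrong when scripted: a symlink or NTFS junction planted in a temp folder turns "delete the contents of Temp" into "delete whatever it points at", and `os.walk(followlinks=False)` stops at symlinks but, depending on the Python version, not at junctions. The script below is an added example, not part of the helper's instructions: `flush_temp` removes the contents of a folder without ever following a link, skips files that a running process still holds open (the reason the post says to do this in safe mode) instead of aborting, and reports both counts. `demo()` builds a constructed fixture with a planted link to show that the link's target survives. The System Restore and Internet Options steps stay as described in the post and are not covered here; the function names are this example's own.

```python
"""Safe temp-folder flush for the clean-up step above.

Added example, not part of the thread.  It removes the contents of a folder
without following symlinks or NTFS junctions, and skips files a running
process still holds open instead of aborting.
"""
import os
import stat
import tempfile


def _is_link(path):
    """True for a symlink on any OS, and for an NTFS junction on Windows."""
    if os.path.islink(path):
        return True
    try:
        st = os.lstat(path)
    except OSError:
        return False
    # Junctions are reparse points that islink() does not report on older Pythons;
    # st_file_attributes only exists on Windows, hence the getattr default.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def flush_temp(root):
    """Delete everything under root (root itself stays).  Returns (deleted, skipped)."""
    deleted = skipped = 0
    with os.scandir(root) as it:
        entries = list(it)
    for entry in entries:
        path = entry.path
        try:
            if _is_link(path):
                # Remove the link itself; the target is never touched.  On Windows
                # os.unlink also removes directory symlinks and junctions this way.
                os.unlink(path)
            elif entry.is_dir(follow_symlinks=False):
                d, s = flush_temp(path)
                deleted += d
                skipped += s
                if s:
                    skipped += 1  # something inside is still locked; keep the directory
                    continue
                os.rmdir(path)
            else:
                os.unlink(path)
            deleted += 1
        except OSError:
            # PermissionError for a file a process still has open (why the post says
            # to do this in safe mode), or a file this account may not delete.
            skipped += 1
    return deleted, skipped


def demo():
    """Constructed fixture: a Temp tree with a planted link to a folder outside it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    os.mkdir(outside)
    keep = os.path.join(outside, "keep.txt")
    open(keep, "w").close()
    temp = os.path.join(base, "Temp")
    os.makedirs(os.path.join(temp, "sub"))
    open(os.path.join(temp, "a.tmp"), "w").close()
    open(os.path.join(temp, "sub", "b.tmp"), "w").close()
    # The planted link: a naive "delete everything under Temp" would follow it.
    os.symlink(outside, os.path.join(temp, "planted"), target_is_directory=True)
    deleted, skipped = flush_temp(temp)
    return {"deleted": deleted, "skipped": skipped,
            "target_survived": os.path.exists(keep),
            "temp_empty": os.listdir(temp) == []}


if __name__ == "__main__":
    print(demo())  # {'deleted': 4, 'skipped': 0, 'target_survived': True, 'temp_empty': True}
```

Run it against a real `%TEMP%` only from an elevated prompt and only after closing the applications the post mentions; anything still open is reported in `skipped` rather than silently left behind.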



## kim-smells (Oct 4, 2006)

For these instructions: "Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK."

I found "Temporary Internet Files" this way: Internet Properties - under the Browsing History heading - click Delete.... - under the heading "Temporary Internet Files" click Delete Files.... then OK

I did not find "Delete Offline Content"

I also went to the Programs tab and could not find the "Reset Web Settings" button


----------



## Cookiegal (Aug 27, 2003)

What browser are you using?


----------



## kim-smells (Oct 4, 2006)

I use both Mozilla and Windows, but usually I would use Mozilla


----------



## Cookiegal (Aug 27, 2003)

Those things I mention pertain to IE6.


----------



## kim-smells (Oct 4, 2006)

Okay.. so everything's all good now?


----------



## kim-smells (Oct 4, 2006)

I forgot.. but there's another problem...


When I go into Windows Explorer, it would occasionally freeze at different places.. I was just wondering if there was something to make it stop.. thanks


----------



## Cookiegal (Aug 27, 2003)

How long does it freeze for?

Are you able to continue after or does it shutdown IE?

Does it happen on certain sites?


----------



## kim-smells (Oct 4, 2006)

This is when I go into My Documents, D drive and all that.... not Internet Explorer...

Sorry


----------



## Cookiegal (Aug 27, 2003)

When did this start happening?


----------



## kim-smells (Oct 4, 2006)

I'm not sure about the exact date... and I didn't think much of it back then.. but it started around when I had the many viruses.... the second time round...


----------



## Cookiegal (Aug 27, 2003)

What are you doing when it freezes, i.e. typing a document in Word or just when opening up Word?


----------



## kim-smells (Oct 4, 2006)

I'm usually chatting on MSN and using Mozilla....


----------



## Cookiegal (Aug 27, 2003)

What version of MSN Messenger are you using?


----------



## kim-smells (Oct 4, 2006)

I'm currently using MSN Messenger 7.5


----------



## Cookiegal (Aug 27, 2003)

Perhaps try uninstalling MSN Messenger and reinstalling it.


----------



## kim-smells (Oct 4, 2006)

Um.. now there's not much of a problem anymore.. it hasn't been freezing lately... I'll let you know if it occurs again


----------



## Cookiegal (Aug 27, 2003)

Alright then. Good luck!


----------



## kim-smells (Oct 4, 2006)

Thanks heaps!!! 

Thank you so much for everything! Fixing my comp and all!!!!!! 

Much appreciated!!




Ohh! And happy birthday for today!



Do I check problem solved?


----------



## Cookiegal (Aug 27, 2003)

You're welcome.  


Yes, please mark it solved.


----------



## Ennyaa (Apr 3, 2007)

*I wasn't a member of this forum prior to today but I joined just so I could say THANK YOU!!!

I was afflicted with that same lzx.sys problem (though not as badly as the lady in the thread) and when I found this thread on Google I read through it carefully and I was able to fix it! Unfortunately not before $1200 was stolen from my checking account, but at least now I'm protecting my system properly with a firewall and Spyware Blaster. So again... THANK YOU THANK YOU THANK YOU!!!*


----------



## Cookiegal (Aug 27, 2003)

Thanks for the kind words Ennyaa. We're always glad to help, even if indirectly. :up:


----------

