Help with spyware trojan removals



fowler1416
2006-08-10, 03:42
I have done everything I know how to do. I disabled System Restore, rebooted in Safe Mode, ran Norton AntiVirus, ran Spybot, ran Ad-Aware, and I am still having the problems. Help???


HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 8:36:42 PM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.179.237.253:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfvve.exe
F2 - REG:system.ini: UserInit=userinit.exe,madaogu.exe
O3 - Toolbar: IE Booster Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\IE Booster 2\iebbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [defender] c:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_8.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [win3208127601205] C:\WINDOWS\win3208127601205.exe
O4 - HKLM\..\Run: [pizcuyaA] C:\WINDOWS\pizcuyaA.exe
O4 - HKLM\..\Run: [vzz1b7e3] RUNDLL32.EXE w0404f70.dll,n 0021b7e1000000030404f70
O4 - HKLM\..\Run: [w040d588.dll] RUNDLL32.EXE w040d588.dll,I2 0021b7e10040d588
O4 - HKLM\..\Run: [{39-9C-C1-13-ZN}] c:\windows\system32\dwdsregt.exe CORN003
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [rfkw] C:\PROGRA~1\COMMON~1\rfkw\rfkwm.exe
O4 - HKCU\..\Run: [Riam] "C:\DOCUME~1\Matt\APPLIC~1\PPPATC~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [Tfjveuzr] C:\Program Files\Common Files\?ystem\r?gsvr32.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\twinkpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\ojdsregq.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/259747b8fc6b3a895f05/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121490531031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: arpa.dll C:\WINDOWS\system32\taskmgr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
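As an added example (not part of this thread, of HijackThis, or of any tool named here): a small triage script that reads log lines like the ones above and flags the entry classes a helper looks at first, the F2 Shell/UserInit overrides, the proxy setting, autoruns launched from the drive root or %WINDIR% itself, a rundll32 that loads a DLL by bare name, the text/html filter and the AppInit_DLLs entry. The rules are my own heuristics, not HijackThis logic; SAMPLE_LOG is a constructed subset of the first log in the thread.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example written for this thread. It is not part of the post, of
HijackThis, or of any tool named in the thread. Each line has the shape
"<section> - <detail>"; the checks below are my own heuristics (an
assumption, not HijackThis logic) for the entry classes a helper reads
first. SAMPLE_LOG is a constructed subset of the thread's first log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.179.237.253:8080",
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfvve.exe",
    r"F2 - REG:system.ini: UserInit=userinit.exe,madaogu.exe",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
    r"O4 - HKLM\..\Run: [defender] c:\\dfndrff_8.exe",
    r"O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe",
    r"O4 - HKLM\..\Run: [vzz1b7e3] RUNDLL32.EXE w0404f70.dll,n 0021b7e1000000030404f70",
    r"O4 - HKCU\..\Run: [Tfjveuzr] C:\Program Files\Common Files\?ystem\r?gsvr32.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll",
    r"O20 - AppInit_DLLs: arpa.dll C:\WINDOWS\system32\taskmgr.dll",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe",
]

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<command>.*)$")
# An .exe directly in the drive root or in %WINDIR% itself (not a subfolder).
# Installed software almost never autostarts from there; the thread's log has several.
ODD_DIR_RE = re.compile(r'^"?[a-z]:\\{1,2}(?:windows\\)?[^\\\s"]+\.exe\b', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O4 - HKLM\\..\\Run: ...' into ('O4', 'HKLM\\..\\Run: ...')."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("detail")) if m else None


def check_f2(detail: str) -> Optional[str]:
    """system.ini overrides: only Explorer.exe and userinit.exe belong here."""
    if detail.startswith("REG:system.ini: Shell="):
        value = detail.split("=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return "Shell= launches something besides Explorer.exe at logon"
    if detail.startswith("REG:system.ini: UserInit="):
        value = detail.split("=", 1)[1]
        names = [p.strip().split("\\")[-1].lower() for p in value.split(",") if p.strip()]
        extra = [n for n in names if n != "userinit.exe"]
        if extra:
            return "UserInit= runs extra program(s) at logon: " + ", ".join(extra)
    return None


def check_o4(detail: str) -> Optional[str]:
    """Autorun entries: where the command lives matters more than its name."""
    m = RUN_RE.match(detail)
    command = m.group("command") if m else detail.split(" = ", 1)[-1]
    if "?" in command:
        return "path contains '?', a character HijackThis could not print; likely imitating a system path"
    if command.upper().startswith("RUNDLL32"):
        arg = command.split(None, 1)[1] if " " in command else ""
        if "\\" not in arg.split(",", 1)[0]:
            return "rundll32 loads a DLL by bare name via the search path"
    if ODD_DIR_RE.match(command):
        return "executable autostarts directly from the drive root or %WINDIR%"
    return None


def check_line(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one log line."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, detail = parsed
    reason: Optional[str] = None
    if section == "R1" and ",ProxyServer =" in detail:
        proxy = detail.split("=", 1)[1].strip()
        if proxy:
            reason = f"IE traffic is routed through proxy {proxy}; confirm the user set this"
    elif section == "F2":
        reason = check_f2(detail)
    elif section == "O4":
        reason = check_o4(detail)
    elif section == "O18" and detail.startswith("Filter: text/html"):
        reason = "a text/html MIME filter lets the named DLL rewrite every page IE renders"
    elif section == "O20" and detail.startswith("AppInit_DLLs:"):
        dlls = detail.split(":", 1)[1].strip()
        if dlls:
            reason = f"AppInit_DLLs loads {dlls} into every process that uses user32.dll"
    return Finding(section, reason, line) if reason else None


def triage(lines) -> List[Finding]:
    """Return the findings for a whole log, in log order."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample it reports nine findings and leaves the Symantec tray icon, ctfmon and the DefWatch service alone; the point is that the interesting entries are identified by their class and location, not by name matching, so renamed droppers such as the numbered ones in the second log still surface.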

tashi
2006-08-14, 07:46
If you are still in need of assistance we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

LonnyRJones
2006-08-16, 02:37
Welcome to the forum

Since it's been a few days, post a new HijackThis log and an uninstall list please.

Create a HijackThis uninstall list
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread

fowler1416
2006-08-16, 04:51
thanks for the welcome, and the help...

here is the new HijackThis log...


Logfile of HijackThis v1.99.1
Scan saved at 9:50:07 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\dfndrfh_10.exe
C:\kybrdfh_10.exe
C:\WINDOWS\ms06051276012.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\sys03012051276.exe
C:\WINDOWS\sys09276012051.exe
C:\Program Files\Common Files\{10739C13-0296-1033-0810-000111270001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\rfkw\rfkwm.exe
C:\DOCUME~1\Matt\APPLIC~1\PPPATC~1\wuauclt.exe
C:\Program Files\Common Files\?ystem\r?gsvr32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\COMMON~1\rfkw\rfkwa.exe
c:\windows\system32\opdsregq.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\twinqpex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.179.237.253:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfvve.exe
F2 - REG:system.ini: UserInit=userinit.exe,madaogu.exe
O3 - Toolbar: IE Booster Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\IE Booster 2\iebbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrfh_10.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [pizcuyaA] C:\WINDOWS\pizcuyaA.exe
O4 - HKLM\..\Run: [vzz1b7e3] RUNDLL32.EXE w0404f70.dll,n 0021b7e1000000030404f70
O4 - HKLM\..\Run: [w040d588.dll] RUNDLL32.EXE w040d588.dll,I2 0021b7e10040d588
O4 - HKLM\..\Run: [{39-9C-C1-13-ZN}] c:\windows\system32\opdsregq.exe CORN003
O4 - HKLM\..\Run: [ms06051276012] C:\WINDOWS\ms06051276012.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinqpex.exe CORN003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [sys03012051276] C:\WINDOWS\sys03012051276.exe
O4 - HKLM\..\Run: [sys09276012051] C:\WINDOWS\sys09276012051.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [rfkw] C:\PROGRA~1\COMMON~1\rfkw\rfkwm.exe
O4 - HKCU\..\Run: [Riam] "C:\DOCUME~1\Matt\APPLIC~1\PPPATC~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [Tfjveuzr] C:\Program Files\Common Files\?ystem\r?gsvr32.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinqpex.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/259747b8fc6b3a895f05/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121490531031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: arpa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

fowler1416
2006-08-16, 04:53
and here is the uninstall list.



Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Reader 7.0.5
America Online (Choose which version to remove)
AOL Connectivity Services
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bandwidth Monitor
BJC-4300 Series
Bodog Poker Version 2.3.1.5
BSPlayer
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
DAEMON Tools
Diskeeper Professional Edition
DivX
DivX Converter
DivX Player
DivX Web Player
Dr. DivX Trial
Driver Cleaner 3
Elecard MPEG2 Decoder Package 2.0
EMCO MoveOnBoot
Enhanced Ads by Think-Adz removal
FreeRIP v2.60
Gaim (remove only)
Google Toolbar for Internet Explorer
GTK+ Runtime 2.6.9 rev a (remove only)
Haali Media Splitter
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
IE Booster 2 - Web Browser Extensions for IE
Image Resizer
InterVideo WinDVD
Ipswitch WS_FTP Pro
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_04
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Java 2 SDK Standard Edition v1.3.1_04
K-Lite Mega Codec Pack 1.03
Learn2 Player (Uninstall Only)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia FreeHand 10
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Bootvis
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
MoviePlace
Mozilla Firefox (0.8.)
Mozilla Firefox (1.5.0.6)
MSN Music Assistant
Nero - Burning Rom (Web installer)
Nimo Codecs Pack v5.0 (Remove Only)
Norton AntiVirus Corporate Edition
NuonSoft Wallpaper Cycler 2.0.2
Panda ActiveScan
PartyPoker
PenCam SD Manager
PhatNoise CAS Speech Support
PhatNoise Media Manager
Pure Networks Port Magic
QuickTime
RealPlayer
Red Eye Remover 1.5
RegSupreme Pro 1.0
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Server Viewer Plugin 1.0
Shockwave
Spybot - Search & Destroy 1.4
Think-Adz Search Assistant removal
Trillian
ubi.com
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.4a
WIDCOMM Bluetooth Software
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! Messenger
Zuma Deluxe 1.0

LonnyRJones
2006-08-16, 06:02
What are these programs?
Think-Adz Search Assistant removal
ubi.com


Post a ComboFix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

fowler1416
2006-08-16, 20:08
I have no idea what Think-Adz is. I removed all the spyware in the Add/Remove list when I tried to clean this up originally, but I guess it got thrown back in there. Ubi.com, I believe, is the software used to play Ghost Recon online.

Here is the log from ComboFix...


Start Time= Wed 08/16/2006 12:56:39.56
Running from: C:\Documents and Settings\Matt\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{6BED3A18-A917-4444-8104-92D4BD54C9C0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6BED3A18-A917-4444-8104-92D4BD54C9C0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6BED3A18-A917-4444-8104-92D4BD54C9C0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6BED3A18-A917-4444-8104-92D4BD54C9C0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\jrl0253mg.dll
C:\WINDOWS\SYSTEM32\s8puli7918.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

12:59:27.06

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\lufrea.exe
C:\WINDOWS\system32\bfvve.exe
C:\WINDOWS\system32\madaogu.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-12 14:22:08 520,192 "C:\WINDOWS\system32\DivXsm.exe"
2006-07-26 21:36:08 127,488 "C:\WINDOWS\system32\lufrea.exe"
2006-07-26 21:36:08 28,672 "C:\WINDOWS\system32\bfvve.exe"
2006-07-27 00:07:20 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-05-24 17:46:44 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-05-24 17:46:44 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-05-24 17:46:44 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-07-27 00:07:36 159,744 "C:\WINDOWS\system32\redist.dll"
2006-07-26 21:36:08 23,552 "C:\WINDOWS\system32\madaogu.exe"
2006-08-16 12:55:02 2 "C:\WINDOWS\system32\wtssvtr.exe"
2006-05-24 17:43:44 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-07-26 21:57:44 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-07-26 21:36:08 51,712 "C:\WINDOWS\system32\rceruif.dll"
2006-05-24 17:43:44 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-05-24 17:43:40 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-07-26 21:36:36 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-24 17:46:44 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-05-24 17:46:44 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-05-24 17:46:44 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-06-29 04:24:10 83,456 "C:\WINDOWS\system32\nsz4A.dll"
2006-08-15 13:04:08 127,488 "C:\WINDOWS\system32\qstup.dat"
2006-08-16 12:54:34 386 "C:\WINDOWS\jqlyu.dll"
2006-07-30 19:35:02 53 "C:\WINDOWS\bqocvb.dat"
2006-07-26 21:36:08 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddqsk.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


08/15/2006 01:04 PM 127,488 qstup.dat.vir
07/26/2006 09:36 PM 127,488 lufrea.exe.vir
07/26/2006 09:36 PM 127,488 ddqsk.exe.vir
07/26/2006 09:36 PM 51,712 rceruif.dll.vir
07/26/2006 09:36 PM 28,672 bfvve.exe.vir
07/26/2006 09:36 PM 23,552 madaogu.exe.vir
07/30/2006 07:35 PM 53 bqocvb.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-16 12:55:02 2 "C:\WINDOWS\system32\wtssvtr.exe"
2006-06-12 14:22:08 520,192 "C:\WINDOWS\system32\DivXsm.exe"
2006-07-27 00:07:20 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-05-24 17:43:44 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-07-26 21:57:44 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-05-24 17:43:44 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-05-24 17:43:40 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-07-26 21:36:36 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-24 17:46:44 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-05-24 17:46:44 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-05-24 17:46:44 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-07-27 00:07:36 159,744 "C:\WINDOWS\system32\redist.dll"
2006-05-24 17:46:44 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-05-24 17:46:44 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-05-24 17:46:44 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-06-29 04:24:10 83,456 "C:\WINDOWS\system32\nsz4A.dll"
2006-08-16 12:54:34 386 "C:\WINDOWS\jqlyu.dll"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndref_7.exe
C:\dfndrff_7.exe
C:\dfndrff_8.exe
C:\dfndrfg_7.exe
C:\dfndrfh_10.exe
C:\kybrdef_7.exe
C:\kybrdff_7.exe
C:\kybrdff_8.exe
C:\kybrdfg_7.exe
C:\kybrdfh_10.exe
C:\Documents and Settings\Matt\Local Settings\Temp\drsmartload180a.exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\O96F0D6J\kybrdff_7[1].exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\O96F0D6J\kybrdfh_10[1].exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\T88VTXSX\dfndrfh_10[1].exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\T88VTXSX\kybrdff_8[1].exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\UXB4TC7Q\dfndrff_7[1].exe
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ZNHFJXOW\dfndrff_8[1].exe
C:\WINDOWS\keyboard1.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-16 12:55:02 2 ( A.... ) "C:\WINDOWS\system32\wtssvtr.exe"
2006-08-16 12:54:34 386 ( A.... ) "C:\WINDOWS\jqlyu.dll"
2006-08-15 21:44:48 45105 ( A.... ) "C:\WINDOWS\system32\opdsregq.exe"
2006-08-15 13:08:50 155648 ( A.... ) "C:\WINDOWS\sys09276012051.exe"
2006-08-15 13:06:22 155648 ( A.... ) "C:\WINDOWS\sys03012051276.exe"
2006-08-15 13:05:54 106496 ( A.... ) "C:\WINDOWS\Duce6.exe"
2006-08-15 13:05:02 925 ( A.... ) "C:\WINDOWS\system32\winpfg32.sys"
2006-08-15 13:05:02 925 ( A.... ) "C:\WINDOWS\system32\winpfg32.sys"
2006-08-15 13:04:48 155648 ( A.... ) "C:\WINDOWS\ms06051276012.exe"
2006-08-15 13:04:36 168025 ( A.... ) "C:\WINDOWS\system32\twinqpex.exe"
2006-08-15 00:55:40 45087 ( A.... ) "C:\WINDOWS\system32\dwdsregt.exe"
2006-07-30 19:37:32 ( .D... ) "C:\Program Files\Common Files\?ystem"
2006-07-30 00:01:14 579525 ( A.... ) "C:\626_101newer.exe"
2006-07-29 23:39:06 ( .D... ) "C:\Documents and Settings\Matt\Application Data\?ppPatch"
2006-07-29 22:49:14 45079 ( A.... ) "C:\WINDOWS\system32\ojdsregq.exe"
2006-07-28 18:23:42 159866 ( A.... ) "C:\WINDOWS\system32\twinkpez.exe"
2006-07-27 00:11:48 1064 ( A.... ) "C:\WINDOWS\system32\vzz1b7e3.sys"
2006-07-27 00:11:48 1064 ( A.... ) "C:\WINDOWS\system32\vzz1b7e3.sys"
2006-07-27 00:08:04 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-07-27 00:07:54 45068 ( A.... ) "C:\WINDOWS\system32\ZICORN003.exe"
2006-07-27 00:07:36 159744 ( A.... ) "C:\WINDOWS\system32\redist.dll"
2006-07-27 00:07:32 126464 ( A.... ) "C:\WINDOWS\system32\redistributor.exe"
2006-07-27 00:07:26 ( .D... ) "C:\Program Files\Batty"
2006-07-27 00:07:20 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-07-27 00:07:08 ( .D... ) "C:\Program Files\System Icons"
2006-07-27 00:07:08 ( .D... ) "C:\Program Files\System Files"
2006-07-27 00:06:36 27648 ( A.... ) "C:\dist13.exe"
2006-07-27 00:05:58 ( .D... ) "C:\Program Files\Common Files\rfkw"
2006-07-27 00:02:12 33085 ( A.... ) "C:\WINDOWS\system32\adrot-uninst.exe"
2006-07-26 21:57:44 24576 ( A.... ) "C:\WINDOWS\system32\msxml3a.dll"
2006-07-26 21:55:28 0 ( A.... ) "C:\Documents and Settings\Matt\Application Data\internaldb41.dat"
2006-07-26 21:50:44 ( .D... ) "C:\Documents and Settings\Matt\Application Data\??mantec"
2006-07-26 21:36:52 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-07-26 21:36:44 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-07-26 21:36:36 380928 ( A.... ) "C:\WINDOWS\system32\WinNB58.dll"
2006-07-26 21:36:18 28672 ( A.... ) "C:\WINDOWS\system32\iqqr.exe"
2006-07-26 21:36:08 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-26 21:36:08 0 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
2006-07-26 21:35:58 57344 ( A.... ) "C:\fym9bvo.exe"
2006-07-26 21:35:58 ( .D... ) "C:\Program Files\Common Files\{10739C13-0296-1033-0810-000111270001}"
2006-07-21 18:55:38 127578 ( A.... ) "C:\WINDOWS\system32\tsuninst.exe"
2006-07-14 01:11:52 58880 ( A.... ) "C:\WINDOWS\system32\adrotate.dll"
2006-06-29 09:07:36 61440 ( A.... ) "C:\WINDOWS\system32\BattyRun.dll"
2006-06-29 04:24:10 83456 ( A.... ) "C:\WINDOWS\system32\nsz4A.dll"
2006-06-21 17:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 17:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-15 16:55:04 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-06-15 16:55:04 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-06-15 16:55:04 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-06-15 16:55:04 620180 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-06-14 12:49:08 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-12 14:22:08 520192 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-07 12:55:52 3626 ( A.... ) "C:\Program Files\Common Files\nilo.html"
2006-05-24 17:47:12 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-05-24 17:46:52 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-05-24 17:46:44 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-05-24 17:46:44 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-05-24 17:46:44 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-05-24 17:46:44 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-05-24 17:46:44 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-05-24 17:46:44 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-05-24 17:46:44 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-05-24 17:43:44 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-05-24 17:43:44 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-05-24 17:43:40 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-15 21:44 45,105 C:\WINDOWS\system32\opdsregq.exe
2006-08-15 13:08 155,648 C:\WINDOWS\sys09276012051.exe
2006-08-15 13:05 106,496 C:\WINDOWS\Duce6.exe
2006-08-15 13:04 925 C:\WINDOWS\system32\winpfg32.sys
2006-08-15 13:04 168,025 C:\WINDOWS\system32\twinqpex.exe
2006-08-15 13:04 155,648 C:\WINDOWS\sys03012051276.exe
2006-08-15 13:04 155,648 C:\WINDOWS\ms06051276012.exe
2006-08-15 00:55 45,087 C:\WINDOWS\system32\dwdsregt.exe
2006-08-09 20:47 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-09 20:47 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-30 00:00 579,525 C:\626_101newer.exe
2006-07-29 22:49 45,079 C:\WINDOWS\system32\ojdsregq.exe
2006-07-28 18:23 159,866 C:\WINDOWS\system32\twinkpez.exe
2006-07-27 00:08 38,412 C:\WINDOWS\ssqbn.exe
2006-07-27 00:07 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-27 00:07 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-27 00:07 159,744 C:\WINDOWS\system32\redist.dll
2006-07-27 00:07 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-27 00:07 1,064 C:\WINDOWS\system32\vzz1b7e3.sys
2006-07-27 00:06 27,648 C:\dist13.exe
2006-07-27 00:05 127,578 C:\WINDOWS\system32\tsuninst.exe
2006-07-26 23:52 33,085 C:\WINDOWS\system32\adrot-uninst.exe
2006-07-26 21:50 2 C:\WINDOWS\system32\wtssvtr.exe
2006-07-26 21:36 386 C:\WINDOWS\jqlyu.dll
2006-07-26 21:36 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-07-26 21:36 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-26 21:36 32,768 C:\WINDOWS\unstall.exe
2006-07-26 21:36 28,672 C:\WINDOWS\system32\iqqr.exe
2006-07-26 21:36 232,749 C:\WINDOWS\pf78.exe
2006-07-26 21:36 0 C:\WINDOWS\system32ghynf.exe
2006-07-26 21:35 57,344 C:\fym9bvo.exe
2006-07-14 01:11 58,880 C:\WINDOWS\system32\adrotate.dll

fowler1416
2006-08-16, 20:08
had to split it up... here is the rest.....



(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"PNAgent"="\"C:\\Program Files\\PhatNoise Media Manager\\PNAgent.exe\""
"webHancer Survey Companion"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"pizcuyaA"="C:\\WINDOWS\\pizcuyaA.exe"
"vzz1b7e3"="RUNDLL32.EXE w0404f70.dll,n 0021b7e1000000030404f70"
"w040d588.dll"="RUNDLL32.EXE w040d588.dll,I2 0021b7e10040d588"
"{39-9C-C1-13-ZN}"="c:\\windows\\system32\\opdsregq.exe CORN003"
"ms06051276012"="C:\\WINDOWS\\ms06051276012.exe"
"ExploreUpdSched"="C:\\WINDOWS\\system32\\twinqpex.exe CORN003"
"TheMonitor"="C:\\WINDOWS\\Duce6.exe"
"sys03012051276"="C:\\WINDOWS\\sys03012051276.exe"
"sys09276012051"="C:\\WINDOWS\\sys09276012051.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"irssyncd"="C:\\WINDOWS\\system32\\irssyncd.exe"
"rfkw"="C:\\PROGRA~1\\COMMON~1\\rfkw\\rfkwm.exe"
"Riam"="\"C:\\DOCUME~1\\Matt\\APPLIC~1\\PPPATC~1\\wuauclt.exe\" -vt yazr"
"Tfjveuzr"="C:\\Program Files\\Common Files\\?ystem\\r?gsvr32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{10739C13-0296-1033-0810-000111270001}"="\"C:\\Program Files\\Common Files\\{10739C13-0296-1033-0810-000111270001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000000
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\qunykyxu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\nilo.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0A\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Bluetooth.lnk"
"backup"="C:\\WINDOWS\\pss\\Bluetooth.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WIDCOMM\\BLUETO~1\\BTTray.exe "
"item"="Bluetooth"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NuonSoft Wallpaper Cycler StartupHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartupHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\NuonSoft\\WallpaperCycler\\StartupHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\K-Lite Codec Pack\\real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=dword:00000002
"Diskeeper"=dword:00000002
"srvBWMNT"=dword:00000002
"iPodService"=dword:00000003
"ERSvc"=dword:00000003
"cisvc"=dword:00000003
"btwdins"=dword:00000002




Contents of the 'Scheduled Tasks' folder

Completion time: Wed 08/16/2006 13:03:21.06
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

LonnyRJones
2006-08-17, 01:38
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Start Hijackthis and place a check next to these items if there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfvve.exe
F2 - REG:system.ini: UserInit=userinit.exe,madaogu.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrfh_10.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [pizcuyaA] C:\WINDOWS\pizcuyaA.exe
O4 - HKLM\..\Run: [vzz1b7e3] RUNDLL32.EXE w0404f70.dll,n 0021b7e1000000030404f70
O4 - HKLM\..\Run: [w040d588.dll] RUNDLL32.EXE w040d588.dll,I2 0021b7e10040d588
O4 - HKLM\..\Run: [{39-9C-C1-13-ZN}] c:\windows\system32\opdsregq.exe CORN003
O4 - HKLM\..\Run: [ms06051276012] C:\WINDOWS\ms06051276012.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinqpex.exe CORN003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [sys03012051276] C:\WINDOWS\sys03012051276.exe
O4 - HKLM\..\Run: [sys09276012051] C:\WINDOWS\sys09276012051.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [rfkw] C:\PROGRA~1\COMMON~1\rfkw\rfkwm.exe
O4 - HKCU\..\Run: [Riam] "C:\DOCUME~1\Matt\APPLIC~1\PPPATC~1\wuauclt.exe" -vt yazr
O4 - HKCU\..\Run: [Tfjveuzr] C:\Program Files\Common Files\?ystem\r?gsvr32.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinqpex.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: arpa.dll
====================================
Hit fix checked and close Hijackthis. (not to worry about a hijackthis error)
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Set Windows to show hidden extensions, files and folders.
click for> instructions. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Delete these folders >

C:\Documents and Settings\Matt\Application Data\AppPatch
C:\Program Files\Common Files\{10739C13-0296-1033-0810-000111270001}
C:\Program Files\Common Files\rfkw
C:\Program Files\Batty
C:\Program Files\System Icons
C:\Program Files\System Files
C:\Program Files\webHancer

Delete these files at these locations
C:\Program Files\Common Files\nilo.html
C:\Program Files\MSN Gaming Zone\qunykyxu.html

C:\626_101newer.exe
C:\dist13.exe
C:\fym9bvo.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\sys03012051276.exe
C:\WINDOWS\ms06051276012.exe
C:\WINDOWS\sys09276012051.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\jqlyu.dll
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\system32\iqqr.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32ghynf.exe

C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\ZICORN003.exe
C:\WINDOWS\system32\redist.dll
C:\WINDOWS\system32\redistributor.exe
C:\WINDOWS\system32\vzz1b7e3.sys
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\wtssvtr.exe
C:\WINDOWS\system32\ojdsregq.exe
C:\WINDOWS\system32\twinkpez.exe
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\asuninst.exe
C:\WINDOWS\system32\ZPORT4AS.dll
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\opdsregq.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\twinqpex.exe
---------
delete the system folder but only the one that has the regsvr32.exe file in it
C:\Program Files\Common Files\system\r?gsvr32.exe
there should be two system folders at that location, if in doubt leave it.
---------
C:\Documents and Settings\Matt\Application Data\SYmantec < what are the contents ?
Run Hijackthis click config misc tools uninstall manager
select
Think-Adz Search Assistant removal
over to the right what is the uninstall command ?

Post a new hijackthis log
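
A small triage script for the kind of HijackThis log this thread works from, added here as an example; it is not part of the thread and is not HijackThis or ComboFix code. It parses the `Rx` / `F2` / `Oxx` lines and flags the same persistence points LonnyRJones singles out above: system.ini Shell= and UserInit= entries that name more than the Windows default, a ProxyServer setting, Run entries that start a program from the drive root or from a user-profile data folder, a text/html MIME filter, and AppInit_DLLs. The sample lines are constructed from entries quoted in the thread; the "suspicious location" rules are heuristics of my own, not something HijackThis itself applies.

```python
"""Triage a HijackThis 1.99-style log for the persistence points fixed by hand in this thread.
Added example (not HijackThis/ComboFix code). Location rules are heuristics, not HJT logic."""
import ntpath
import re

# Constructed sample lines in the format HijackThis 1.99.1 prints (based on entries quoted above).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.179.237.253:8080",
    r"R3 - Default URLSearchHook is missing",
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfvve.exe",
    r"F2 - REG:system.ini: UserInit=userinit.exe,madaogu.exe",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
    r"O4 - HKLM\..\Run: [defender] c:\\dfndrff_8.exe",
    r'O4 - HKCU\..\Run: [Riam] "C:\DOCUME~1\Matt\APPLIC~1\PPPATC~1\wuauclt.exe" -vt yazr',
    r"O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll",
    r"O20 - AppInit_DLLs: arpa.dll",
]

LINE_RE = re.compile(r"^(?P<sect>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"[a-z]:\\+.*?\.(?:exe|dll|sys|scr|com)", re.IGNORECASE)
# Heuristic: legitimate installers rarely put autostart executables in these places.
PROFILE_MARKERS = ("applic~1", "application data", "local settings", "\\temp\\")


def check_f2(body):
    """Shell= and UserInit= in system.ini must name only the Windows default program."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[key]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if len(parts) != 1 or ntpath.basename(parts[0]).lower() != expected:
        return f"{key}= carries extra program(s): {parts[1:] or parts}"
    return None


def check_r1_proxy(body):
    m = re.search(r"ProxyServer = (\S+)", body)
    return f"proxy server set to {m.group(1)} (verify it is expected)" if m else None


def check_o4(body):
    """Run entries: flag programs started from the drive root or a user-profile data folder."""
    m = O4_RE.match(body)
    if not m:
        return None
    p = PATH_RE.search(m.group("cmd"))
    if not p:
        return None
    path = p.group(0)
    norm = re.sub(r"\\+", r"\\", path).lower()  # collapse doubled backslashes, as in c:\\dfndrff_8.exe
    if re.fullmatch(r"[a-z]:\\", ntpath.dirname(norm)):
        return f"Run entry [{m.group('name')}] starts {path} from the drive root"
    if any(marker in norm for marker in PROFILE_MARKERS):
        return f"Run entry [{m.group('name')}] starts {path} from a user-profile data folder"
    return None


def check_o18(body):
    """A MIME filter on text/html sits in the path of every page IE renders."""
    m = re.match(r"Filter: (?P<mime>\S+) - \{[^}]*\} - (?P<path>.*)$", body)
    if m and m.group("mime").lower() == "text/html":
        return f"text/html MIME filter backed by {m.group('path')}"
    return None


def check_o20(body):
    m = re.match(r"AppInit_DLLs: (?P<dlls>.+)$", body)
    return f"AppInit_DLLs loads {m.group('dlls').strip()} into every process that loads user32" if m else None


CHECKS = {"F2": check_f2, "R1": check_r1_proxy, "O4": check_o4, "O18": check_o18, "O20": check_o20}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return (m.group("sect"), m.group("body")) if m else None


def triage(lines):
    """Return a finding dict for every line that one of the checks flags."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        sect, body = parsed
        check = CHECKS.get(sect)
        reason = check(body) if check else None
        if reason:
            findings.append({"section": sect, "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>3}  {f['reason']}\n      {f['line']}")
```

On the sample it reports seven findings and leaves the Symantec `vptray` Run entry alone; an entry the script flags is a candidate for the kind of review this thread shows, not proof of infection on its own.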

fowler1416
2006-08-17, 04:07
There was nothing in the Symantec folder so I deleted it.

the uninstall command for Think Adz is:
C:\WINDOWS\system32\twinqpex.exe -USearch


here is the new log file......
Logfile of HijackThis v1.99.1
Scan saved at 9:07:51 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.179.237.253:8080
O3 - Toolbar: IE Booster Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\Program Files\IE Booster 2\iebbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: IE Booster Copy Meister - res://C:\Program Files\IE Booster 2\ieb.dll/copy-wiz.ieb
O8 - Extra context menu item: IE Booster Interactive HTML Detective - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb
O8 - Extra context menu item: IE Booster Open Frame In New Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Open Frame In This Window - res://C:\Program Files\IE Booster 2\ieb.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: IE Booster Web Page Analyzer - res://C:\Program Files\IE Booster 2\ieb.dll/element.ieb
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing)
O9 - Extra button: show/hide IEB Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra 'Tools' menuitem: IE Booster Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - C:\Program Files\IE Booster 2\iebbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Page Analysis - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Web Page Analyzer - {4FA30F6C-ABCD-3586-DCAB-40E23FB53737} - res://C:\Program Files\IE Booster 2\ieb.dll/ieb2.ieb (file missing) (HKCU)
O9 - Extra button: HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: IE Booster Interactive HTML Detective - {E1C111F0-6DDA-4200-B93E-8CA7AFA58D86} - res://C:\Program Files\IE Booster 2\ieb.dll/contextmenu.ieb (file missing) (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/259747b8fc6b3a895f05/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121490531031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

LonnyRJones
2006-08-17, 07:18
You deleted twinqpexexe? If so, in Windows Add/Remove Programs use the uninstall for Think Adz; Windows should offer to delete it.

"there was nothing in the symantec folder so i deleted it.."
Good

Start Hijackthis and place a check next to these items, if there:
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/...reeInstall.cab
====================================
Hit fix checked and close Hijackthis.
Are there any current problems ?

fowler1416
2006-08-17, 16:54
Ok, I did all this. Thanks so much for your help. I finished up this morning, so it will be a while before I get back home to test it all out. One thing I have noticed is that when all this started happening, my desktop changed a bit. There all of a sudden was a blue shadow around all the folders on the desktop; this happened at the same time. Any ideas about that?

Again, thank you very much for the help. :bigthumb: I will let you know tonight if there are any other problems.

tashi
2006-08-22, 20:55
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Cheers. :)