I've got a nasty batch of spyware on my laptop. I have run Spybot, Ad-Aware, and Spy Catcher repeatedly for days and have kept the laptop offline once I had updated all of my definitions. Currently Spybot is the only App picking up the last two bits of suspect code. However, Spybot is not removing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdServices, or
HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\Services\cmdServices. I have been fighting this garbage in Safe Mode, and I have been giving Spybot permission to remove this items on boot up (as they are untouchable running in memory) but yet Spybot picks them up on every scan tells me it can't get rid of them except on boot...and they are still here. As soon as I open an internet connection, I immediately get hit with 12-50 different viruses, malware, etc. Spybot makes short work of all that garbage, but it appears these two reg enrties are the last vestiges. HELP!

:sick:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:43 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\igfxtray.exe
C:\dfndrff_8.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Common Files\{2840D246-05D7-1033-0414-040630200001}\Update.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\regedit.exe
C:\Program Files\HijackThis\HijackThis.exe

<CONTINUED NEXT POST>

Here is the rest of my HjT log. Thanks in advance!!!! :bigthumb:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wktcwv] C:\WINNT\system32\wspkww.exe reg_run
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sgbdx] C:\WINNT\system32\wspkww.exe reg_run
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://192.168.1.10/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147378105417
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.jaffets.com/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.1.202/activex/AxisCamControl.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\Software\..\Telephony: DomainName = thevark.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thevark.com
O18 - Protocol: bw+0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: offline-8876480 - {B549B781-2B67-4305-AC4C-943EFC188AF8} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - AppInit_DLLs: Interceptor.dll
O20 - Winlogon Notify: Internet Settings - C:\WINNT\
O20 - Winlogon Notify: OptimalLayout - C:\WINNT\system32\h22olcf31f2.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

Hello Grandterminus

Your post in another member's topic was removed, please see:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

As to:
Perhaps we can cross reference if we get different advice. My thread is "cmdservices"Afraid that will not work very well in this forum if you wish to receive assistance from a trained helper one on one. :)

Hello, sorry for the wait.

If you are still in need of assistance we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.

Topic re-opened.

Grandterminus :) assistance has probably been delayed because it appears you are not reading the sticky topics or my post in this thread.

ie: I did not receive a pm to re-open the topic and instead saw your post here after the thread had already been archived.

http://forums.spybot.info/showpost.php?p=39564&postcount=4
:spider:

Welcome to the forum, if you still need help, I will give it a try. Let's chat first, the command.exe issue is not much of a problem, leftovers from a removal in the registry are being found and reported by Spybot. Don't be concerned with this, we will fix it after we clean your major infections.

1) First I need your help, let's get rid of all of those 018 lines being caused by Logitech Desktop Messenger, view this information:
For your information, all of the 018 items in the log are the result of the Logitech Desktop Messenger which gets installed along with another Logitech program because the EULA agreement is not read. Unless you know what it is and use it, it is a resource waster and can be removed in Add Remove programs, but make sure you uninstall only what I highlite in red, this is optional:
C:\Program Files\Logitech\Desktop Messenger\ <<< uninstall only the program in red.Now if you will do that for us and reboot, then the HJT log will not contain all of those 108 lines and the log will be easier to work with.

The site I use to check for Look2me infections is down this morning, but this line:
O20 - Winlogon Notify: OptimalLayout - C:\WINNT\system32\h22olcf31f2.dll
has me 99.9% sure you have an infection call Look2me which is adware and causing a lot of popups on your computer. We will get rid of it first like this:

2) SpybotSD TeaTimer will block changes we must make, please use these instructions to disable TeaTimer until you are done:
http://russelltexas.com/malware/teatimer.htm

Thanks to Atribune and any others who helped with this fix.

3) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it

start>run sc start schedule press enter.

Make sure the computer is restarted, post the two logs bolded above and add any comments you think will help.
With the 018 lines gone, you should get your log in one post.

Thanks...Phil

It is important that you stay in this same topic and do not start a new one.
http://forums.spybot.info/showthread.php?p=38149#post38149
use the post reply button to add your information.

Phil,

Thanks for the heads up. Wanted to let you know I have read through your post and will be taking the steps requested. I will repost when I have completed the tasks you requested.

Thanks,
Shawn

I had a tough time getting Look2Me-Destroyer to run correctly, but it did eventually run, found a list of infections, and has appeared to clear them as it did not find any on repeated runs. I uninstalled the specific Logitech component you requested and have included the Hijack This Log. Additionally, there is/was a look2me infection on the laptop as Spybot kept picking it up repeatedly...so good hunch. I still can't seem to get the final bits of crap yet.
________________________________________________________________
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/30/2006 11:37:31 PM

Attempting to delete infected files...

Making registry repairs.

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded
_________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:08:14 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\SpyCatcher 2006\SpyCatcher.exe
C:\Program Files\Common Files\{2840D246-05D7-1033-0414-040630200001}\Update.exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wktcwv] C:\WINNT\system32\wspkww.exe reg_run
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [sgbdx] C:\WINNT\system32\wspkww.exe reg_run
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://192.168.1.10/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147378105417
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.jaffets.com/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.1.202/activex/AxisCamControl.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\Software\..\Telephony: DomainName = thevark.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thevark.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
_________________________________________________________________

Thanks Again for the Help!

Thanks for returning your information and fixing the DesktopMessenger, the log is easier for both of us now and you are saving some resources. Make sure you always read the EULA agreement before you install software.
Looks like Look2me is gone, that is not the log I needed to see, but I will live with knowing you are clean of that infection.

I need to know if this file is good or bad, please use one or more of the free online scans and post the information for me. I am fairly sure it is a source of your problems:
C:\Program Files\Common Files\{2840D246-05D7-1033-0414-040630200001}\Update.exe
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

C:\Program Files\Java\j2re1.4.2\ <<< out of date
Java is out of date and that will get you infected, see this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2 and fix that right away.

Instructions start here:
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(the first three are redirects to Gateway advertising, they are not making your browser run better and I suggest you remove them)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [wktcwv] C:\WINNT\system32\wspkww.exe reg_run
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKCU\..\Run: [sgbdx] C:\WINNT\system32\wspkww.exe reg_run
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

(some may be gone, just DO NOT miss any)

C:\\dfndrff_8.exe <<< file

C:\\kybrdff_8.exe <<< file

C:\WINNT\system32\wspkww.exe <<< file

C:\WINNT\system32\xeymi.dll <<< file

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the information about the file I requested, a new HJT log and any comments you think will help.

Thanks

Thanks for the fast follow up!

I'll hack at this when I get home tonight. Somewhere in the process my machine ate part of my TCP/IP config, so I will need to reinstall my adapters and get the machine back online. I am hoping that the machine doesn't blow up as soon as it sees an internet connection. I'll let you know.

Thanks!:bigthumb:

How is it going Grandterminus

So I can't get my laptop back on the internet. I can ping successfully and tracert till my heart's content, but no luck actually getting on the 'net. Am I dead in the water on this? I ask because I cannot get to any of the sites you mentioned for scanning. I'm willing to keep cracking, but is there a way around this without me getting online?

Hello Grandterminus,

Pskelley is away until Monday, so I'll see what we can do. Try the following for your internet connection:

Go to Start > Run and type cmd
A dos Window will appear.
Type next in the dos window: netsh winsock reset
hit enter.

REBOOT!!

I hope this should solve your broken connection.

Let me know! Thanks,
tea

Excellent! I will try it tonight when I get home. Thanks for the fill in help!

I'm not sure what file you were referring to when you said the information about "that file", but if you can clarify for me which file(s) you want to know about I will CERTAINLY tell you everything I know. These files C:\\dfndrff_8.exe <<< file

C:\\kybrdff_8.exe <<< file

C:\WINNT\system32\wspkww.exe <<< file

C:\WINNT\system32\xeymi.dll <<< file

were not present oddly enough when I went to delete them. I know that the dfndrff and kybrdff files were picked up numerous times when spybot would run scans. I was not able to run the online scans or update my java as my stinking network adapters are still on the fritz and will not allow me to get online. I did follow teacup61's advice, but it doesn't seem to have fixed the problem.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:23 AM, on 9/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Common Files\{2840D246-05D7-1033-0414-040630200001}\Update.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://192.168.1.10/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147378105417
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.jaffets.com/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.1.202/activex/AxisCamControl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\Software\..\Telephony: DomainName = thevark.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thevark.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

I have tried running spybot or anything else that you did not specify in your instructions so I don't know if we got everything else or not.

:fear:

Hello,

From a computer that has internet access, download this small program and burn it to either floppy or disc and transfer it to your infected computer.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Okay here is what we came up with....strange it claims to have found a file called qoologic....but I just noticed I still have a file on my C:\ called qoobox...

Anyway here is the log

shawnn - 06-09-12 0:17:25.64
ComboFix 06.09.11B - Running from: C:\

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-09 16:51 127488 wspkww.exe.qoo
06-08-09 16:51 53 oqlnno.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrff_8.exe
C:\WINNT\system32\bez6n4r21.exe
C:\WINNT\system32\n9nyb.exe
C:\WINNT\system32\redist.dll
C:\WINNT\system32\redistributor.exe
C:\WINNT\system32\VSL05.exe
C:\WINNT\system32\wfxqhv.exe
C:\WINNT\system32\zqskw.exe
C:\WINNT\ssqbn.exe
C:\WINNT\system32bez6n4r21.exe
C:\WINNT\system32ghynf.exe
C:\WINNT\system32n9nyb.exe
C:\Program Files\Common Files\{2840D246-05D7-1033-0414-040630200001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-12 to 2006-09-12 ))))))))))))))))))))))))))))))))))


2006-09-12 00:17 275,806 --a------ C:\combofix.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-12 00:18 -------- d-------- C:\Program Files\Common Files
2006-09-09 04:21 -------- d-------- C:\Program Files\HijackThis
2006-09-09 01:27 -------- d-------- C:\Program Files\BOINC
2006-09-06 09:13 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-20 03:42 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\.gaim
2006-08-20 03:40 -------- d-------- C:\Program Files\Gaim
2006-08-15 13:21 -------- d-------- C:\Program Files\smartkiller
2006-08-12 16:36 -------- d-------- C:\Program Files\Internet Explorer
2006-08-12 08:25 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-11 21:01 435 --a------ C:\WINNT\vnvqn.dll
2006-08-11 20:09 1167 --a------ C:\WINNT\system32\jqwd09d3.sys
2006-08-11 13:00 24296 --a------ C:\WINNT\icont.exe
2006-08-10 00:41 -------- d-------- C:\Program Files\LimeWire
2006-08-10 00:32 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\Tenebril
2006-08-10 00:01 -------- d-------- C:\Program Files\Common Files\ummq
2006-08-09 23:52 -------- d-------- C:\Program Files\SpyCatcher 2006
2006-08-09 21:34 -------- d-------- C:\Program Files\Lavasoft
2006-08-09 21:34 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\Lavasoft
2006-08-09 16:54 -------- d-------- C:\Program Files\Online Services
2006-08-09 16:54 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-09 16:53 -------- d-------- C:\Program Files\Messenger
2006-08-09 16:52 61952 --a------ C:\WINNT\system32\jqwd09d3.dll
2006-08-09 16:48 28672 --a------ C:\WINNT\system32\iqqr.exe
2006-08-09 16:48 20480 --a------ C:\WINNT\system32\dr.exe
2006-08-09 16:48 186 --a------ C:\WINNT\system32\n.bat
2006-08-09 16:48 147456 --a------ C:\WINNT\system32\vbzip10.dll
2006-08-09 03:12 -------- d-------- C:\Program Files\mIRC
2006-08-05 16:36 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\ArcSoft
2006-08-05 16:34 -------- d-------- C:\Program Files\ArcSoft
2006-08-05 06:08 -------- d-------- C:\Program Files\Canon
2006-08-05 05:47 -------- d-------- C:\Program Files\Common Files\Canon
2006-07-29 00:47 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\LimeWire
2006-07-27 07:24 679424 --a------ C:\WINNT\system32\inetcomm.dll
2006-07-27 00:52 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\CyberLink
2006-07-23 00:38 -------- d-------- C:\Program Files\Trymedia
2006-07-21 15:41 -------- d-------- C:\Program Files\Java
2006-07-21 02:24 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-15 16:20 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-15 16:18 -------- d-------- C:\Program Files\Common Files\Logitech
2006-07-13 01:34 -------- d---s---- C:\Documents and Settings\shawnn.THEVARK\Application Data\Microsoft
2006-06-23 09:22 9216 --a------ C:\WINNT\dunq.dll
2006-06-16 14:34 48936 --a------ C:\WINNT\system32\sirenacm.dll


<cont>

<cont>

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRONoMgr.exe"="c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"TabletWizard"="C:\\WINNT\\help\\SplshWrp.exe"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck /autofix /autoclose"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\visenegy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\saqy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINNT\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINNT\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINNT\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pabld.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"backup"="C:\\WINNT\\pss\\pabld.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"item"="pabld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINNT\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Sticky Notes.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Sticky Notes.lnk"
"backup"="C:\\WINNT\\pss\\Sticky Notes.lnkStartup"
"location"="Startup"
"command"="C:\\WINNT\\system32\\stikynot.exe "
"item"="Sticky Notes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACUMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACUMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_8"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Eraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eraser"
"hkey"="HKCU"
"command"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Gaim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gaim"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gaim\\gaim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Gateway Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GWInkMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Gateway\\Gateway Ink Monitor\\GWInkMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WCESCOMM"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\jqwd09d3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w2ec5443.dll,n 002d09d1000000032ec5443"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"command"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_8"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sgbdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKCU"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TabletWizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SplshWrp"
"hkey"="HKLM"
"command"="C:\\WINNT\\help\\SplshWrp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINNT\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wktcwv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"PrismXL"=dword:00000002
"VSS"=dword:00000003
"LBTServ"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Tue 09/12/2006 0:24:24.86
ComboFix.txt


Hopefully this helps. Thanks Tea!:bigthumb:

Hello,

Holy cow you have a lot of bad stuff still there.:fear:

I'm sorry to have to have you do this, but we've got to get all that garbage off there.:sick:

1. Download Ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete, run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close Ewido anti-spyware, Do Not run a scan just yet

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
Close Ewido and reboot your system back into Normal Mode.

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Let me know how it's running, please.

Thanks,
tea

Tea,

"Hate to do this to me"??? I am very grateful that you are!!! I will crack on this tonight/tomorrow and post everything you've asked. Thanks for the help!:present:

Alright, did as requested though I could not run updates to ewido before scanning as my POS laptop refuses to get online even though I can ping and tracert etc. I ran ewido in Windows stadard operating mode because I forgot to reboot to safe mode. Thus I have included the 1st scan in standard mode and then the 2nd scan log from when I ran it again in Safe Mode. I have also included the BFU log.

ewido log 1 (standard)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:01:58 PM 9/14/2006

+ Scan result:



C:\WINNT\icont.exe -> Adware.AdURL : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0061180.dll -> Adware.CASClient : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069226.exe -> Adware.Suggestor : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069231.exe -> Adware.Suggestor : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069235.exe -> Adware.Suggestor : No action taken.
C:\Limewire\Microsoft Project Professional 2003.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\Microsoft Project Professional 2003.rar/zia02176/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\Microsoft Project Professional 2003.rar/zia04008/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\1 Click Boost v2.4.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\1st SMTP Server 2.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\3D Gamestudio A6.22 Professional.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\44 GameLoft Games for Mobile Phones.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\A Breath of Scandal 1960 DVDRip XviD-iMMORTALs.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\AIO Pocket PC Vol2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\AWinstall v4.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Abomination The Nemesis Project.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Acala DVD Ripper v2.3.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Acala DVD to Pocket PC Movie v2.3.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Acoustica CD DVD Label Maker v2.55.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Actual Window Manager v4.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Advanced Encryption Package 2006 4.4.13.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Advanced System Optimizer 2.10.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Advanced Windows Optimizer v.5.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Advanced Woman Calendar v1.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Aeon Flux DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Aibase-CS v1.184.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Aikido Videoz.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Allok MPEG4 Converter 1.4.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Allok Video to MP4 Converter 1.4.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Allok Video to PSP Converter 1.7.4.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\AnyDVD v5.6.3.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Aplus DVD Copy 3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Apollo DVD Creator 3.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Apollo PSP Video Converter v.3.0.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Arc DVD Copy v1.3.5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ashampoo AudioCD MP3 Studio 3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ashampoo Burning Studio 6.20.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ashampoo Magical Defrag v1.11.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Atani 3.8.9.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Atmosphere Deluxe.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Audio Video To MP3 Maker 3.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\AutoRun Design Specialty v5.0.0.6.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Avast Professional Edition 4.7.869 EN.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Avi Divx Wmv Real Mp3 Media Fixer Pro v6.5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Bandidas DVDScr Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Barnyard The Original Party Animals 2006 CAM.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\BattleField 2 DVD iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\BearShare Pro 5.2.5.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Big Kahuna Reef 2 - Chain Reaction.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Big Mommas House 2 DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Big Oil Build an Oil Empire.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Bitplane Imaris 5.0.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Bob Ross - The Joy of Painting Video Collection.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Brother Bear 2 2006 TS Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Bubbles 1.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Bulletproof Public PC v3.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\CafeSuite 3.39.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Call of Cthulhu Dark Corners of the Earth.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Canasta 2006.1. 60804.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Caretta GUI Design Studio v2.1.52.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Catch 22 - Permanent Revolution (2006).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Chipscope Pro v8.2i.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Click 2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\CloneDVD v2.8.9.9.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Close Combat III The Russian Front.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Code Weaver 1.6.4.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\CoffeeCup Megapack.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\ColorPilot Slide Show Pilot v1.6.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\CommView Remote Agent v2.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Comodo AIO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\CuteFTP Pro 7.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DOOM DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVD Cover Searcher v3.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVD X Software Powerpack Pro.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVD to 3GP Converter.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVD to IPOD Ripper 4.38.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVD to IPOD Ripper v4.38.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVDFab Platinum 2.9.8.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVDIdle Pro 5.9.8.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVDIdle Pro v5.9.8.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\DVDIdle Pro v5.983.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Dedaulus SC last build.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Deep Freeze v6.00.020.1523.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Deskshare Appz AIO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Desktop Icon Toy v.1.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Dolphins Software Conversions v1.10.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Dr. Dolittle 3 (2006).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Dr.DivX 2.0.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Dual DVD copy Gold 4.09.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\EA Sports NHL 2006 iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Easy CD-DA Extractor Pro v10.0.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ellusionist - GutBuster.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Eltima Serial Port Monitor v3.0.0.101.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Email Programs AIO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Email Security 2.81.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Encrypt My Information v3.00.263.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Envelope Printer v7.0.060722.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\European Thought And Culture In The 19th Centu.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Evonsoft Advanced Spyware Remover Pro v1.90.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ewido Security Suite 4.0.0.172c.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\FPS Creator 1 + Model Packs + Video.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.

<cont>
ewido log 1 (standard windows mode)

C:\Limewire\_\FTP Now 2.6.45.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Fable The Lost Chapters.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\File Access Scheduler v4.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\File and Folder Privacy v2.6.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\FinePrint Pdf Factory Pro 3.00.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\FlashyEffects v1.1.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Flatout 2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Fly DVD Copier v4.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Forum Proxy Leecher 1.07.712 Full.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Frankenthumb.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\From Autumn To Ashes - The Fiction We Live.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\From Autumn To Ashes - Too Bad Your Beautiful.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\From Autumn to Ashes - Abandon Your Friends.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\FullShot Enterprise 9.3.0.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Game Copy Protections Tools (AIO) 30in1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Garfield A Tail Of Two Kitties CAM VCD-PreVail.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Global Clipboard 2.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Google Earth Pro 3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Grabber 1.4.4b.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Grand Theft Auto San Andreas iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Graphics Converter Pro 6.62.60728.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Graphics Converter Pro For Vector v7.62.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Graphics Converter Pro v6.62.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Guardian II v2.0.6.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Gumboy Crazy Adventures v0.934.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hackers Black Book.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hard Drive Inspector 1.85.950.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hard Truck 18 Wheels of Steel.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hard Truck 18 Wheels of Steel.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\History A Very Short Introduction.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hitman 3 Contracts.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hitman Blood Money iSo.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Holy War Holy Peace How Religion Can Bring Pe.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Hoodwinked DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\House Of The Dead 3-RELOADED iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\ISD My Tattoo ID v5.1.3.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ice Age 2 The Meltdown.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\IconCool Editor v5.14.60622.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\IconCool Editor v5.25.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ill Nino - Confession.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Inca Quest.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Inside Website Logger v2.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Install Unattended Enterprise v3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Internet Download Manager 5.04 Build 2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Irreversible - the cruel.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\IsItUp Network Monitor 5.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\JFK Reloaded 1.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\John Tucker Must Die (2006).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\John Tucker Must Die 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Keeping Mum.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Kenan and Kel - Two Heads Are Better than None DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Kingdom Under Fire Gold Edition.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Kingdom of Haven.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Kiss MyImage v1.0.4.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Lady in the Water movie cam.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Latex.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Learning Express How to Study.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Learning Express Just in Time Algebra.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Learning Express Math for the Trades.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\LearningExpress Improve Your Math.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\LimeWire Pro 4.12.4.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Little Man 2006 TS Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Loan Spread Calculator Pro v4.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Local SMTP Relay Server 2.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Local SMTP Server Pro 2.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Lock My Computer v3.6.260.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Lucky Number Slevin - DVDScr Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\MOnica bellucci-MALENA.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\MP3 WAV Studio v6.12.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Macromedia AIO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\MagicISO Maker 5.3.216.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\MarketDelta DTN IQFeed v3.2.1.5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Master Mind Vol.2 - Self Levitation.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\McAfee AntiVirus 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\McAfee Internet Security Suite 2006 Version 8.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Mechwarrior 4 Mercenaries.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Miami Vice TC Xvid-PUKKA.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Mission Impossible 3 TS Xvid-maVen.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Mission Impossible.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Monica Bellucci in Malena DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\MorphBuster 7.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\My Buddy Icons v4.62.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\NOD32 v2.51.30.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Nancy Drew Danger by Design.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Nature Illusion Studio v1.30.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\NetCafe Softs (5 in 1).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Network File Monitor Professional 2.26.7.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Norton Antivirus 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Orchid Medical Spa v6.0.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\PC Accelerator 2007 Pro 1.1.16.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\PC Auto Shutdown v2.2.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\PDF Maker Pilot 1.28.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Passware Kit 7.9.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Personal Mail Server Pro 1.7.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Phat Girlz 2006 DVDRip Xvid-FW.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\PhotoMagic v2.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Photometrix iWitness v1.2.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Picture Doctor v1.5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ping Probe v1.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Pinnacle Studio 10.5.1 Titanium + Pinnacle Studio 10 Plus.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Pirates of the Caribbean 2 Dead Mans Chest TC Xvid-PUKKA.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Pirates of the Caribbean 2 Dead Mans Chest TC Xvid-PUKK.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Pitfall The Lost Expedition iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Plato DVD Copy v4.51.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Portable DVD2one v2.0.5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Prey PC RiP.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Privacy Shield.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\ProCAD 2D Designer v2007.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\ProShow Producer v2.6.1745.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Proxy Switcher Pro 3.7.3646.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Proxy Switcher Pro v3.7.3647.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Pussycat Dolls - Loosen Up My Buttons (Video).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Rapidshare Premium Pack 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\RawShooter Premium 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Re-Volt.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Record-Anything v2.92.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Red Orchestra Ostfront 41-45 iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Red Orchestra Ostfront 41-45 iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Relentless Rapidshare Helper Pack 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\SafeCracker.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Saint Paint Studio v12.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Save Flash v3.0.0067.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Scarabs Of Pharaoh v1.03.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Security Administrator 10.51.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Serenity (2005).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Smart Undelete 2.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Snappy Fax v3.71.1.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\SolSuite 2006 6.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Soldner Secret Wars.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Sopranos New Season 6.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Speed DVD Creator v4.0.19.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Speed Video Converter v3.0.19.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Speed Video Converter v3.0.21.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Splinter Cell Pandoras Tomorrow.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Springboard 0.75.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Spy Sniper 3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Spy Sweeper 5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Spyware Doctor 4.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Stronghold iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\TOCA Race Driver 3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Tactical Ops Assault on Terror.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Talladega Nights VCD CAM-Marakki.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Tally 7.2 Gold.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Tetris Arena 1.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The 40 Year Old Virgin DVDRip.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Fast And The Furious Tokyo Drift TS Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Girl Next Door.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Movies Stunts And Effects-RELOADED iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Night Listener (2006).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Piano Tuner Of Earthquakes 2005 DVDRip XviD-WRD.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Pin Up Art of Archie Dickens Volume One.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Plan-PLEX iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Pledge DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Punisher.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The Quakers in English Society 1655 To 1725.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The descent.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The girl next door - Elisha cuthbert.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\The pirates of the caribbean.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Thumbtanic.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Tony Hawks American Wasteland iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Topmpx Software by Virus-24 7.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\TracePlus Winsock 8.10.000.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\UCINET V6.135.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\UberSoldier iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Ulead DVD Movie Factory 5.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\UltraISO Premium Edition v.8.1.2.1625.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Underworld 2 Evolution.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\V for Vendetta.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\VA - Summer Heat 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\VMware Virtual Center 1.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\VariCAD 2005 v1.09.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Vietcong 2 iSO.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WISCO Word Power 2.00.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WS FTP Professional 2006.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WWW File Share Pro 5.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WWW File Share Pro v5.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Water Illusion Professional v2.80.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Web Gallery Builder v1.3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Web Page Maker 2.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Webroot Spy Sweeper 5.0.7.1608.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WiFi Hopper 1.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Win Rar Crystal edition v3.51.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Win XP Pro Corp. July 2006 (100%Working).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WinPatrol 10.0.3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WinRAR 3.60 Corporate Edition no serial+themes.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WinTools.net Professional 7.7.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WinZip Self-Extractor v3.0.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Windows XP Pro SP2 Full Student Release.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Windows XP SP3 Update (vista Look).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Windws XP Pro SP3 Unattended (2006).rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Without a Paddle DVDRip Xvid.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\WordHacker Golden Edition v4.1.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Worms 4 Mayhem.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\Worms Fort Under Siege.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\X-Men The Last Stand TC XviD-ASTEROiDS.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\X-NetStat Professional v5.49A.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\X-Setup Pro 8.1.110.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\X-Win32 v8.0.2082.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\XP Codec Pack 2.0.3.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\XoftSpySE 4.29.194.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\YearPlanner v2.4.8.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\dual DVD copy Silver 3.10.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\eDonkey 2000 1.4.5 Pro.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\Limewire\_\n00zn00zn00zn00z.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.



<cont next post>>

<cont>

C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP457\A0062465.exe -> Backdoor.IRCBot.dd : No action taken.
C:\t.rar/Setup.exe -> Backdoor.IRCBot.dd : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455\A0062245.dll -> Downloader.Agent.agw : No action taken.
C:\WINNT\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069245.exe -> Downloader.Qoologic.bj : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0059828.exe -> Downloader.Small.ajc : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0059829.exe -> Downloader.Small.ajc : No action taken.
C:\Program Files\Messenger\sale.dll -> Downloader.Small.ctp : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060904.exe -> Downloader.TSUpdate.f : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060902.exe -> Downloader.TSUpdate.n : No action taken.
:mozilla.6:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.23:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.24:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.25:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.26:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.27:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.28:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.29:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.50:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.51:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.52:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.53:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.54:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.55:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.56:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.49:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.30:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.31:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.32:C:\Documents and Settings\shawnn\Application Data\Mozilla\Firefox\Profiles\dua68u64.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\shawnn.THEVARK\Cookies\shawnn@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069227.dll -> Trojan.Agent.sx : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069228.exe -> Trojan.Agent.sx : No action taken.
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455\A0062244.exe -> Trojan.Qoologic : No action taken.


::Report end

This is the log from the second scan in Safe Mode

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:36:30 PM 9/14/2006

+ Scan result:



C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP478\A0069298.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINNT\system32\iqqr.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060805.exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455\A0062241.exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060810.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060794.exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455\A0062246.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP456\A0062386.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP459\A0062576.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINNT\pss\pabld.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455\A0062242.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\dunq.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP478\A0069297.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060804.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060816.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).


::Report end

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 4:49:02 PM, on 9/14/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINNT\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\shawnn\LOCALS~1\Temp\Perflib_Perfdata_3e8.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\shawnn\LOCALS~1\Temp\~DF93D.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINNT\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINNT\mdrive (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\WINNT\system32\crunner (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINNT\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

The first Ewido log shows (no action) on everything because ewido locked in process. I ran ewido a second time in standard operating mode and it picked up the same list as above and quarantined/removed everything without a problem. The second log (ran ewido in safe mode) picked up the additional items listed and cleaned them as well.

FYI, After our most recent operations, Tenebril (SpyCatcher) is still showing something called "dollar revenue" from running on my system it references a file c:\WINNT\system32\wshtcpip.dll. I ran a search for the file being referenced and it only pops up in c:\WINNT\$NtServicePackUninstall$ and c:\WINNT\ServicePackFiles\i386 :fear:

Hello,

After seeing that.....do you realize how badly your computer is compromised? :eek: All those cracks off of Limewire.:sick: Your best, and safest bet, would be to reformat and reinstall. I'll do my best to help you, but I can't promise you it'll ever be really safe again.:( The damage has been done. It really is best that you can't get online right now, especially if you have any sensitive info (banking, bills, etc.....).

I'll ask that you consider this information, and let me know what you decide you want to do.

Regards,
tea

You're the volunteer...I'm game if you are. The great irony of all of this is I think I was compromised by downloading ad-aware from Limewire...not because I was having problems with Spyware, but because I thought I needed to have something "just in case". Yeah I didn't even realize I had 5,000 files like that in Limewire. Anyway...if you want a tough one for the record books, I'm yer huckleberry...but if you want to tell me to bugger off, I understand.

Thanks!

Hello,


I'm yer huckleberry Well then yer a daisy if ya do!

Now being in and from the south, I'd better know where that came from anyway, but I also happen to be reading one of the many books about Mr. John Henry Holliday right now. :D:

Why were you downloading a protection program from Limewire that's free? Ad Aware is free, unless you insist on having Ad Watch.

Okay, it's been 3 days. We'll kind of start again, using what you already have to see where we are now, and what else they might remove. Please run ComboFix first, then Ewido, then show me a HijackThis log made in normal mode, with everything enabled. Also post the logs from the other two.

Thanks,
tea

It seemed like a good idea at the time??? :oops: I was in market for some rather hard to find items to do with Ai Sora and figured I'd make a run for something to protect against infections and the last time I looked for adaware online I hit about four dummy sites before figuring out which one was right (can never remember who makes it) LAME excuse I know...forgive me it was late and I had left my logic chip in the kitchen.

NEway, I will get on the tasks you have requested and get back with you. THANKS!!!

Here is the ComboFix log.

shawnn - 06-09-19 8:40:00.67
ComboFix 06.09.11B - Running from: C:\

Microsoft Windows XP [Version 5.1.2600]

Files Created from 2006-08-19 to 2006-09-19

2006-09-12 00:17 275,806 -a- C:\combofix.exe


(( Find3M Report

2006-09-15 08:29 - d- C:\Program Files\Mozilla Firefox
2006-09-14 16:54 - d- C:\Program Files\ewido anti-spyware 4.0
2006-09-14 16:53 - d- C:\Program Files\BOINC
2006-09-14 13:31 - d- C:\Program Files\Messenger
2006-09-12 00:18 - d- C:\Program Files\Common Files
2006-09-09 04:21 - d- C:\Program Files\HijackThis
2006-08-20 03:42 - d- C:\Documents and Settings\shawnn.THEVARK\Application Data\.gaim
2006-08-20 03:40 - d- C:\Program Files\Gaim
2006-08-15 13:21 - d- C:\Program Files\smartkiller
2006-08-12 16:36 - d- C:\Program Files\Internet Explorer
2006-08-12 08:25 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-11 21:01 435 --a------ C:\WINNT\vnvqn.dll
2006-08-11 20:09 1167 --a------ C:\WINNT\system32\jqwd09d3.sys
2006-08-10 00:41 -------- d-------- C:\Program Files\LimeWire
2006-08-10 00:32 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\Tenebril
2006-08-10 00:01 -------- d-------- C:\Program Files\Common Files\ummq
2006-08-09 23:52 -------- d-------- C:\Program Files\SpyCatcher 2006
2006-08-09 21:34 -------- d-------- C:\Program Files\Lavasoft
2006-08-09 21:34 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\Lavasoft
2006-08-09 16:54 -------- d-------- C:\Program Files\Online Services
2006-08-09 16:54 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-09 16:52 61952 --a------ C:\WINNT\system32\jqwd09d3.dll
2006-08-09 16:48 20480 --a------ C:\WINNT\system32\dr.exe
2006-08-09 16:48 186 --a------ C:\WINNT\system32\n.bat
2006-08-09 16:48 147456 --a------ C:\WINNT\system32\vbzip10.dll
2006-08-09 03:12 -------- d-------- C:\Program Files\mIRC
2006-08-05 16:36 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\ArcSoft
2006-08-05 16:34 -------- d-------- C:\Program Files\ArcSoft
2006-08-05 06:08 -------- d-------- C:\Program Files\Canon
2006-08-05 05:47 -------- d-------- C:\Program Files\Common Files\Canon
2006-07-29 00:47 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\LimeWire
2006-07-27 07:24 679424 --a------ C:\WINNT\system32\inetcomm.dll
2006-07-27 00:52 -------- d-------- C:\Documents and Settings\shawnn.THEVARK\Application Data\CyberLink
2006-07-23 00:38 -------- d-------- C:\Program Files\Trymedia
2006-07-21 15:41 -------- d-------- C:\Program Files\Java
2006-07-21 02:24 72704 --a------ C:\WINNT\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRONoMgr.exe"="c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"TabletWizard"="C:\\WINNT\\help\\SplshWrp.exe"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck /autofix /autoclose"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\visenegy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\saqy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINNT\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINNT\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINNT\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pabld.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"backup"="C:\\WINNT\\pss\\pabld.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"item"="pabld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINNT\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Sticky Notes.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Sticky Notes.lnk"
"backup"="C:\\WINNT\\pss\\Sticky Notes.lnkStartup"
"location"="Startup"
"command"="C:\\WINNT\\system32\\stikynot.exe "
"item"="Sticky Notes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACUMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACUMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_8"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Eraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eraser"
"hkey"="HKCU"
"command"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Gaim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gaim"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gaim\\gaim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Gateway Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GWInkMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Gateway\\Gateway Ink Monitor\\GWInkMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WCESCOMM"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\jqwd09d3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w2ec5443.dll,n 002d09d1000000032ec5443"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"command"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_8"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sgbdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKCU"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TabletWizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SplshWrp"
"hkey"="HKLM"
"command"="C:\\WINNT\\help\\SplshWrp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINNT\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wktcwv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"PrismXL"=dword:00000002
"VSS"=dword:00000003
"LBTServ"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Tue 09/19/2006 8:42:09.40
ComboFix.txt
ComboFix2.txt

Looks like we are making progress :ninja:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:15:38 AM 9/19/2006

+ Scan result:



C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP479\A0069305.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP479\A0069306.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP479\A0069304.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).


::Report end

:spider: Our latest log...


Logfile of HijackThis v1.99.1
Scan saved at 10:23:37 AM, on 9/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\mmc.exe
C:\Program Files\SpyCatcher 2006\SpyCatcher.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://192.168.1.10/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147378105417
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.jaffets.com/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.1.202/activex/AxisCamControl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\Software\..\Telephony: DomainName = thevark.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thevark.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

Hello,

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.


Navigate to and delete the following files, if present:

C:\\Program Files\\Online Services\\saqy.html
C:\\Program Files\\ComPlus Applications\\visenegy.html
C:\\\\dfndrff_8.exe
C:\\WINNT\\system32\\wfxqhv.exe
C:\\\\nwnmff_8.exe
C:\\WINNT\\system32\\wspkww.exe
C:\\Program Files\\System Files\\System.exe

Search for this file and delete it : w2ec5443.dll

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

I see this in there as well. C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe
Is this the newest version you have installed? If it is, then I want you to look in Add/Remove Programs and UNinstall ALL the older versions. Those are not helping by lurking around in your computer, and they need to go.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously,the contents of the Qoofix logfile, along with a new HijackThis log in your next reply.
How is it running now? :)

Thanks,
tea

Get them doggies rollin...I can't believe I was usin' Norton RAWHIDE!!! The Dr. Web app found a bunch of junk. I'm impressed. However, right after reboot I got two notices from SpyCatcher telling me spyware was afoot. "pautoenr.dll located at C:\WINNT\system32\pautoenr.dll" and "dollar revenue located at C:\WINNT\system32\wshtcpip.dll.

Dr. Web Report
prompt[1].htm;C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CIOCRVI3;Trojan.Isbar.83;Deleted.;
RegUBP2b-shawnn.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.617;Incurable.Moved.;
A0060806.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.DollarRevenue;Incurable.Moved.;
A0060807.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.DollarRevenue;Incurable.Moved.;
A0060808.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.DollarRevenue;Incurable.Moved.;
A0060809.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.DollarRevenue;Incurable.Moved.;
A0060811.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.SaveNow;Incurable.Moved.;
A0060813.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Trojan.DownLoader.11969;Deleted.;
A0060817.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.DollarRevenue;Incurable.Moved.;
A0060838.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.SearchAid;Incurable.Moved.;
A0060839.exe\data001;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060839.exe;Adware.SearchAid;;
A0060839.exe\data003;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453\A0060839.exe;Adware.SearchAid;;
A0060839.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Archive contains infected objects;Moved.;
A0060903.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Trojan.DownLoader.11355;Deleted.;
A0061181.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Adware.Consumeralert;Incurable.Moved.;
A0061196.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP453;Trojan.DownLoader.11354;Deleted.;
A0062267.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455;Probably DLOADER.Trojan;Incurable.Moved.;
A0062307.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP455;Probably DLOADER.Trojan;Incurable.Moved.;
A0064749.reg;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP467;Trojan.StartPage.1505;Deleted.;
A0069224.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476;Trojan.Click.1360;Deleted.;
A0069225.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476;Adware.SearchAid;Incurable.Moved.;
A0069230.exe\data001;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069230.exe;Adware.Yavak;;
A0069230.exe\data002;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476\A0069230.exe;Adware.Yavak;;
A0069230.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476;Archive contains infected objects;Moved.;
A0069233.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476;Adware.SearchAid;Incurable.Moved.;
A0069237.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP476;Trojan.DownLoader.11989;Deleted.;
A0069307.dll;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP479;Adware.Yavak;Incurable.Moved.;
A0070426.reg;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Trojan.StartPage.1505;Deleted.;
dr.exe;C:\WINNT\system32;Adware.DollarRevenue;Incurable.Moved.;

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:35 AM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\igfxtray.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TabletWizard] C:\WINNT\help\SplshWrp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {42780420-E62F-490A-82FC-D626BE90B302} (ASAP! Session Class) - http://192.168.1.10/AntiSpamGateway/Cabs/Mapicom.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147378105417
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.jaffets.com/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://192.168.1.202/activex/AxisCamControl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc03.custhelp.com/7520-b289h-turbotax/rnl/java/RntX.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\Software\..\Telephony: DomainName = thevark.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thevark.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thevark.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: Interceptor.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

QooFix

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [9/20/2006] at [1:43:36 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [9/20/2006] at [1:44:27 PM]

Note: Some registry keys may have been removed.

Hello,

Still can't get online? This file C:\WINNT\system32\wshtcpip.dll is bothering me. It's actually a legit file, but showing you that it's infected? I sure would like to have it uploaded and scanned. That may be your problem here, but if you can't get online I cannot know.

Let me know if there's any luck in that department. If not, I'll figure something out. :)

Thanks,
tea

I can certainly try copying it off to another PC and scanning it. Course that might have some inherent infection risks, but I'm game. I'm in this for the long run! :bigthumb:

The only way I see that happening is if you're on a network and can share.

Well, I'm gonna try copying it anyhow!!!!! Wish me luck! :D: Oh wait...where do I go to get a scan on the files you want scanned? URL?

Please be careful!

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\WINNT\system32\wshtcpip.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Regards,
tea

SO I found two copiers of this on my machine so i copied both and scanned them....here are the results

Service load:
0% 100%
File: wshtcpip1.dll
Status:
Uploading file, please wait...
MD5 61297dea5932a3d8a9e6a2d17d0b8e8b
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Service load:
0% 100%
File: wshtcpip.dll
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a7f95a53ee055115df03588997a47d4d
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Hello,

Well that was a dead end huh? It's been 8 days, so let's have a scan with either Dr. Web or Ewido, post the logs for me, and let me see a new HijackThis log if you please. You might also try the directions I posted some time ago for the internet connection and see if it works now. It could happen.:D:

Have a great weekend!
tea

Alright so the quick scan in Dr. Web turned up clean so I am running it again with a full system scan. While watching the scrolls bar, SpyCatcher caught the Dollar Revenue app trying to run again.....then it flagged C:\WINNT\system32\pautoenr.dll Application:eDonkey (any clue what that is?) and Type is Spyware.

I'll give the the results of Dr. Web and Ewido when I get them.

So in trying to be clever, I copied over the pautoenr.dll files to another PC and am ging to try and scan them at the site you had me scan at last time. Hopefully my independant thought doesn't destroy anything!:oops:

The online malware scanner has been busy for the lst few hours. Ewido scan came back clean, however the Dr. Web scan is running and has already picked up about five virus/spyware instances. Will post when it's finished.:fear:

:sad: So Dr. Web has found some items:

A0070427.dll;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Trojan.DownLoader.12021;Deleted.;
A0070428.EXE;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;Moved.;
A0070429.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Moved.;
A0070430.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.DollarRevenue;Moved.;
A0070428.EXE;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;;
A0070429.exe;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Deleted.;

It found the dollarerevenue piece last time, but it doesn't seem to be completely getting rid of it.

Hello,

Everything Dr.Web found is in System Restore and either moved or deleted, so no problem there. Stop worrying.:)

This about eDonkey : http://en.wikipedia.org/wiki/EDonkey_network

And this, dated 10-01-06 from the eDonkey site :The eDonkey2000 Network is no longer available.

If you steal music or movies, you are breaking the law.

Courts around the world -- including the United States Supreme Court --
have ruled that businesses and individuals can be prosecuted for illegal
downloading.

Can you tell me what all you've tried as far as regaining your internet access?

tea :)

Grandterminus?

I posted a reply some time ago...but it isn't here. I tried your original suggestions from back in the thread ...and tried them again recently with no louck. I've disabled and reenabled both of my adapters (wired and wireless), then tried uninstalling and reinstalling them. I get a network connection, but I cannot get on the internet.

Hey! I was worried....glad to see you back.:)

maybe this break has been a good thing. I've been trying to think of anything new that's come out that might help us here.

Combofix has been updated, so I'd like for you to delete your current one and download another and run it. combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)

Post the results for me, and we'll go on to the next thing.

Thanks,
tea

Scatch that last.....ComboFix is down at present. Save what you have for now. Instead let's use this :


Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Thanks,
tea

Cool,

I will get going on the new project!

Hi :)

Update : Go ahead with ComboFix as well. It's back up. ;)

tea

Hey Tea,

Thanks for your patience man, I've had some bad health issues and have been laid up at home. The laptop has been sitting at work. I think I am going back to work tomorrow if I hold up over night. I'll start cracking at it there. Thanks again for all of the jelp!

:bigthumb:

Awww.....I'm so sorry to hear it. You get well! This thread will still be here when you feel like it.

Take care!!!

Here are the latest results

shawnn - 06-10-19 17:09:30.21 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 15:19 0 --a------ C:\WINNT\gmer.reg
2006-10-19 15:19 0 --a------ C:\WINNT\gmer.bat
2006-10-19 15:12 385,024 --a------ C:\gmer.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 15:09 276918 --a------ C:\combofix.exe
2006-10-05 09:10 -------- d-------- C:\Program Files\BOINC
2006-10-05 08:59 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 09:07 -------- d-------- C:\Program Files\HijackThis
2006-09-21 08:57 -------- d-------- C:\Program Files\mIRC
2006-09-20 13:55 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-20 13:54 -------- d-------- C:\Program Files\Online Services
2006-09-14 16:54 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-14 13:31 -------- d-------- C:\Program Files\Messenger
2006-09-12 00:18 -------- d-------- C:\Program Files\Common Files
2006-08-21 06:21 16896 --a------ C:\WINNT\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINNT\system32\fltmc.exe
2006-08-21 03:14 128896 --------- C:\WINNT\system32\drivers\fltmgr.sys
2006-08-20 03:40 -------- d-------- C:\Program Files\Gaim
2006-08-11 21:01 435 --a------ C:\WINNT\vnvqn.dll
2006-08-11 20:09 1167 --a------ C:\WINNT\system32\jqwd09d3.sys
2006-08-09 16:48 186 --a------ C:\WINNT\system32\n.bat
2006-08-09 16:48 147456 --a------ C:\WINNT\system32\vbzip10.dll
2006-07-27 07:24 679424 --a------ C:\WINNT\system32\inetcomm.dll
2006-07-21 02:24 72704 --a------ C:\WINNT\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRONoMgr.exe"="c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"TabletWizard"="C:\\WINNT\\help\\SplshWrp.exe"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck /autofix /autoclose"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINNT\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINNT\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINNT\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pabld.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"backup"="C:\\WINNT\\pss\\pabld.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"item"="pabld"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINNT\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Sticky Notes.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Sticky Notes.lnk"
"backup"="C:\\WINNT\\pss\\Sticky Notes.lnkStartup"
"location"="Startup"
"command"="C:\\WINNT\\system32\\stikynot.exe "
"item"="Sticky Notes"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACUMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_8"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eraser"
"hkey"="HKCU"
"command"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gaim"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gaim\\gaim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GWInkMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Gateway\\Gateway Ink Monitor\\GWInkMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WCESCOMM"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jqwd09d3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w2ec5443.dll,n 002d09d1000000032ec5443"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"command"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_8"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sgbdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKCU"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SplshWrp"
"hkey"="HKLM"
"command"="C:\\WINNT\\help\\SplshWrp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINNT\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wktcwv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=dword:00000002
"VSS"=dword:00000003
"LBTServ"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-19 17:11:17.78
C:\ComboFix.txt ... 06-10-19 17:11
C:\ComboFix2.txt ... 06-09-19 08:42
C:\ComboFix3.txt ... 06-09-12 00:24

And now for the other one

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-19 17:27:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
---- Processes - GMER 1.0.11 ----

Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [1412] 0x71A90000
Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [1732] 0x71A90000
Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\explorer.exe [1816] 0x71A90000

---- Files - GMER 1.0.11 ----

File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
File C:\Documents and Settings\shawnn.THEVARK\Application Data\Mozilla\Firefox\Profiles\m9reetxw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[3].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\1[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\2[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\2[3].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\OTINK9AJ\1[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\OTINK9AJ\2[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\S3810REP\1[2].htm
ADS C:\Documents and Settings\shawnn.THEVARK\My Documents\aardvark all.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\shawnn.THEVARK\My Documents\aardvark all.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
File C:\Program Files\Java\j2re1.4.2\bin\jdriver.dll
File C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

File C:\Program Files\WildTangent
File C:\Program Files\WildTangent\Apps
File C:\Program Files\WildTangent\Apps\ActiveLauncher
File C:\Program Files\WildTangent\Apps\ActiveLauncher\ActiveLauncher.ini
File C:\Program Files\WildTangent\Apps\CDA
File C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher.ini
File C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher0101.dll
File C:\Program Files\WildTangent\Apps\CDA\CDAEngine0400.dll
File C:\Program Files\WildTangent\Apps\CDA\CDALogger.dll
File C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\about.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\cache.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DRM
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\index.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\nav.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\Webd
File C:\Program Files\WildTangent\Apps\CDA\GameData
File C:\Program Files\WildTangent\Apps\CDA\OtherLicenses.txt
File C:\Program Files\WildTangent\Apps\CDA\wt.ico
File C:\Program Files\WildTangent\Apps\DRM0302.dll
File C:\Program Files\WildTangent\Apps\DRM0302java.jar
File C:\Program Files\WildTangent\Components
File C:\Program Files\WildTangent\Components\wtAppConfig0200.dll
File C:\Program Files\WildTangent\Components\wtCache0200.dll
File C:\Program Files\WildTangent\Components\wtCookie0200.dll
File C:\Program Files\WildTangent\Components\wtDownloader0200.dll
File C:\Program Files\WildTangent\Components\wtGameData0200.dll
File C:\Program Files\WildTangent\Components\wtGUI0200.dll
File C:\Program Files\WildTangent\Components\wtIO0200.dll
File C:\Program Files\WildTangent\Components\wtKernel0200.dll
File C:\Program Files\WildTangent\Components\wtLua0200.dll
File C:\Program Files\WildTangent\Components\wtNetworking0200.dll
File C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll
File C:\Program Files\WildTangent\Components\wtScript0200.dll
File C:\Program Files\WildTangent\Components\wtSerialization0200.dll
File C:\Program Files\WildTangent\Components\wtStreamProcessing0200.dll
File C:\Program Files\WildTangent\Components\wtSystem0200.dll
File C:\Program Files\WildTangent\Components\wtSystemConfig0200.dll
File C:\Program Files\WildTangent\Components\wtUserSupport0200.dll
File C:\Program Files\WildTangent\LFS
File C:\Program Files\WildTangent\LFS\ActiveLauncher
File C:\Program Files\WildTangent\LFS\AppConfig
File C:\Program Files\WildTangent\LFS\Cache
File C:\Program Files\WildTangent\LFS\CDAData
File C:\Program Files\WildTangent\LFS\CDAData\Checkin
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\download.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\downloadTrayIconData.cdas
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\icon.ico
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\installTrayIconData.cdas
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_complete.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_progress.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuse.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuseitems.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\items.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bc.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bl.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\br.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\btm.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\header.jpg
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\le.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\mb.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\re.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\inuse.html
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\items.html
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\style.css
File C:\Program Files\WildTangent\LFS\Scripts
File C:\Program Files\WildTangent\LFS\Scripts\Common
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Files.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_LFSInit.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Registry.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Scheduler.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_String.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_User.cdas

good god this thing is long!!!!

File C:\Program Files\WildTangent\LFS\Scripts\Common\DpidLibrary_01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\MasterUpdateLibrary_01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\UI_Stub.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded\MasterUpdate.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded\SystemConfigurationUpload.cdas
File C:\Program Files\WildTangent\LFS\Scripts\GameData.log
File C:\Program Files\WildTangent\LFS\Scripts\Install
File C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\UI_checkin.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\UI_stub.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_filelist.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\_6095B9CF_DD6F_4F94_91A3_156A8D9006A1_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DRM0302.cdanfo
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Uninstaller.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd331.cdanfo
File C:\Program Files\WildTangent\LFS\System
File C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateLibrary01.cdas
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateQuick.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateQuick.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateRestart.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateRestart.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaes
File C:\Program Files\WildTangent\LicenseStores\WT\a14fd069-5c46-4863-a07b-4d03ce7fc46c.wtlic
File C:\Program Files\WildTangent\LicenseStores\WT\A7456F43-E255-4c09-90BD-81EC82890C69.wtlic
File C:\Program Files\WildTangent\LicenseStores\WT\ceb1265a-b646-4bd4-a56c-635a23d3f07a.wtlic
File C:\WINNT\system32\wshtcpip.dll
File C:\WINNT\system32\wtcpl.cpl

---- EOF - GMER 1.0.11 ----

So oddly enough I walk into work this morning where my laptop has been mindlessly idling for a few days and it was displaying the classic BLUE SCREEN OF DEATH!!!!!

Is that a bad thing?
I was told that "that's a feature"...and that I "pay extra for that"? Is that true?

:cool:

Hello,

Did it reboot for you?

Yep....and its just been sitting idle since....well except for the annoying occasional message that spyware is trying to run.

Hello there,

What annoying message? Can you tell me exactly please?

Due to lack of responses this thread is closed
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.