View Full Version : Another cmdservice
I know that this has been posted a million times but my mediocre computer skills don't allow me to follow the other threads. Here's the deal: I was browsing around the other day when a dialog box saying 'readline' and a bunch of numbers/symbols/letters popped up. I usually ignore such things, but this time I clicked 'ok' or whatever and a bunch of popups popped up. I've been fighting it since. I've run Spybot a couple times and cmdservice is always unable to be removed. It gets a lot of other stuff, but not this. Here's my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:36:04 PM, on 11/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\VmFsdWVkIFNvbnkgQ3VzdG9tZXI\command.exe
C:\WINNT\system32\cusrvc.exe
C:\WINNT\System32\FEELitDM.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\wm.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\Logi_MwX.Exe
C:\Program Files\Common Files\AOL\1155528407\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\sys11-1607196935.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\jakthkhA.exe
C:\WINNT\cfg32.exe
C:\windows_e56.exe
C:\DOCUME~1\aldern\MYDOCU~1\CROSOF~1\services.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
c:\winnt\system32\dwdsregt.exe
C:\WINNT\cfg32a.exe
C:\WINNT\v1201.exe
c:\dfndrff_e57.exe
c:\kybrdff_e57.exe
c:\nwnmff_e57.exe
C:\WINNT\Duce6.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\System32\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\Ben\HijackThis.exe
...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\aaofp.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,luvibxl.exe
O1 - Hosts: 63.162.160.101 kaweb.kleinfelder.com kaweb as41d.kleinfelder.com es45 # old .8
O1 - Hosts: 63.162.160.102 citrix01.kleinfelder.com citrix01 # old .12
O1 - Hosts: 63.162.160.103 citrix02.kleinfelder.com citrix02 # old .6
O1 - Hosts: 63.162.160.104 kaweb2.kleinfelder.com kaweb2 # old .4
O1 - Hosts: 63.162.160.105 saclib.kleinfelder.com saclib
O1 - Hosts: 63.162.160.106 klinet.kleinfelder.com klinet # old .10
O1 - Hosts: 63.162.160.107 citrix03.kleinfelder.com citrix03 # old .9
O1 - Hosts: 63.162.160.108 kaweb3.kleinfelder.com kaweb3
O1 - Hosts: 63.162.160.110 dakota.kleinfelder.com dakota # old .3
O1 - Hosts: 63.162.160.111 apache.kleinfelder.com apache
O1 - Hosts: 63.162.160.112 klivax.kleinfelder.com klivax sherlock.kleinfelder.com sherlock # old .5
O1 - Hosts: 63.162.160.113 voffice.kleinfelder.com voffice
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IDesktop] C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe 1
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155528407\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sys11-1607196935] C:\WINNT\sys11-1607196935.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\jpxbqs.exe reg_run
O4 - HKLM\..\Run: [jakthkhA] C:\WINNT\jakthkhA.exe
O4 - HKLM\..\Run: [hfqff9a9] RUNDLL32.EXE w0eda932.dll,n 006ff9a3000000030eda932
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e56.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e57.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e57.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e57.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\aldern\MYDOCU~1\CROSOF~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: TA_Start.lnk = C:\TIGEN001.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162056901253
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O18 - Protocol: bw+0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VmFsdWVkIFNvbnkgQ3VzdG9tZXI\command.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FEELitDM - Immersion Corporation - C:\WINNT\System32\FEELitDM.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINNT\system32\HPZipm12.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
I seriously appreciate any responses. Thanks tons!
JB
Hi jagoy and welcome to Safer Networking Forums :)
You got a nice collection of infections there....
You should print these instructions or save these to a text file. Follow these instructions carefully.
1. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.
4.When normal mode: Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
aldern - Wed 11/15/2006 15:57:02.46 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Program Files\Mozilla Firefox"
((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))
* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *
O4 - HKCU\...\Run C:\WINNT\system32\jpxbqs.exe
O4 - HKLM\...\Run C:\WINNT\system32\jpxbqs.exe
O4 - HKLM\...\Run C:\WINNT\system32\jpxbqs.exe
F2 -REG:system.ini: Shell C:\WINNT\system32\aaofp.exe
F2 -REG:system.ini: UserInit C:\WINNT\system32\luvibxl.exe
* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *
C:\WINNT\system32\jpxbqs.exe
C:\WINNT\system32\pxxbhbw.dll
C:\WINNT\system32\luvibxl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cxkcw.exe
C:\WINNT\ilfhh.dll
C:\WINNT\system32\pnmec.dat
C:\WINNT\system32\aaofp.exe
* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
06-11-13 22:37 127488 cxkcw.exe.qoo
06-11-13 22:37 127488 jpxbqs.exe.qoo
06-11-14 15:54 127488 pnmec.dat.qoo
06-11-13 22:37 51712 pxxbhbw.dll.qoo
06-11-13 22:37 28672 aaofp.exe.qoo
06-11-13 22:37 23552 luvibxl.exe.qoo
06-11-13 22:49 53 bowqqq.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINNT\system32\dxclib303562752.dll
C:\Documents and Settings\aldern\Application Data\Dxcknwrd.dll
C:\Documents and Settings\aldern\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\aldern\Application Data\Dxcdmns.dll
C:\WINNT\system32\bkd.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\MTE3NDI6ODoxNg14112006.exe
C:\tigen001.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Accessories\kyzevek.html
C:\Program Files\CONEXANT\howysyhuf.html
C:\dollarrev.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Deskbar
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\aldern\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\aldern\My Documents\CROSOF~1\??curity
C:\QooBox\Purity\Documents and Settings\aldern\My Documents\CROSOF~1\services.exe
((((((((((((((((((((((((((((((( Files Created from 2006-10-15 to 2006-11-15 ))))))))))))))))))))))))))))))))))
2006-11-15 15:50 106,496 --a------ C:\WINNT\Sloopy7.exe
2006-11-15 15:49 167,936 --a------ C:\WINNT\sys02607196935-1.exe
2006-11-15 15:49 110,592 --a------ C:\WINNT\v1201.exe
2006-11-15 15:06 131,072 --a------ C:\WINNT\system32\fhtv.dll
2006-11-14 15:56 45,056 --a------ C:\WINNT\cfg32s.dll
2006-11-14 15:56 110,592 --a------ C:\WINNT\cfg32o.dll
2006-11-14 15:56 102,400 --a------ C:\WINNT\cfg32r.dll
2006-11-14 06:18 60,436 --a------ C:\WINNT\system32\nlsgxgsy.dll
2006-11-14 06:18 110,612 --a------ C:\WINNT\system32\wchimdva.exe
2006-11-13 22:39 6,687 --a------ C:\WINNT\system32\ldcore.dll
2006-11-13 22:38 978 --a------ C:\WINNT\system32\winpfg32.sys
2006-11-13 22:38 69,632 --a------ C:\WINNT\system32\cdakdpil.dll
2006-11-13 22:38 62,976 --a------ C:\WINNT\system32\hfqff9a9.dll
2006-11-13 22:38 397,312 --a------ C:\WINNT\cfg32p.dll
2006-11-13 22:38 2 --a------ C:\WINNT\system32\wcpcc.exe
2006-11-13 22:38 106,496 --a------ C:\WINNT\system32\DomainHelper.dll
2006-11-13 22:38 1,335 --a------ C:\WINNT\system32\hfqff9a9.sys
2006-11-13 22:37 767,376 -r-hs---- C:\WINNT\jakthkhA.exe
2006-11-13 22:37 55,808 --a------ C:\WINNT\jakthkh.exe
2006-11-13 22:37 445 --a------ C:\WINNT\ilfhh.dll
2006-11-13 22:37 356,352 --a------ C:\162.exe
2006-11-13 22:36 40,973 ---hs---- C:\WINNT\system32\efcayay.dll
2006-11-13 22:36 323,072 --a------ C:\165.exe
2006-11-13 22:36 217,276 --a------ C:\WINNT\srviyzfn.exe
2006-11-13 22:36 20,480 --a------ C:\WINNT\stub_mm3.exe
2006-10-28 11:33 465,176 --a------ C:\WINNT\system32\wuapi.dll
2006-10-28 11:33 41,240 --a------ C:\WINNT\system32\wups.dll
2006-10-28 11:33 194,328 --a------ C:\WINNT\system32\wuaueng1.dll
2006-10-28 11:33 18,200 --a------ C:\WINNT\system32\wups2.dll
2006-10-28 11:33 172,312 --a------ C:\WINNT\system32\wuauclt1.exe
2006-10-28 11:33 127,256 --a------ C:\WINNT\system32\wucltui.dll
2006-10-28 10:42 977,680 --a------ C:\WINNT\system32\vfpodbc.dll
2006-10-28 10:42 92,432 --a------ C:\WINNT\system32\xactsrv.dll
2006-10-28 10:42 90,384 --a------ C:\WINNT\system32\trkwks.dll
2006-10-28 10:42 83,888 --a------ C:\WINNT\system32\vga.dll
2006-10-28 10:42 8,464 --a------ C:\WINNT\system32\wshirda.dll
2006-10-28 10:42 79,120 --a------ C:\WINNT\system32\winscard.dll
2006-10-28 10:42 74,512 --a------ C:\WINNT\system32\wmicore.dll
2006-10-28 10:42 69,904 --a------ C:\WINNT\system32\ws2_32.dll
2006-10-28 10:42 68,368 --a------ C:\WINNT\system32\unimdmat.dll
2006-10-28 10:42 59,152 --a------ C:\WINNT\system32\winfax.dll
2006-10-28 10:42 57,616 --a------ C:\WINNT\system32\wlnotify.dll
2006-10-28 10:42 55,056 --a------ C:\WINNT\system32\tlntsess.exe
2006-10-28 10:42 49,776 --------- C:\WINNT\system32\drivers\usbhub20.sys
2006-10-28 10:42 42,768 --a------ C:\WINNT\system32\webhits.dll
2006-10-28 10:42 4,368 --a------ C:\WINNT\system32\winver.exe
2006-10-28 10:42 39,696 --a------ C:\WINNT\system32\wsnmp32.dll
2006-10-28 10:42 39,184 --a------ C:\WINNT\system32\winsta.dll
2006-10-28 10:42 315,664 --a------ C:\WINNT\system32\usp10.dll
2006-10-28 10:42 31,504 --a------ C:\WINNT\system32\traffic.dll
2006-10-28 10:42 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-10-28 10:42 29,968 --a------ C:\WINNT\system32\wpnpinst.exe
2006-10-28 10:42 28,400 --a------ C:\WINNT\system32\wupdinfo.dll
2006-10-28 10:42 270,608 --a------ C:\WINNT\winhlp32.exe
2006-10-28 10:42 26,384 --a------ C:\WINNT\system32\utildll.dll
2006-10-28 10:42 240,912 --a------ C:\WINNT\system32\wow32.dll
2006-10-28 10:42 24,848 --a------ C:\WINNT\system32\spdwnw2k.exe
2006-10-28 10:42 239,376 --a------ C:\WINNT\system32\winsmon.dll
2006-10-28 10:42 22,800 --a------ C:\WINNT\system32\utilman.exe
2006-10-28 10:42 21,776 --a------ C:\WINNT\system32\wsock32.dll
2006-10-28 10:42 21,776 --------- C:\WINNT\system32\spupdw2k.exe
2006-10-28 10:42 193,296 --a------ C:\WINNT\winrep.exe
2006-10-28 10:42 19,728 --------- C:\WINNT\system32\drivers\usbehci.sys
2006-10-28 10:42 186,128 --a------ C:\WINNT\system32\tlntsvr.exe
2006-10-28 10:42 17,680 --a------ C:\WINNT\system32\wshtcpip.dll
2006-10-28 10:42 162,064 --a------ C:\WINNT\system32\WLDAP32.DLL
2006-10-28 10:42 16,144 --a------ C:\WINNT\system32\version.dll
2006-10-28 10:42 155,920 --a------ C:\WINNT\system32\wavemsp.dll
2006-10-28 10:42 15,872 --------- C:\WINNT\system32\spupdsvc.exe
2006-10-28 10:42 14,608 --a------ C:\WINNT\system32\uniplat.dll
2006-10-28 10:42 138,288 --------- C:\WINNT\system32\drivers\usbport.sys
2006-10-28 10:42 11,536 --a------ C:\WINNT\system32\usbmon.dll
2006-10-28 10:42 10,000 --a------ C:\WINNT\system32\wshatm.dll
2006-10-28 10:41 97,040 --a------ C:\WINNT\system32\rtm.dll
2006-10-28 10:41 95,504 --a------ C:\WINNT\system32\netman.dll
2006-10-28 10:41 95,024 --a------ C:\WINNT\system32\sfc.dll
2006-10-28 10:41 90,112 --a------ C:\WINNT\system32\odbcint.dll
2006-10-28 10:41 9,216 --a------ C:\WINNT\system32\wuauserv.dll
2006-10-28 10:41 89,600 --a------ C:\WINNT\system32\nlhtml.dll
2006-10-28 10:41 87,312 --a------ C:\WINNT\system32\TASKMGR.EXE
2006-10-28 10:41 85,776 --a------ C:\WINNT\system32\smlogsvc.exe
2006-10-28 10:41 85,776 --a------ C:\WINNT\system32\ntsdexts.dll
2006-10-28 10:41 831,760 --a------ C:\WINNT\system32\mswdat10.dll
2006-10-28 10:41 81,168 --a------ C:\WINNT\system32\stobject.dll
2006-10-28 10:41 80,144 --a------ C:\WINNT\system32\telnet.exe
2006-10-28 10:41 79,632 --a------ C:\WINNT\system32\ntdskcc.dll
2006-10-28 10:41 77,584 --a------ C:\WINNT\system32\scripto.dll
2006-10-28 10:41 77,072 --a------ C:\WINNT\system32\rsvpsp.dll
2006-10-28 10:41 76,560 --a------ C:\WINNT\system32\msw3prt.dll
2006-10-28 10:41 73,488 --a------ C:\WINNT\regedit.exe
2006-10-28 10:41 71,952 --a------ C:\WINNT\system32\netui0.dll
2006-10-28 10:41 70,928 --a------ C:\WINNT\system32\olethk32.dll
2006-10-28 10:41 7,440 --a------ C:\WINNT\system32\svcpack.dll
2006-10-28 10:41 7,440 --a------ C:\WINNT\system32\sensapi.dll
2006-10-28 10:41 7,440 --a------ C:\WINNT\system32\msswchx.exe
2006-10-28 10:41 692,496 --a------ C:\WINNT\system32\OPENGL32.DLL
2006-10-28 10:41 69,392 --a------ C:\WINNT\system32\shim.dll
2006-10-28 10:41 68,368 --a------ C:\WINNT\system32\regsvc.exe
2006-10-28 10:41 67,344 --a------ C:\WINNT\system32\ntdsetup.dll
2006-10-28 10:41 65,601 --a------ C:\WINNT\system32\servdeps.dll
2006-10-28 10:41 64,272 --a------ C:\WINNT\system32\mswsock.dll
2006-10-28 10:41 63,248 --a------ C:\WINNT\system32\RASSCRPT.DLL
2006-10-28 10:41 62,736 --a------ C:\WINNT\system32\sstext3d.scr
2006-10-28 10:41 614,672 --a------ C:\WINNT\system32\mswstr10.dll
2006-10-28 10:41 61,712 --a------ C:\WINNT\system32\stisvc.exe
2006-10-28 10:41 60,688 --a------ C:\WINNT\system32\RASCHAP.DLL
2006-10-28 10:41 6,928 --a------ C:\WINNT\system32\skdll.dll
2006-10-28 10:41 6,928 --------- C:\WINNT\system32\perfvd.exe
2006-10-28 10:41 57,616 --a------ C:\WINNT\system32\ntdsapi.dll
2006-10-28 10:41 57,104 --a------ C:\WINNT\system32\ocmanage.dll
2006-10-28 10:41 57,104 --a------ C:\WINNT\system32\mydocs.dll
2006-10-28 10:41 55,056 --------- C:\WINNT\system32\authz.dll
2006-10-28 10:41 547,600 --a------ C:\WINNT\system32\netcfgx.dll
2006-10-28 10:41 53,520 --a------ C:\WINNT\system32\odbcji32.dll
2006-10-28 10:41 53,520 --a------ C:\WINNT\system32\ntmsapi.dll
2006-10-28 10:41 53,008 --a------ C:\WINNT\system32\packager.exe
2006-10-28 10:41 52,496 --------- C:\WINNT\system32\wzcdlg.dll
2006-10-28 10:41 514,320 --a------ C:\WINNT\system32\msxml.dll
2006-10-28 10:41 48,912 --a------ C:\WINNT\system32\secur32.dll
2006-10-28 10:41 48,200 --------- C:\WINNT\system32\scrdx86.dll
2006-10-28 10:41 48,200 --------- C:\WINNT\system32\scrdenrl.dll
2006-10-28 10:41 477,456 --a------ C:\WINNT\system32\netshell.dll
2006-10-28 10:41 47,888 --a------ C:\WINNT\system32\ssbezier.scr
2006-10-28 10:41 47,104 --a------ C:\WINNT\system32\MSPRIVS.DLL
2006-10-28 10:41 45,840 --a------ C:\WINNT\system32\skeys.exe
2006-10-28 10:41 45,840 --------- C:\WINNT\system32\msmqprop.exe
2006-10-28 10:41 446,224 --a------ C:\WINNT\system32\oakley.dll
2006-10-28 10:41 444,176 --a------ C:\WINNT\system32\oieng400.dll
2006-10-28 10:41 44,816 --a------ C:\WINNT\system32\rsm.exe
2006-10-28 10:41 431,888 --a------ C:\WINNT\system32\riched20.dll
2006-10-28 10:41 422,160 --a------ C:\WINNT\system32\msrd2x40.dll
2006-10-28 10:41 419,600 --a------ C:\WINNT\system32\ssmaze.scr
2006-10-28 10:41 41,744 --a------ C:\WINNT\system32\tcpmon.dll
2006-10-28 10:41 41,744 --a------ C:\WINNT\system32\sti.dll
2006-10-28 10:41 41,744 --a------ C:\WINNT\system32\ssflwbox.scr
2006-10-28 10:41 41,232 --a------ C:\WINNT\system32\odbcconf.exe
2006-10-28 10:41 41,232 --a------ C:\WINNT\system32\odbcconf.dll
2006-10-28 10:41 401,168 --a------ C:\WINNT\system32\ntmssvc.dll
2006-10-28 10:41 40,720 --a------ C:\WINNT\system32\RESUTILS.DLL
2006-10-28 10:41 4,880 --a------ C:\WINNT\system32\NDDEAPIR.EXE
2006-10-28 10:41 39,936 --a------ C:\WINNT\system32\msisip.dll
2006-10-28 10:41 38,672 --a------ C:\WINNT\system32\ssmarque.scr
2006-10-28 10:41 38,160 --a------ C:\WINNT\system32\sens.dll
2006-10-28 10:41 375,568 --a------ C:\WINNT\system32\tapi3.dll
2006-10-28 10:41 37,136 --a------ C:\WINNT\system32\ODBCAD32.exe
2006-10-28 10:41 36,624 --a------ C:\WINNT\system32\ssmyst.scr
2006-10-28 10:41 36,624 --a------ C:\WINNT\system32\RNR20.DLL
2006-10-28 10:41 36,112 --a------ C:\WINNT\system32\regapi.dll
2006-10-28 10:41 35,648 --a------ C:\WINNT\system32\ntio411.sys
2006-10-28 10:41 35,600 --a------ C:\WINNT\system32\storprop.dll
2006-10-28 10:41 35,408 --a------ C:\WINNT\system32\ntio412.sys
2006-10-28 10:41 35,088 --a------
C:\WINNT\system32\MSSIGN32.DLL
2006-10-28 10:41 34,816 --------- C:\WINNT\system32\msiregmv.exe
2006-10-28 10:41 34,576 --------- C:\WINNT\system32\wzcsetup.exe
2006-10-28 10:41 34,544 --a------ C:\WINNT\system32\ntio804.sys
2006-10-28 10:41 34,544 --a------ C:\WINNT\system32\ntio404.sys
2006-10-28 10:41 33,824 --a------ C:\WINNT\system32\NTIO.SYS
2006-10-28 10:41 33,552 --a------ C:\WINNT\system32\shmgrate.exe
2006-10-28 10:41 33,040 --a------ C:\WINNT\system32\ssstars.scr
2006-10-28 10:41 32,016 --a------ C:\WINNT\system32\ntdsatq.dll
2006-10-28 10:41 315,664 --a------ C:\WINNT\system32\msrd3x40.dll
2006-10-28 10:41 29,968 --a------ C:\WINNT\system32\profmap.dll
2006-10-28 10:41 29,968 --a------ C:\WINNT\system32\ntdsbsrv.dll
2006-10-28 10:41 29,968 --------- C:\WINNT\system32\wzcsapi.dll
2006-10-28 10:41 29,456 --a------ C:\WINNT\system32\perfproc.dll
2006-10-28 10:41 286,773 --a------ C:\WINNT\system32\msvcrt.dll
2006-10-28 10:41 285,456 --a------ C:\WINNT\system32\smlogcfg.dll
2006-10-28 10:41 28,432 --a------ C:\WINNT\system32\scrnsave.scr
2006-10-28 10:41 28,432 --a------ C:\WINNT\system32\ntdsbcli.dll
2006-10-28 10:41 270,608 --a------ C:\WINNT\system32\odbcjt32.dll
2006-10-28 10:41 26,896 --a------ C:\WINNT\system32\NETSTAT.EXE
2006-10-28 10:41 26,624 --a------ C:\WINNT\system32\msxmlr.dll
2006-10-28 10:41 25,360 --a------ C:\WINNT\system32\rsfsaps.dll
2006-10-28 10:41 25,360 --a------ C:\WINNT\system32\rapilib.dll
2006-10-28 10:41 246,544 --a------ C:\WINNT\system32\strmdll.dll
2006-10-28 10:41 244,224 --a------ C:\WINNT\system32\qmgr.dll
2006-10-28 10:41 24,848 --a------ C:\WINNT\system32\sqlwid.dll
2006-10-28 10:41 24,848 --a------ C:\WINNT\system32\perfdisk.dll
2006-10-28 10:41 24,848 --a------ C:\WINNT\system32\ODBC32GT.dll
2006-10-28 10:41 24,848 --a------ C:\WINNT\system32\narrator.exe
2006-10-28 10:41 24,336 --a------ C:\WINNT\system32\rpcns4.dll
2006-10-28 10:41 24,336 --------- C:\WINNT\system32\ftpqfe.exe
2006-10-28 10:41 221,456 --a------ C:\WINNT\system32\osk.exe
2006-10-28 10:41 22,800 --a------ C:\WINNT\system32\routeext.dll
2006-10-28 10:41 217,360 --a------ C:\WINNT\system32\ODBC32.dll
2006-10-28 10:41 214,800 --a------ C:\WINNT\system32\objsel.dll
2006-10-28 10:41 214,288 --a------ C:\WINNT\system32\snmpsnap.dll
2006-10-28 10:41 21,264 --a------ C:\WINNT\system32\stimon.exe
2006-10-28 10:41 200,976 --a------ C:\WINNT\system32\odbccu32.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\sclgntfy.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\odtext32.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\odpdx32.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\odfox32.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\odexl32.dll
2006-10-28 10:41 20,752 --a------ C:\WINNT\system32\oddbse32.dll
2006-10-28 10:41 20,208 --------- C:\WINNT\system32\drivers\msircomm.sys
2006-10-28 10:41 198,928 --a------ C:\WINNT\system32\rasppp.dll
2006-10-28 10:41 196,880 --a------ C:\WINNT\system32\odbccr32.dll
2006-10-28 10:41 195,856 --------- C:\WINNT\system32\wzcsvc.dll
2006-10-28 10:41 187,664 --a------ C:\WINNT\system32\thumbvw.dll
2006-10-28 10:41 187,024 --a------ C:\WINNT\system32\spcmdcon.sys
2006-10-28 10:41 18,432 --a------ C:\WINNT\system32\qmgrprxy.dll
2006-10-28 10:41 18,192 --------- C:\WINNT\system32\sp4iis.exe
2006-10-28 10:41 176,912 --a------ C:\WINNT\system32\rsvp.exe
2006-10-28 10:41 173,840 --a------ C:\WINNT\system32\netplwiz.dll
2006-10-28 10:41 173,328 --a------ C:\WINNT\system32\tapisrv.dll
2006-10-28 10:41 173,328 --a------ C:\WINNT\system32\ntmsdba.dll
2006-10-28 10:41 17,680 --a------ C:\WINNT\system32\tftp.exe
2006-10-28 10:41 17,680 --a------ C:\WINNT\system32\SNMPAPI.DLL
2006-10-28 10:41 17,168 --a------ C:\WINNT\system32\secedit.exe
2006-10-28 10:41 165,136 --a------ C:\WINNT\system32\ntdsutil.exe
2006-10-28 10:41 164,112 --a------ C:\WINNT\system32\OLEPRO32.DLL
2006-10-28 10:41 16,144 --a------ C:\WINNT\system32\NDDEAPI.DLL
2006-10-28 10:41 155,920 --a------ C:\WINNT\system32\ODBCTRAC.dll
2006-10-28 10:41 155,920 --a------ C:\WINNT\system32\msorcl32.dll
2006-10-28 10:41 154,896 --a------ C:\WINNT\system32\rasmontr.dll
2006-10-28 10:41 151,824 --a------ C:\WINNT\system32\pdh.dll
2006-10-28 10:41 15,120 --a------ C:\WINNT\system32\sisbkup.dll
2006-10-28 10:41 147,216 --a------ C:\WINNT\system32\dssenh.dll
2006-10-28 10:41 146,192 --a------ C:\WINNT\system32\polstore.dll
2006-10-28 10:41 14,608 --a------ C:\WINNT\system32\RASSAPI.DLL
2006-10-28 10:41 14,608 --a------ C:\WINNT\system32\msswch.dll
2006-10-28 10:41 14,096 --a------ C:\WINNT\system32\rsh.exe
2006-10-28 10:41 139,536 --a------ C:\WINNT\system32\regedt32.exe
2006-10-28 10:41 138,000 --a------ C:\WINNT\system32\ss3dfo.scr
2006-10-28 10:41 134,928 --a------ C:\WINNT\system32\rsaenh.dll
2006-10-28 10:41 132,368 --a------ C:\WINNT\system32\RSABASE.DLL
2006-10-28 10:41 131,344 --a------ C:\WINNT\system32\netid.dll
2006-10-28 10:41 13,584 --a------ C:\WINNT\system32\powrprof.dll
2006-10-28 10:41 13,072 --a------ C:\WINNT\system32\tcpmib.dll
2006-10-28 10:41 13,072 --a------ C:\WINNT\system32\spiisupd.exe
2006-10-28 10:41 126,736 --a------ C:\WINNT\system32\TAPI32.DLL
2006-10-28 10:41 124,176 --a------ C:\WINNT\system32\net1.exe
2006-10-28 10:41 116,496 --a------ C:\WINNT\system32\msvfw32.dll
2006-10-28 10:41 113,936 --a------ C:\WINNT\system32\newdev.dll
2006-10-28 10:41 111,888 --a------ C:\WINNT\system32\polagent.dll
2006-10-28 10:41 110,352 --a------ C:\WINNT\system32\mycomput.dll
2006-10-28 10:41 110,080 --a------ C:\WINNT\system32\offfilt.dll
2006-10-28 10:41 11,984 --------- C:\WINNT\system32\drivers\ndisuio.sys
2006-10-28 10:41 11,536 --------- C:\WINNT\system32\sptsupd.exe
2006-10-28 10:41 11,024 --a------ C:\WINNT\system32\REGSVR32.EXE
2006-10-28 10:41 11,024 --a------ C:\WINNT\system32\msrle32.dll
2006-10-28 10:41 108,816 --a------ C:\WINNT\system32\NETDDE.EXE
2006-10-28 10:41 108,304 --a------ C:\WINNT\system32\rsnotify.exe
2006-10-28 10:41 107,792 --a------ C:\WINNT\system32\sndrec32.exe
2006-10-28 10:41 106,256 --a------ C:\WINNT\system32\oleprn.dll
2006-10-28 10:41 105,232 --a------ C:\WINNT\system32\rend.dll
2006-10-28 10:41 102,672 --a------ C:\WINNT\system32\odbccp32.dll
2006-10-28 10:41 102,672 --a------ C:\WINNT\system32\NTMARTA.DLL
2006-10-28 10:41 102,160 --a------ C:\WINNT\system32\sspipes.scr
2006-10-28 10:41 100,624 --a------ C:\WINNT\system32\rastls.dll
2006-10-28 10:41 10,288 --------- C:\WINNT\system32\drivers\irenum.sys
2006-10-28 10:41 10,000 --a------ C:\WINNT\system32\runas.exe
2006-10-28 10:41 1,427,216 --a------ C:\WINNT\system32\query.dll
2006-10-28 10:41 1,385,744 --a------ C:\WINNT\system32\MSVBVM60.DLL
2006-10-28 10:40 99,088 --a------ C:\WINNT\system32\modemui.dll
2006-10-28 10:40 97,040 --a------ C:\WINNT\system32\iasrad.dll
2006-10-28 10:40 96,528 --a------ C:\WINNT\system32\imm32.dll
2006-10-28 10:40 92,032 --a------ C:\WINNT\system32\KRNL386.EXE
2006-10-28 10:40 847,872 --a------ C:\WINNT\system32\msimsg.dll
2006-10-28 10:40 835,856 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-10-28 10:40 81,978 --a------ C:\WINNT\system32\hlink.dll
2006-10-28 10:40 76,560 --a------ C:\WINNT\system32\hotplug.dll
2006-10-28 10:40 76,048 --a------ C:\WINNT\system32\mdhcp.dll
2006-10-28 10:40 75,536 --a------ C:\WINNT\system32\iasads.dll
2006-10-28 10:40 73,488 --a------ C:\WINNT\system32\irmon.dll
2006-10-28 10:40 72,464 --a------ C:\WINNT\system32\isign32.dll
2006-10-28 10:40 69,904 --a------ C:\WINNT\system32\mprddm.dll
2006-10-28 10:40 66,832 --a------ C:\WINNT\system32\inetpp.dll
2006-10-28 10:40 66,320 --a------ C:\WINNT\system32\LOADPERF.DLL
2006-10-28 10:40 64,512 --a------ C:\WINNT\system32\msiexec.exe
2006-10-28 10:40 603,408 --a------ C:\WINNT\system32\mmc.exe
2006-10-28 10:40 60,176 --a------ C:\WINNT\system32\iassvcs.dll
2006-10-28 10:40 60,176 --a------ C:\WINNT\system32\iasnap.dll
2006-10-28 10:40 6,928 --a------ C:\WINNT\system32\KBDCA.DLL
2006-10-28 10:40 6,416 --------- C:\WINNT\system32\hccoin.dll
2006-10-28 10:40 57,296 --a------ C:\WINNT\system32\drivers\irda.sys
2006-10-28 10:40 56,080 --a------ C:\WINNT\system32\mprui.dll
2006-10-28 10:40 53,520 --a------ C:\WINNT\system32\msjter40.dll
2006-10-28 10:40 512,272 --a------ C:\WINNT\system32\msexch40.dll
2006-10-28 10:40 49,936 --a------ C:\WINNT\system32\ixsso.dll
2006-10-28 10:40 48,400 --a------ C:\WINNT\system32\loghours.dll
2006-10-28 10:40 47,376 --a------ C:\WINNT\system32\mprdim.dll
2006-10-28 10:40 43,792 --a------ C:\WINNT\system32\magnify.exe
2006-10-28 10:40 42,809 --a------ C:\WINNT\system32\key01.sys
2006-10-28 10:40 42,537 --a------ C:\WINNT\system32\KEYBOARD.SYS
2006-10-28 10:40 4,368 --a------ C:\WINNT\system32\IPROP.DLL
2006-10-28 10:40 4,126 --a------ C:\WINNT\system32\msdxmlc.dll
2006-10-28 10:40 374,032 --a------ C:\WINNT\system32\JET500.DLL
2006-10-28 10:40 37,888 --a------ C:\WINNT\system32\hhsetup.dll
2006-10-28 10:40 305,664 --a------ C:\WINNT\system32\msihnd.dll
2006-10-28 10:40 29,456 --a------ C:\WINNT\system32\INETMIB1.DLL
2006-10-28 10:40 28,944 --a------ C:\WINNT\system32\iasacct.dll
2006-10-28 10:40 269,584 --a------ C:\WINNT\system32\iassdo.dll
2006-10-28 10:40 25,872 --a------ C:\WINNT\system32\LODCTR.EXE
2006-10-28 10:40 246,032 --a------ C:\WINNT\system32\localsec.dll
2006-10-28 10:40 245,008 --a------ C:\WINNT\system32\icm32.dll
2006-10-28 10:40 24,848 --a------ C:\WINNT\system32\msdart32.dll
2006-10-28 10:40 236,304 --a------ C:\WINNT\system32\msclus.dll
2006-10-28 10:40 213,264 --a------ C:\WINNT\system32\msltus40.dll
2006-10-28 10:40 21,776 --a------ C:\WINNT\system32\HTICONS.DLL
2006-10-28 10:40 206,096 --a------ C:\WINNT\system32\infosoft.dll
2006-10-28 10:40 20,752 --a------ C:\WINNT\system32\iasperf.dll
2006-10-28 10:40 20,240 --a------ C:\WINNT\system32\lpk.dll
2006-10-28 10:40 2,017,792 --a------ C:\WINNT\system32\msi.dll
2006-10-28 10:40 19,728 --a------ C:\WINNT\system32\mimefilt.dll
2006-10-28 10:40 19,728 --a------ C:\WINNT\system32\hidserv.exe
2006-10-28 10:40 18,192 --a------ C:\WINNT\system32\hid.dll
2006-10-28 10:40 169,232 --a------ C:\WINNT\system32\mobsync.dll
2006-10-28 10:40 163,088 --a------ C:\WINNT\system32\h323msp.dll
2006-10-28 10:40 159,504 --a------ C:\WINNT\system32\iprtrmgr.dll
2006-10-28 10:40 151,824 --a------ C:\WINNT\system32\msjint40.dll
2006-10-28 10:40 138,000 --a------ C:\WINNT\system32\INITPKI.DLL
2006-10-28 10:40 130,832 --a------ C:\WINNT\system32\logon.scr
2006-10-28 10:40 13,824 --a------ C:\WINNT\system32\mscpxl32.dLL
2006-10-28 10:40 122,128 --a------ C:\WINNT\system32\idq.dll
2006-10-28 10:40 111,376 --a------ C:\WINNT\system32\mobsync.exe
2006-10-28 10:40 108,816 --a------ C:\WINNT\system32\msafd.dll
2006-10-28 10:40 102,160 --a------ C:\WINNT\system32\mdminst.dll
2006-10-28 10:40 100,624 --a------ C:\WINNT\system32\iassam.dll
2006-10-28 10:40 10,752 --a------ C:\WINNT\hh.exe
2006-10-28 10:40 10,000 --a------ C:\WINNT\system32\lz32.dll
2006-10-28 10:40 1,015,859 --a------ C:\WINNT\system32\mfc42.dll
2006-10-28 10:40 1,011,764 --a------ C:\WINNT\system32\mfc42u.dll
2006-10-28 10:39 94,992 --a------ C:\WINNT\system32\FAXSVC.EXE
2006-10-28 10:39 92,944 --a------ C:\WINNT\system32\faxadmin.dll
2006-10-28 10:39 92,944 --a------ C:\WINNT\system32\dskquota.dll
2006-10-28 10:39 90,384 --a------ C:\WINNT\system32\CRYPTDLG.DLL
2006-10-28 10:39 82,704 --a------ C:\WINNT\system32\cmnquery.dll
2006-10-28 10:39 80,144 --a------ C:\WINNT\system32\faxcom.dll
2006-10-28 10:39 8,976 --a------ C:\WINNT\system32\autolfn.exe
2006-10-28 10:39 78,608 --a------ C:\WINNT\system32\avifil32.dll
2006-10-28 10:39 78,096 --a------ C:\WINNT\system32\aclui.dll
2006-10-28 10:39 77,584 --------- C:\WINNT\system32\gpresult.exe
2006-10-28 10:39 75,544 --a------ C:\WINNT\system32\cdm.dll
2006-10-28 10:39 74,810 --a------ C:\WINNT\system32\atl.dll
2006-10-28 10:39 74,512 --a------ C:\WINNT\system32\dsauth.dll
2006-10-28 10:39 7,440 --a------ C:\WINNT\system32\control.exe
2006-10-28 10:39 62,736 --a------ C:\WINNT\system32\adsmsext.dll
2006-10-28 10:39 62,224 --a------ C:\WINNT\system32\dfrgfat.exe
2006-10-28 10:39 568,592 --a------ C:\WINNT\system32\autofmt.exe
2006-10-28 10:39 55,568 --a------ C:\WINNT\system32\esentutl.exe
2006-10-28 10:39 55,568 --a------ C:\WINNT\system32\CLUSAPI.DLL
2006-10-28 10:39 50,620 --a------ C:\WINNT\system32\command.com
2006-10-28 10:39 50,448 --a------ C:\WINNT\system32\fdeploy.dll
2006-10-28 10:39 5,904 --a------ C:\WINNT\system32\dllhst3g.exe
2006-10-28 10:39 498,205 --a------ C:\WINNT\system32\dxmasf.dll
2006-10-28 10:39 45,328 --a------ C:\WINNT\system32\cmstp.exe
2006-10-28 10:39 44,304 --a------ C:\WINNT\system32\cryptdll.dll
2006-10-28 10:39 43,280 --a------ C:\WINNT\system32\dmutil.dll
2006-10-28 10:39 422,160 --a------ C:\WINNT\system32\certmgr.dll
2006-10-28 10:39 42,768 --a------ C:\WINNT\system32\dfrgsnap.dll
2006-10-28 10:39 41,744 --a------ C:\WINNT\system32\dsfolder.dll
2006-10-28 10:39 402,704 --a------ C:\WINNT\system32\cdonts.dll
2006-10-28 10:39 380,957 --a------ C:\WINNT\system32\expsrv.dll
2006-10-28 10:39 36,112 --a------ C:\WINNT\system32\cipher.exe
2006-10-28 10:39 33,040 --a------ C:\WINNT\system32\dbmsspxn.dll
2006-10-28 10:39 33,040 --a------ C:\WINNT\system32\dbmsadsn.dll
2006-10-28 10:39 316,176 --a------ C:\WINNT\system32\dmconfig.dll
2006-10-28 10:39 31,504 --a------ C:\WINNT\system32\atmlib.dll
2006-10-28 10:39 306,448 --a------ C:\WINNT\system32\dhcpmon.dll
2006-10-28 10:39 305,424 --a------ C:\WINNT\system32\gpedit.dll
2006-10-28 10:39 3,856 --------- C:\WINNT\system32\COMCAT.DLL
2006-10-28 10:39 299,792 --a------ C:\WINNT\system32\dsprop.dll
2006-10-28 10:39 294,672 --a------ C:\WINNT\system32\filemgmt.dll
2006-10-28 10:39 291,888 --a------ C:\WINNT\system32\atmfd.dll
2006-10-28 10:39 28,944 --a------ C:\WINNT\system32\dssec.dll
2006-10-28 10:39 265,488 --a------ C:\WINNT\system32\dxmrtp.dll
2006-10-28 10:39 25,872 --a------ C:\WINNT\system32\findstr.exe
2006-10-28 10:39 25,872 --a------ C:\WINNT\system32\conime.exe
2006-10-28 10:39 243,472 --a------ C:\WINNT\explorer.exe
2006-10-28 10:39 242,960 --a------ C:\WINNT\system32\cscui.dll
2006-10-28 10:39 24,848 --a------ C:\WINNT\system32\ds32gt.dll
2006-10-28 10:39 23,824 --a------ C:\WINNT\system32\at.exe
2006-10-28 10:39 226,576 --a------ C:\WINNT\system32\avtapi.dll
2006-10-28 10:39 224,016 --a------ C:\WINNT\system32\appmgr.dll
2006-10-28 10:39 221,968 --a------ C:\WINNT\system32\devmgr.dll
2006-10-28 10:39 22,800 --a------ C:\WINNT\system32\dfsshlex.dll
2006-10-28 10:39 22,288 --a------ C:\WINNT\system32\cmutil.dll
2006-10-28 10:39 219,920 --a------ C:\WINNT\system32\confmsp.dll
2006-10-28 10:39 201,488 --a------ C:\WINNT\system32\adsnt.dll
2006-10-28 10:39 200,976 --a------ C:\WINNT\system32\FONTEXT.DLL
2006-10-28 10:39 20,752 --a------ C:\WINNT\system32\batmeter.dll
2006-10-28 10:39 2,531,088 --a------ C:\WINNT\system32\cdosys.dll
2006-10-28 10:39 193,808 --a------ C:\WINNT\system32\cmdial32.dll
2006-10-28 10:39 187,152 --a------ C:\WINNT\system32\eudcedit.exe
2006-10-28 10:39 185,616 --a------ C:\WINNT\system32\faxt30.dll
2006-10-28 10:39 182,032 --a------ C:\WINNT\system32\activeds.dll
2006-10-28 10:39 174,864 --a------ C:\WINNT\system32\dmdlgs.dll
2006-10-28 10:39 164,112 --a------ C:\WINNT\system32\adsnds.dll
2006-10-28 10:39 163,600 --a------ C:\WINNT\system32\dmdskmgr.dll
2006-10-28 10:39 163,088 --a------ C:\WINNT\system32\dbghelp.dll
2006-10-28 10:39 16,144 --a------ C:\WINNT\system32\diskcopy.dll
2006-10-28 10:39 159,807 --a------ C:\WINNT\system32\cmprops.dll
2006-10-28 10:39 157,968 --a------ C:\WINNT\system32\els.dll
2006-10-28 10:39 157,456 --a------ C:\WINNT\system32\dsquery.dll
2006-10-28 10:39 156,944 --a------ C:\WINNT\system32\ciadmin.dll
2006-10-28 10:39 150,800 --a------ C:\WINNT\system32\accwiz.exe
2006-10-28 10:39 15,120 --a------ C:\WINNT\system32\faxdrv.dll
2006-10-28 10:39 147,728 --a------ C:\WINNT\system32\dmadmin.exe
2006-10-28 10:39 146,192 --a------ C:\WINNT\system32\dskquoui.dll
2006-10-28 10:39 145,680 --a------ C:\WINNT\system32\DSSBASE.DLL
2006-10-28 10:39 143,632 --------- C:\WINNT\system32\ASYCFILT.DLL
2006-10-28 10:39 14,096 --a------ C:\WINNT\system32\diskperf.exe
2006-10-28 10:39 14,096 --a------ C:\WINNT\system32\atkctrs.dll
2006-10-28 10:39 138,000 --a------ C:\WINNT\system32\faxui.dll
2006-10-28 10:39 135,440 --a------ C:\WINNT\system32\certcli.dll
2006-10-28 10:39 133,904 --a------ C:\WINNT\system32\adsldpc.dll
2006-10-28 10:39 130,832 --a------ C:\WINNT\system32\CLUSTER.EXE
2006-10-28 10:39 13,072 --a------ C:\WINNT\system32\dmintf.dll
2006-10-28 10:39 13,072 --a------ C:\WINNT\system32\CHKNTFS.EXE
2006-10-28 10:39 127,760 --a------ C:\WINNT\system32\capesnpn.dll
2006-10-28 10:39 125,712 --a------ C:\WINNT\system32\adsldp.dll
2006-10-28 10:39 122,368 --a------ C:\WINNT\system32\dmdskres.dll
2006-10-28 10:39 120,592 --a------ C:\WINNT\system32\appmgmts.dll
2006-10-28 10:39 12,048 --a------ C:\WINNT\system32\dmserver.dll
2006-10-28 10:39 118,544 --a------ C:\WINNT\system32\gptext.dll
2006-10-28 10:39 113,936 --a------ C:\WINNT\system32\DCOMCNFG.EXE
2006-10-28 10:39 112,400 --a------ C:\WINNT\system32\adsnw.dll
2006-10-28 10:39 110,864 --a------ C:\WINNT\system32\dsuiext.dll
2006-10-28 10:39 101,136 --a------ C:\WINNT\system32\cscdll.dll
2006-10-28 10:39 10,512 --a------ C:\WINNT\system32\dmremote.exe
2006-10-28 10:39 1,135,376 --a------ C:\WINNT\system32\esent.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-14 15:56 -------- d-------- C:\Documents and Settings\aldern\Application Data\SearchToolbarCorp
2006-11-14 06:18 -------- d-------- C:\Program Files\VSAdd-in
2006-11-13 23:05 -------- d-------- C:\Documents and Settings\aldern\Application Data\Mozilla
200
6-11-13 23:04 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-11 21:09 -------- d-------- C:\Program Files\AOD
2006-10-28 11:38 -------- d-------- C:\Program Files\iTunes
2006-10-28 11:38 -------- d-------- C:\Program Files\iPod
2006-10-28 11:38 -------- d-------- C:\Documents and Settings\aldern\Application Data\Apple Computer
2006-10-28 11:37 -------- d-------- C:\Program Files\Apple Software Update
2006-10-08 13:30 -------- d-------- C:\Documents and Settings\aldern\Application Data\SolidWorks
2006-09-15 13:21 53248 --a------ C:\WINNT\uninst108.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"Hahh"="\"C:\\DOCUME~1\\aldern\\MYDOCU~1\\CROSOF~1\\services.exe\" -vt yazb"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"=""
"HotKeysCmds"=""
"Synchronization Manager"="mobsync.exe /logon"
"PRPCMonitor"="PRPCUI.exe"
"JOGSERV2.EXE"="C:\\Program Files\\Sony\\Jog Dial Utility\\JogServ2.exe"
"Drag'n Drop CD"="C:\\Program Files\\Drag'n Drop CD\\BinFiles\\DragDrop.exe /StartUp"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"NWTRAY"="NWTRAY.EXE"
"IDesktop"="C:\\PROGRA~1\\IMMERS~1\\IMMERS~1.1\\IDesktop.exe 1"
"WinVNC"="\"C:\\Program Files\\UltraVNC\\WinVNC.exe\" -servicehelper"
"NDPS"="C:\\WINNT\\system32\\dpmw32.exe"
"Logitech Utility"="Logi_MwX.Exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1155528407\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"sys11-1607196935"="C:\\WINNT\\sys11-1607196935.exe"
"jakthkhA"="C:\\WINNT\\jakthkhA.exe"
"hfqff9a9"="RUNDLL32.EXE w0eda932.dll,n 006ff9a3000000030eda932"
"sys02607196935-1"="C:\\WINNT\\sys02607196935-1.exe"
"ACTX1"="C:\\WINNT\\v1201.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Accessories\\kyzevek.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\CONEXANT\\howysyhuf.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"intdctrr"="C:\\WINNT\\system32\\idctup20.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\{25AC81F2-1F58-4A4D-8379-30B745C82373}_JOEALDERN_jaldern.job
C:\WINNT\tasks\{BF963A89-F0BE-4693-8141-CB033E3C9103}_JOEALDERN_jaldern.job
C:\WINNT\tasks\{96FAAEED-072E-4939-94E4-E04057DD208A}_JOEALDERN_jaldern.job
C:\WINNT\tasks\AppleSoftwareUpdate.job
Completion time: Wed 2006-11-15 16:15:59.15
C:\ComboFix.txt ... 06-11-15 16:16
Logfile of HijackThis v1.99.1
Scan saved at 4:24:56 PM, on 11/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\cusrvc.exe
C:\WINNT\System32\FEELitDM.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\Logi_MwX.Exe
C:\Program Files\Common Files\AOL\1155528407\ee\AOLSoftware.exe
C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\jakthkhA.exe
C:\WINNT\sys02607196935-1.exe
C:\WINNT\v1201.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
c:\program files\common files\aol\1155528407\ee\aim6.exe
C:\WINNT\System32\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Ben\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 63.162.160.101 kaweb.kleinfelder.com kaweb as41d.kleinfelder.com es45 # old .8
O1 - Hosts: 63.162.160.102 citrix01.kleinfelder.com citrix01 # old .12
O1 - Hosts: 63.162.160.103 citrix02.kleinfelder.com citrix02 # old .6
O1 - Hosts: 63.162.160.104 kaweb2.kleinfelder.com kaweb2 # old .4
O1 - Hosts: 63.162.160.105 saclib.kleinfelder.com saclib
O1 - Hosts: 63.162.160.106 klinet.kleinfelder.com klinet # old .10
O1 - Hosts: 63.162.160.107 citrix03.kleinfelder.com citrix03 # old .9
O1 - Hosts: 63.162.160.108 kaweb3.kleinfelder.com kaweb3
O1 - Hosts: 63.162.160.110 dakota.kleinfelder.com dakota # old .3
O1 - Hosts: 63.162.160.111 apache.kleinfelder.com apache
O1 - Hosts: 63.162.160.112 klivax.kleinfelder.com klivax sherlock.kleinfelder.com sherlock # old .5
O1 - Hosts: 63.162.160.113 voffice.kleinfelder.com voffice
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfg32p.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {656FF48F-F76D-4D65-91DA-37AEA70DE9AE} - (no file)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINNT\cfg32r.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINNT\system32\DomainHelper.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll
O2 - BHO: (no name) - {D9CC5ECF-BC5A-C0A8-7804-C9891A5F69B9} - C:\WINNT\system32\fhtv.dll
O2 - BHO: (no name) - {E818DA78-1E83-4B22-82FB-188911B50D6F} - C:\Program Files\NetMeeting\horejoruk.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\nlsgxgsy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IDesktop] C:\PROGRA~1\IMMERS~1\IMMERS~1.1\IDesktop.exe 1
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155528407\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jakthkhA] C:\WINNT\jakthkhA.exe
O4 - HKLM\..\Run: [hfqff9a9] RUNDLL32.EXE w0eda932.dll,n 006ff9a3000000030eda932
O4 - HKLM\..\Run: [sys02607196935-1] C:\WINNT\sys02607196935-1.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\aldern\MYDOCU~1\CROSOF~1\services.exe" -vt yazb
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162056901253
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O18 - Protocol: bw+0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {F5F25DBB-5C36-4B62-962B-704283627D5C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FEELitDM - Immersion Corporation - C:\WINNT\System32\FEELitDM.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINNT\system32\HPZipm12.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
There are the logs. Thanks.
JB
Hi again, we'll continue :)
The instructions are quite long because you're quite nicely infected....
You seem to have this Viewpoint program installed. It has a suspicious reputation and we'll remove it
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:
VSAdd-in
ViewPoint
and any other programs you didn't install or don't recognize - if your not sure please ask first
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
dpmw32.exe
ViewMgr.exe
jakthkhA.exe
sys02607196935-1.exe
v1201.exe
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Hahh"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NDPS"=-
"ViewMgr"=-
"sys11-1607196935"=-
"jakthkhA"=-
"hfqff9a9"=-
"sys02607196935-1"=-
"ACTX1"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"intdctrr"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfg32p.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {656FF48F-F76D-4D65-91DA-37AEA70DE9AE} - (no file)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINNT\cfg32r.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINNT\system32\DomainHelper.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll
O2 - BHO: (no name) - {D9CC5ECF-BC5A-C0A8-7804-C9891A5F69B9} - C:\WINNT\system32\fhtv.dll
O2 - BHO: (no name) - {E818DA78-1E83-4B22-82FB-188911B50D6F} - C:\Program Files\NetMeeting\horejoruk.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\nlsgxgsy.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [jakthkhA] C:\WINNT\jakthkhA.exe
O4 - HKLM\..\Run: [hfqff9a9] RUNDLL32.EXE w0eda932.dll,n 006ff9a3000000030eda932
O4 - HKLM\..\Run: [sys02607196935-1] C:\WINNT\sys02607196935-1.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKCU\..\Run: [Hahh] "C:\DOCUME~1\aldern\MYDOCU~1\CROSOF~1\services.exe" -vt yazb
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter: text/html - (no CLSID) - (no file)
Please run Killbox.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\Sloopy7.exe
C:\WINNT\sys11-1607196935.exe
C:\WINNT\sys02607196935-1.exe
C:\WINNT\v1201.exe
C:\WINNT\system32\fhtv.dll
C:\WINNT\cfg32s.dll
C:\WINNT\cfg32o.dll
C:\WINNT\cfg32r.dll
C:\WINNT\system32\nlsgxgsy.dll
C:\WINNT\system32\wchimdva.exe
C:\WINNT\system32\ldcore.dll
C:\WINNT\system32\winpfg32.sys
C:\WINNT\system32\cdakdpil.dll
C:\WINNT\system32\hfqff9a9.dll
C:\WINNT\cfg32p.dll
C:\WINNT\system32\wcpcc.exe
C:\WINNT\system32\DomainHelper.dll
C:\WINNT\system32\hfqff9a9.sys
C:\WINNT\system32\dpmw32.exe
C:\WINNT\jakthkhA.exe
C:\WINNT\jakthkh.exe
C:\WINNT\ilfhh.dll
C:\162.exe
C:\WINNT\system32\efcayay.dll
C:\165.exe
C:\WINNT\srviyzfn.exe
C:\WINNT\stub_mm3.exe
C:\WINNT\uninst108.exe
C:\WINNT\system32\idctup20.exe
C:\Program Files\Accessories\kyzevek.html
C:\Program Files\CONEXANT\howysyhuf.htm
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Documents and Settings\aldern\Application Data\SearchToolbarCorp
C:\Program Files\VSAdd-in
C:\Program Files\ViewPoint
Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: w0eda932.dll
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
I got through everything and rebooted but got the 'windows 2000 could not boot because the following file is missing or corrupt: \WINNT\SYSTEM32\CONFIG\SYSTEMced" error. I don't have the disk with me so I'll have to fix this before I can continue. Thanks for your help so far.
JB
Hi again :)
Ok, do you get the same error if you try to boot to the safe mode too ?
I don't have the disk with me
But you do have it ? the installation or restore cd ?
We'll need that in order to get your computer working again...
Please let me know :bigthumb:
Actually, it's my dad's computer so I hope he has it. It locks at the bootscreen when I get the error and doesn't allow me to boot in safe mode. I sure hope he has it.
JB
Ok, please let me know when you have verified the status of the restore disc :bigthumb:
Well, he had the system restore discs and didn't mind me using them. I totally restored everything which cleared everything. We didn't really have much on the computer so it wasn't a big deal, but I think it's lame that Sony didn't include the OS disc. Thanks for your help through all of this. What do you suggest I do to keep it from happening again?
JB
Hi again, I'll respect you decicion to do a clean install :)
Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).
These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)
These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)
Get all Windows updates installed!
Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Excellent post! Thanks for the tips, I will do all of them as soon as I can. Thanks for your help!
JB
You're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: