
Thread: spyware, popups and HBO's-w

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    19

    spyware, popups and HBO's-w

    I tried to run the Panda scan online, and it wouldn't work. I click the "search computer" button and nothing happens.

    Next I ran Spybot and it removed some things... then when I logged back into regular mode, my Internet Explorer wouldn't work, so I had to restore the previous settings from Spybot.

    I have run spyware scans many times; it removes infections, but each time I run it there they are again.

  2. #2
    Junior Member
    Join Date
    Oct 2006
    Posts
    19

    Sorry, my computer freaked out and posted when I hit my space bar. Anyway, here is my HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:11:01 PM, on 10/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\system32\CTsvcCDA.EXE
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    E:\WINDOWS\system32\Rundll32.exe
    E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\WINDOWS\sys101353947576.exe
    E:\WINDOWS\Duce6.exe
    E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    E:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    E:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Documents and Settings\Karyn\Desktop\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe, E:\WINDOWS\system32\xqhno.exe
    F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,jlnraor.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [EM_EXEC] E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [sys101353947576] E:\WINDOWS\sys101353947576.exe
    O4 - HKLM\..\Run: [TheMonitor] E:\WINDOWS\Duce6.exe
    O4 - HKCU\..\Run: [Creative Detector] E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = E:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - E:\Program Files\Batty2\Batty2.dll
    O20 - Winlogon Notify: RunOnce - E:\WINDOWS\system32\lvr2099oe.dll (file missing)
    O20 - Winlogon Notify: Themes - E:\WINDOWS\system32\irrul5991.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Windows Overlay Components - Unknown owner - E:\WINDOWS\ymmtfda.exe (file missing)
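An added example, not part of this thread and not HijackThis's own code: a small Python triage script that applies the checks a helper reads a log like the one above for. It flags a Winlogon Shell or Userinit value that launches anything beyond the Windows XP default, autoruns that start an executable straight out of the Windows directory, the O10 Winsock hijack, O15 Trusted Zone additions, an O18 MIME filter on HTML, and O20/O23 entries whose file is missing or whose owner is unknown. SAMPLE_LOG is constructed from lines shaped like the posted log; the default Shell/Userinit values are the XP defaults, and the rules are heuristics to direct attention, not verdicts.

```python
"""Triage rules for HijackThis 1.99.1 log lines.

Added example for this thread; it is not part of HijackThis or of the forum's
own tooling. SAMPLE_LOG is constructed from the shape of the log posted above.
The expected values for the Winlogon Shell and Userinit entries are the
Windows XP defaults. Each rule points a responder at a line worth checking;
none of them is a verdict on its own.
"""
import re
from dataclasses import dataclass

# Windows XP defaults: anything else appended to these values is a launch point.
XP_DEFAULT_SHELL = "explorer.exe"
XP_DEFAULT_USERINIT = "userinit.exe"

# Constructed sample: the same section types as the posted log, a dozen lines.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, E:\\WINDOWS\\system32\\xqhno.exe
F2 - REG:system.ini: UserInit=E:\\WINDOWS\\system32\\userinit.exe,jlnraor.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "E:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [sys101353947576] E:\\WINDOWS\\sys101353947576.exe
O4 - HKLM\\..\\Run: [TheMonitor] E:\\WINDOWS\\Duce6.exe
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - E:\\Program Files\\Batty2\\Batty2.dll
O20 - Winlogon Notify: RunOnce - E:\\WINDOWS\\system32\\lvr2099oe.dll (file missing)
O20 - Winlogon Notify: WgaLogon - E:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Windows Overlay Components - Unknown owner - E:\\WINDOWS\\ymmtfda.exe (file missing)
"""

# "F2 - REG:system.ini: Shell=..." -> section "F2", body "REG:system.ini: Shell=..."
LINE_RE = re.compile(r"^(?P<section>[FORN]\d+)\s+-\s+(?P<body>.*)$")
F2_RE = re.compile(r"REG:system\.ini:\s*(?P<key>Shell|UserInit)=(?P<val>.*)$", re.I)
O4_RE = re.compile(r"^(?P<hive>.*?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# An .exe sitting directly in <drive>:\WINDOWS (not a subfolder), quoted or not.
WINDIR_ROOT_RE = re.compile(r'^"?[A-Z]:\\WINDOWS\\[^\\]+\.exe"?(\s|$)', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, quotes and whitespace removed."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().strip('"').lower()


def check_f2(body: str):
    """Shell/Userinit are comma lists; every entry beyond the default is extra."""
    m = F2_RE.match(body)
    if not m:
        return None
    key = m.group("key").lower()
    expected = XP_DEFAULT_SHELL if key == "shell" else XP_DEFAULT_USERINIT
    entries = [_basename(p) for p in m.group("val").split(",") if p.strip()]
    extra = [e for e in entries if e != expected]
    if extra:
        return f"{key} launches extra program(s) besides {expected}: {', '.join(extra)}"
    return None


def check_o4(body: str):
    """Autorun whose target lives directly in the Windows directory."""
    m = O4_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if WINDIR_ROOT_RE.match(cmd):
        return f"autorun '{m.group('name')}' starts an executable straight out of the Windows directory: {cmd}"
    return None


def triage(log_text: str) -> list:
    """Run every rule over the log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "F2":
            reason = check_f2(body)
        elif section == "O4":
            reason = check_o4(body)
        elif section == "O10":
            reason = "Winsock LSP chain altered by a third party: " + body
        elif section == "O15":
            reason = "site added to the IE Trusted Zone (default is empty): " + body
        elif section == "O18" and re.search(r"Filter:\s*text/(html|plain)", body, re.I):
            reason = "MIME filter on web content, every page passes through this DLL: " + body
        elif section == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify package whose DLL is missing: " + body
        elif section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reason = "service with no vendor or a missing binary: " + body
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def count_by_section(findings) -> dict:
    """How many findings each HijackThis section produced."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

On the sample the two F2 findings name xqhno.exe and jlnraor.exe, the QuickTime autorun and the WgaLogon Notify entry pass untouched, and the O16 line is left alone because nothing in the line itself distinguishes a legitimate ActiveX download from a bad one; that decision needs the URL checked by a person.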

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi txladykat and welcome to Safer Networking Forums

    You've got infections there...

    Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.

    Please post an uninstall list here.
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file.
    • When you press Save button a notepad will open with the contents of that file.
    • Simply copy and paste the contents of that notepad here on your next reply.


    Then we'll continue
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  4. #4
    Junior Member
    Join Date
    Oct 2006
    Posts
    19


    Adobe Acrobat Reader 3.02
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.8
    Adobe® Photoshop® Album Starter Edition 3.0
    CCScore
    Creative MediaSource
    Creative System Information
    DeluxeCommunications
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    essvcpt
    Flock (Photobucket Edition) 0.7
    HijackThis 1.99.1
    HLPPDOCK
    iPod for Windows 2006-06-28
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    Kodak EasyShare software
    KSU
    Logitech MouseWare 9.10
    Logitech User's Guide
    Mozilla Firefox (1.5)
    MSN Money Investment Toolbox
    Notifier
    OfotoXMI
    OTtBP
    OTtBPSDK
    QuickTime
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925486)
    SFR
    SHASTA
    SKIN0001
    SKINXSDK
    Sound Blaster Audigy
    Spybot - Search & Destroy 1.4
    SpyHunter
    Spyware Terminator
    staticcr
    UBNet
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    VPRINTOL
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Overlay Components
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WIRELESS
    Yahoo! Messenger
    Yahoo! Toolbar
    YAMAHA AC-XG WDM
    YAMAHA DS-XG WDM
    Yazzle by OIN

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi again

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    Then we'll continue
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #6
    Junior Member
    Join Date
    Oct 2006
    Posts
    19

    Thanks! Here ya go:

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Creative Detector" = "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
    "MSMSGS" = ""E:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "dubdp" = "E:\WINDOWS\system32\hhpjoj.exe reg_run" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "EM_EXEC" = "E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
    "QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "SunJavaUpdateSched" = "E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
    "Adobe Photo Downloader" = ""E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "CTSysVol" = "E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
    "P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
    "UpdReg" = "E:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
    "hxtboh" = "E:\WINDOWS\system32\hhpjoj.exe reg_run" [null data]
    "SpyHunter" = "E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]
    "SpywareTerminator" = ""E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com"]
    "sys101353947576" = "E:\WINDOWS\sys101353947576.exe" [null data]
    "TheMonitor" = "E:\WINDOWS\Duce6.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

  7. #7
    Junior Member
    Join Date
    Oct 2006
    Posts
    19

    I was kind of confused by the question it asked about what kind of search I wanted, so I did both. Here is the second one:

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Creative Detector" = "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
    "MSMSGS" = ""E:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "dubdp" = "E:\WINDOWS\system32\hhpjoj.exe reg_run" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "EM_EXEC" = "E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
    "QuickTime Task" = ""E:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "SunJavaUpdateSched" = "E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "iTunesHelper" = ""E:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
    "Adobe Photo Downloader" = ""E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
    "CTSysVol" = "E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
    "P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
    "UpdReg" = "E:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
    "hxtboh" = "E:\WINDOWS\system32\hhpjoj.exe reg_run" [null data]
    "SpyHunter" = "E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" ["Enigma Software Group Inc."]
    "SpywareTerminator" = ""E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com"]
    "sys101353947576" = "E:\WINDOWS\sys101353947576.exe" [null data]
    "TheMonitor" = "E:\WINDOWS\Duce6.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "E:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{D35DAD00-94B0-4AD6-9577-337D2339680F}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\kodmaori.dll" [file not found]
    "{92E99454-668D-42B1-AFD8-EC55C726C980}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\rIsmxs.dll" [file not found]
    "{1E05D064-D542-4742-B575-2186F5E3CCAE}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\djdmoprp.dll" [file not found]
    "{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\guard.tmp" [null data]
    "{EC7550EE-8865-49AA-A3EC-4A0D58F5B4E0}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\guard.tmp" [null data]
    "{B50638C4-FA2E-4D62-A0E3-0FEDEE785715}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\guard.tmp" [null data]
    "{DD4A0DCB-3A68-495E-A107-53210FD458EE}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\uktheme.dll" [null data]
    "{7B7010CE-1565-493C-BBF7-A9B085283114}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\kmdru1.dll" [null data]
    "{DF47EF47-776D-428A-A3FA-5661FF949783}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\dFtaclen.dll" [null data]
    "{96FC970A-E73A-49FE-A15C-6733E8500E9F}" = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "E:\WINDOWS\system32\drskmon.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "Shell" = "Explorer.exe, E:\WINDOWS\system32\xqhno.exe" [MS], [null data]
    <<!>> "Userinit" = "E:\WINDOWS\system32\userinit.exe,jlnraor.exe" [MS], [null data]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk *"| [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> RunOnce\DLLName = "E:\WINDOWS\system32\lvr2099oe.dll" [file not found]
    <<!>> SharedDlls\DLLName = "E:\WINDOWS\system32\enjql1151.dll" [null data]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/html\CLSID = "{994D478A-45D0-4DB4-AE27-738B1E346F99}"
    -> {HKLM...CLSID} = "PortHope Decoder"
    \InProcServer32\(Default) = "E:\Program Files\Batty2\Batty2.dll" [file not found]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "E:\Documents and Settings\Karyn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "E:\WINDOWS\System32\logon.scr" [MS]


    DESKTOP.INI DLL launch in local fixed drive directories:
    --------------------------------------------------------
    E:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5\01A7GPQN\DESKTOP.INI -- cannot be opened!


    Startup items in "Karyn" & "All Users" startup folders:
    -------------------------------------------------------

    E:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "Kodak EasyShare software" -> shortcut to: "E:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -hx" [null data]
    "KODAK Software Updater" -> shortcut to: "E:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    E:\Program Files\webHancer\Programs\webhdll.dll ["webHancer Corporation"], 01 - 02, 16
    %SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in"
    \InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
    "ButtonText" = "Yahoo! Messenger"
    "MenuText" = "Yahoo! Messenger"
    "Exec" = "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Creative Service for CDROM Access, Creative Service for CDROM Access, "E:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
    iPodService, iPodService, "E:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
    Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 355 seconds.
    ---------- (total run time: 487 seconds)

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi again, and sorry for the delay, I had a busy day.

    The logs were the right ones, good work.

    You seem to have SpyHunter and Spyware Terminator installed. Both of these programs have a suspicious reputation and I don't recommend using those. There are free and better ones available. I recommend that you remove both SpyHunter and Spyware Terminator via Control Panel, Add/Remove Programs. More info about these two programs here.

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.

    Open Control Panel -> Add/Remove Programs -> Remove all of the following programs if found:

    DeluxeCommunications
    Yazzle by OIN

    Download and run this uninstaller:
    http://www.outerinfo.com/OiUninstaller.exe

    Tutorial for the uninstaller if needed

    Download LSPFix. Extract (unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left-hand pane, highlight all instances of webhdll.dll (and nothing else) and move them to the "Remove" pane by clicking the >> button. Click Finish. Reboot to complete the process.

    When the computer has been restarted:
    • Download this file - combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
      Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    Last edited by Mr_JAk3; 2006-10-23 at 14:06.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
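An added example that is not part of this thread, of Silent Runners, or of LSPFix: a Python parser for two sections of the Silent Runners report posted in post #7, the Shell Extensions Approved list and the Winsock2 transport provider catalog, with the checks behind the LSPFix step above. It lists approved shell extensions that have no title and whose DLL is absent or carries no version information, lists every transport provider in the catalog that is not Microsoft's, and shows which catalog slots a provider such as webhdll.dll occupies and what the numbering looks like once those slots are removed without renumbering. SAMPLE_REPORT is constructed to mirror the shape and values of the posted report; the assumption that the Protocol_Catalog9 entries must stay numbered 1..N without gaps is stated in the code.

```python
"""Checks over two sections of a Silent Runners report.

Added example, not part of the thread and not Silent Runners' own code.
SAMPLE_REPORT is constructed to mirror the shape of the report posted above
(the Shell Extensions Approved list and the Winsock2 transport catalog).
Assumption: Winsock expects the Protocol_Catalog9 entries numbered 1..N with
no gaps, so deleting one provider's entries without renumbering leaves holes;
that is what a dedicated LSP removal tool rewrites.
"""
import re

# Constructed sample; file names and catalog ranges follow the posted report.
SAMPLE_REPORT = """\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \\InProcServer32\\(Default) = "E:\\WINDOWS\\system32\\hticons.dll" ["Hilgraeve, Inc."]
"{D35DAD00-94B0-4AD6-9577-337D2339680F}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \\InProcServer32\\(Default) = "E:\\WINDOWS\\system32\\kodmaori.dll" [file not found]
"{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}" = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \\InProcServer32\\(Default) = "E:\\WINDOWS\\system32\\guard.tmp" [null data]

Transport Service Providers

HKLM\\System\\CurrentControlSet\\Services\\Winsock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\ {++}
0000000000##\\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
E:\\Program Files\\webHancer\\Programs\\webhdll.dll ["webHancer Corporation"], 01 - 02, 16
%SystemRoot%\\system32\\mswsock.dll [MS], 03 - 05, 08 - 15
%SystemRoot%\\system32\\rsvpsp.dll [MS], 06 - 07
"""

CLSID_LINE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"\s*=\s*(?P<title>.*)$')
INPROC_LINE = re.compile(r'\\InProcServer32\\\(Default\)\s*=\s*"(?P<path>[^"]*)"\s*(?P<status>\[.*\])\s*$')
CATALOG_LINE = re.compile(r'^(?P<dll>.+?\.dll)\s+\[(?P<vendor>[^\]]*)\],\s*(?P<ranges>[\d\s,\-]+)$')


def _expand(ranges: str) -> list:
    """'01 - 02, 16' -> [1, 2, 16]."""
    out = []
    for part in ranges.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            out.extend(range(lo, hi + 1))
        else:
            out.append(int(part))
    return out


def parse_silent_runners(text: str) -> dict:
    """Collect approved shell extensions and the transport catalog slot map."""
    shell_ext, catalog, current, in_catalog = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Transport Service Providers"):
            in_catalog = True
            continue
        if in_catalog:
            if line.startswith("-----"):      # underline of the next section heading
                in_catalog = False
            m = CATALOG_LINE.match(line)
            if m:
                vendor = m.group("vendor").strip('"')
                for idx in _expand(m.group("ranges")):
                    catalog[idx] = (m.group("dll"), vendor)
            continue
        m = CLSID_LINE.match(line)
        if m:
            current = {"clsid": m.group("clsid"), "title": m.group("title").strip().strip('"'),
                       "path": None, "status": None}
            shell_ext.append(current)
            continue
        m = INPROC_LINE.search(line)
        if m and current is not None:
            current["path"], current["status"] = m.group("path"), m.group("status")
    return {"shell_extensions": shell_ext, "catalog": catalog}


def suspicious_shell_extensions(parsed: dict) -> list:
    """Untitled approved extensions whose DLL is missing or has no version info."""
    bad = {"[file not found]", "[null data]"}
    return [(e["clsid"], e["path"], e["status"]) for e in parsed["shell_extensions"]
            if e["title"] == "(no title provided)" and e["status"] in bad]


def non_microsoft_lsps(parsed: dict) -> list:
    """Every transport provider not tagged [MS], with the catalog slots it holds."""
    by_dll = {}
    for idx, (dll, vendor) in sorted(parsed["catalog"].items()):
        if vendor != "MS":
            by_dll.setdefault((dll, vendor), []).append(idx)
    return [(dll, vendor, idxs) for (dll, vendor), idxs in by_dll.items()]


def catalog_after_removal(parsed: dict, dll_basename: str) -> dict:
    """Slots vacated by dropping one provider, and whether 1..N stays gap-free."""
    remaining = sorted(i for i, (dll, _) in parsed["catalog"].items()
                       if not dll.lower().endswith("\\" + dll_basename.lower()))
    removed = sorted(i for i in parsed["catalog"] if i not in remaining)
    return {"removed": removed, "remaining": remaining,
            "contiguous": remaining == list(range(1, len(remaining) + 1))}


if __name__ == "__main__":
    report = parse_silent_runners(SAMPLE_REPORT)
    print(suspicious_shell_extensions(report))
    print(non_microsoft_lsps(report))
    print(catalog_after_removal(report, "webhdll.dll"))
```

On the sample the HyperTerminal entry is skipped because it has a title and a vendor, the two untitled entries are reported, and webhdll.dll shows up holding slots 1, 2 and 16 of the 16-entry catalog; removing those three slots leaves 3..15, which is not a contiguous 1..N sequence. That is the defender's reading of the LSPFix step: the provider DLL is wired into every socket the machine opens, so it has to be taken out of the catalog by a tool that renumbers the chain rather than by deleting the file.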

  9. #9
    Junior Member
    Join Date
    Oct 2006
    Posts
    19


    I don't know what to do. I am unable to get to the internet from my home computer now. I am writing this from my office computer. What should I do?

  10. #10
    Junior Member
    Join Date
    Oct 2006
    Posts
    19

    OK, I got my internet working by reinstalling Windows over the current version. I ran ComboFix, but when it rebooted my computer it didn't give me a log. However, I searched my hard drive and found this; hope this is the correct log:

    Karyn - 06-10-23 21:05:26.62 Service Pack 2
    ComboFix 06.10.19 - Running from: "E:\Documents and Settings\Karyn\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{D35DAD00-94B0-4AD6-9577-337D2339680F}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{D35DAD00-94B0-4AD6-9577-337D2339680F}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{D35DAD00-94B0-4AD6-9577-337D2339680F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{D35DAD00-94B0-4AD6-9577-337D2339680F}\InprocServer32]
    @="E:\\WINDOWS\\system32\\kodmaori.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{92E99454-668D-42B1-AFD8-EC55C726C980}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{92E99454-668D-42B1-AFD8-EC55C726C980}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{92E99454-668D-42B1-AFD8-EC55C726C980}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{92E99454-668D-42B1-AFD8-EC55C726C980}\InprocServer32]
    @="E:\\WINDOWS\\system32\\rIsmxs.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{1E05D064-D542-4742-B575-2186F5E3CCAE}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1E05D064-D542-4742-B575-2186F5E3CCAE}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1E05D064-D542-4742-B575-2186F5E3CCAE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{1E05D064-D542-4742-B575-2186F5E3CCAE}\InprocServer32]
    @="E:\\WINDOWS\\system32\\djdmoprp.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}\InprocServer32]
    @="E:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{EC7550EE-8865-49AA-A3EC-4A0D58F5B4E0}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{EC7550EE-8865-49AA-A3EC-4A0D58F5B4E0}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{EC7550EE-8865-49AA-A3EC-4A0D58F5B4E0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{EC7550EE-8865-49AA-A3EC-4A0D58F5B4E0}\InprocServer32]
    @="E:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{B50638C4-FA2E-4D62-A0E3-0FEDEE785715}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{B50638C4-FA2E-4D62-A0E3-0FEDEE785715}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{B50638C4-FA2E-4D62-A0E3-0FEDEE785715}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{B50638C4-FA2E-4D62-A0E3-0FEDEE785715}\InprocServer32]
    @="E:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{DD4A0DCB-3A68-495E-A107-53210FD458EE}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DD4A0DCB-3A68-495E-A107-53210FD458EE}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DD4A0DCB-3A68-495E-A107-53210FD458EE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DD4A0DCB-3A68-495E-A107-53210FD458EE}\InprocServer32]
    @="E:\\WINDOWS\\system32\\itakui.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{7B7010CE-1565-493C-BBF7-A9B085283114}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{7B7010CE-1565-493C-BBF7-A9B085283114}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{7B7010CE-1565-493C-BBF7-A9B085283114}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{7B7010CE-1565-493C-BBF7-A9B085283114}\InprocServer32]
    @="E:\\WINDOWS\\system32\\kmdru1.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{DF47EF47-776D-428A-A3FA-5661FF949783}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DF47EF47-776D-428A-A3FA-5661FF949783}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DF47EF47-776D-428A-A3FA-5661FF949783}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{DF47EF47-776D-428A-A3FA-5661FF949783}\InprocServer32]
    @="E:\\WINDOWS\\system32\\mgxml4.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{06EB7A38-8D19-4287-B387-D01D991DB6D1}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{06EB7A38-8D19-4287-B387-D01D991DB6D1}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{06EB7A38-8D19-4287-B387-D01D991DB6D1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{06EB7A38-8D19-4287-B387-D01D991DB6D1}\InprocServer32]
    @="E:\\WINDOWS\\system32\\aqwav.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    E:\WINDOWS\system32\aqwav.dll
    E:\WINDOWS\system32\dn8201loe.dll
    E:\WINDOWS\system32\en06l1ds1.dll
    E:\WINDOWS\system32\en46l1hs1.dll
    E:\WINDOWS\system32\irn2l55o1.dll
    E:\WINDOWS\system32\itakui.dll
    E:\WINDOWS\system32\k8pmli7118.dll
    E:\WINDOWS\system32\kmdru1.dll
    E:\WINDOWS\system32\l8r00i9me8.dll
    E:\WINDOWS\system32\lv4s09h7e.dll
    E:\WINDOWS\system32\m6ls0g37e6.dll
    E:\WINDOWS\system32\p68qlgl516q.dll


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


    * * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


    O4 - HKCU\...\Run E:\WINDOWS\system32\hhpjoj.exe
    O4 - HKLM\...\Run E:\WINDOWS\system32\hhpjoj.exe
    F2 -REG:system.ini: Shell E:\WINDOWS\system32\xqhno.exe
    F2 -REG:system.ini: UserInit E:\WINDOWS\system32\jlnraor.exe


    * * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


    E:\WINDOWS\system32\hhpjoj.exe
    E:\WINDOWS\system32\nopjgrd.dll
    E:\WINDOWS\system32\jlnraor.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\aockv.exe
    E:\WINDOWS\gcwqg.dll
    E:\WINDOWS\system32\nefmb.dat
    E:\WINDOWS\system32\xqhno.exe


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    06-10-15 10:15 127488 hhpjoj.exe.qoo
    06-10-21 09:30 127488 nefmb.dat.qoo
    06-10-15 10:15 127488 aockv.exe.qoo
    06-10-17 06:56 51712 nopjgrd.dll.qoo
    06-10-15 10:15 28672 xqhno.exe.qoo
    06-10-15 10:15 23552 jlnraor.exe.qoo
    06-10-15 10:15 53 vnlnep.dat.qoo

    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    E:\Documents and Settings\Adam\Application Data\Dxcknwrd.dll
    E:\Documents and Settings\Adam\Application Data\Dxcuknwrd.dll
    E:\Documents and Settings\Karyn\Application Data\Dxccwrd.dll
    E:\Documents and Settings\Karyn\Application Data\Dxcknwrd.dll
    E:\Documents and Settings\Karyn\Application Data\Dxcuknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    E:\WINDOWS\Duce6.exe
    E:\WINDOWS\offun.exe
    E:\WINDOWS\system32\bszip.dll
    E:\WINDOWS\system32\cmd.com
    E:\WINDOWS\system32\netstat.com
    E:\WINDOWS\system32\ping.com
    E:\WINDOWS\system32\regedit.com
    E:\WINDOWS\system32\taskkill.com
    E:\WINDOWS\system32\tasklist.com
    E:\WINDOWS\system32\tracert.com
    E:\Documents and Settings\LocalService\Application Data\NetMon
    E:\Program Files\batty2
    E:\Program Files\cmfibula
    E:\Program Files\Deskbar
    E:\Program Files\network monitor
    E:\Program Files\outlook
    E:\Program Files\Common Files\{18BA091C-064E-1033-1029-010004100001}
    E:\Program Files\Common Files\{38BA091C-064E-1033-1029-010004100001}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    E:\QooBox\Purity\Program Files\Common Files\RACLE~1
    E:\QooBox\Purity\Program Files\Common Files\RACLE~1\??rss.exe
    E:\QooBox\Purity\WINDOWS\RACLE~1
    E:\QooBox\Purity\WINDOWS\RACLE~1\smss.exe
    E:\QooBox\Purity\WINDOWS\RACLE~1\?racle
    E:\QooBox\Purity\WINDOWS\system32\MBOLS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))


    2006-10-23 20:40 20,992 --a------ E:\WINDOWS\system32\drivers\RTL8139.sys
    2006-10-23 20:35 24,661 --a------ E:\WINDOWS\system32\spxcoins.dll
    2006-10-23 20:35 13,312 --a------ E:\WINDOWS\system32\irclass.dll
    2006-10-23 19:52 24,296 --a------ E:\WINDOWS\icont.exe
    2006-10-21 13:04 426,382 --a------ E:\WINDOWS\ms0757613539472006.exe
    2006-10-21 10:54 131,072 --a------ E:\WINDOWS\system32\coznv.dll
    2006-10-18 12:38 163,840 --a------ E:\WINDOWS\sys101353947576.exe
    2006-10-15 10:15 919 --a------ E:\WINDOWS\system32\winpfg32.sys
    2006-10-15 10:15 436 --a------ E:\WINDOWS\gcwqg.dll
    2006-10-15 10:15 183,478 --a------ E:\WINDOWS\srvmmexlyo.exe
    2006-10-15 10:15 1,259 --a------ E:\WINDOWS\system32\pryd6bb6.sys
    2006-10-15 10:14 217,276 --a------ E:\WINDOWS\srvhucwjki.exe
    2006-10-06 19:37 64,512 --a------ E:\WINDOWS\system32\PTPITCP.dll
    2006-10-06 19:37 307,200 --a------ E:\WINDOWS\system32\KPDPM.dll
    2006-10-06 19:37 229,376 --a------ E:\WINDOWS\system32\KPDPMUI.dll
    2006-10-06 19:23 5,632 --a------ E:\WINDOWS\system32\ptpusb.dll
    2006-10-06 19:23 159,232 --a------ E:\WINDOWS\system32\ptpusd.dll
    2006-10-06 19:23 15,104 --a------ E:\WINDOWS\system32\drivers\usbscan.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-23 21:09 -------- d-------- E:\Program Files\Common Files
    2006-10-23 20:44 -------- d-------- E:\Program Files\Windows Media Player
    2006-10-23 20:44 -------- d-------- E:\Program Files\Outlook Express
    2006-10-23 20:44 -------- d-------- E:\Program Files\Internet Explorer
    2006-10-23 20:44 -------- d-------- E:\Program Files\Common Files\System
    2006-10-23 19:36 -------- d-------- E:\Program Files\Spyware Terminator
    2006-10-23 19:36 -------- d-------- E:\Program Files\PSDream
    2006-10-23 19:36 -------- d-------- E:\Program Files\PSCastor
    2006-10-23 19:35 -------- d-------- E:\Program Files\whInstall
    2006-10-23 19:35 -------- d-------- E:\Program Files\Mozilla Firefox
    2006-10-23 19:34 -------- d-------- E:\Program Files\Flock
    2006-10-23 18:41 -------- d-------- E:\Program Files\Enigma Software Group
    2006-10-19 21:52 -------- d-------- E:\Program Files\webHancer
    2006-10-18 12:39 93664 --ahs---- E:\Program Files\Common Files\Y1324OU.exe
    2006-10-16 21:46 -------- d-------- E:\Program Files\ComPlus Applications
    2006-10-16 19:51 -------- d-------- E:\Program Files\Messenger
    2006-10-15 20:10 -------- d-------- E:\Program Files\Common Files\krwr
    2006-10-15 17:45 -------- d-------- E:\Program Files\LimeWire
    2006-10-15 17:37 -------- d-------- E:\Documents and Settings\Karyn\Application Data\Help
    2006-10-15 17:24 -------- d-------- E:\Program Files\Google
    2006-10-15 17:07 -------- d--h----- E:\Program Files\InstallShield Installation Information
    2006-10-06 19:37 -------- d-------- E:\Program Files\Kodak
    2006-10-06 19:35 -------- d-------- E:\Program Files\Common Files\Kodak
    2006-10-06 19:29 -------- d-------- E:\Documents and Settings\Karyn\Application Data\Leadertech
    2006-10-06 19:28 -------- d-------- E:\Documents and Settings\Karyn\Application Data\Adobe
    2006-09-22 09:38 53248 --a------ E:\WINDOWS\109uninst.exe
    2006-09-22 09:36 53248 --a------ E:\WINDOWS\uni_7eh.exe
    2006-09-21 07:03 -------- d-------- E:\Documents and Settings\Karyn\Application Data\Google
    2006-09-15 16:16 53248 --a------ E:\WINDOWS\uni_e6h.exe
    2006-09-06 05:47 -------- d---s---- E:\Documents and Settings\Karyn\Application Data\Microsoft


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Creative Detector"="E:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
    "MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "EM_EXEC"="E:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
    "QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "iTunesHelper"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "Adobe Photo Downloader"="\"E:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "CTSysVol"="E:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
    "P17Helper"="Rundll32 P17.dll,P17Helper"
    "UpdReg"="E:\\WINDOWS\\UpdReg.EXE"
    "sys101353947576"="E:\\WINDOWS\\sys101353947576.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    @=""

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-10-23 21:12:36.59
    E:\ComboFix.txt ... 06-10-23 21:12
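Added note, not part of the original thread: below is a small Python triage script for a log like the one posted above. It is example code written for this page, not a ComboFix, HijackThis or forum tool, and its sample input is constructed from lines taken from the posted log. It flags the three things a helper reads first in a log like this: .com twins of system tools in system32 (the default PATHEXT order starts with .COM;.EXE, so system32\cmd.com is what runs when someone types cmd without an extension, which is why the "Other Deletions" section lists cmd.com, regedit.com, taskkill.com and friends); executables dropped straight into the Windows directory or carrying random-looking names, annotated when they are also autostart entries (Run keys, system.ini Shell/UserInit); and CLSIDs whose InprocServer32 points at something other than a DLL (the guard.tmp entries in the CLSID dump). The list of shadowed tools and the randomness heuristic are assumptions of the example, and the heuristic is a prompt to look closer, not a verdict.

```python
"""Triage helper for ComboFix-style removal logs.

Added example, not from the thread or any removal tool.  SAMPLE_LOG is
constructed from lines taken from the posted log so the script runs offline.
"""
import re

# Tools malware likes to shadow with a .com twin (assumption: hand-picked list).
SHADOW_TARGETS = {"cmd", "regedit", "taskkill", "tasklist", "netstat", "ping", "tracert"}

SAMPLE_LOG = r"""
[HKEY_CLASSES_ROOT\clsid\{3DD0078B-4968-404C-9D1D-FF5B7AEC49AF}\InprocServer32]
@="E:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\clsid\{DD4A0DCB-3A68-495E-A107-53210FD458EE}\InprocServer32]
@="E:\\WINDOWS\\system32\\itakui.dll"
E:\WINDOWS\Duce6.exe
E:\WINDOWS\system32\cmd.com
E:\WINDOWS\system32\regedit.com
E:\WINDOWS\system32\taskkill.com
2006-10-18 12:38 163,840 --a------ E:\WINDOWS\sys101353947576.exe
2006-10-15 10:15 183,478 --a------ E:\WINDOWS\srvmmexlyo.exe
2006-10-06 19:37 64,512 --a------ E:\WINDOWS\system32\PTPITCP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"sys101353947576"="E:\\WINDOWS\\sys101353947576.exe"
O4 - HKLM\...\Run E:\WINDOWS\system32\hhpjoj.exe
F2 -REG:system.ini: Shell E:\WINDOWS\system32\xqhno.exe
"""

# A drive-letter path ending in an extension we care about.  The log mixes plain
# paths with .reg-style export lines, so a quote or line end terminates the match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|com|dll|sys|dat|tmp)\b', re.I)
CLSID_HDR = re.compile(r"^\[HKEY_CLASSES_ROOT\\clsid\\(\{[0-9A-F-]+\})\\InprocServer32\]$", re.I)


def looks_random(stem):
    """Cheap heuristic: a run of five or more digits, or four consonants in a row.
    It false-positives on abbreviations (e.g. "apdproxy"), so a hit means
    "look closer", not "malicious"."""
    s = stem.lower()
    return bool(re.search(r"\d{5,}", s) or re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", s))


def com_servers(text):
    """Map InprocServer32 path -> CLSID from the .reg-style CLSID dump."""
    servers, current = {}, None
    for line in text.splitlines():
        m = CLSID_HDR.match(line.strip())
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("@="):
            for p in PATH_RE.findall(line):
                servers[p] = current
            current = None
    return servers


def triage(log_text):
    """Return [(path, [reasons...])] for every path that trips at least one check."""
    text = log_text.replace("\\\\", "\\")          # undo .reg double escaping
    servers = com_servers(text)
    # HijackThis-style O4/F2 lines and Run-key value lines name autostart targets.
    autostart = {p for line in text.splitlines()
                 if line.startswith(("O4 ", "F2 ", '"'))
                 for p in PATH_RE.findall(line)}
    findings = []
    for path in sorted(set(PATH_RE.findall(text)), key=str.lower):
        parts = path.split("\\")
        stem, ext = parts[-1].rsplit(".", 1)
        ext, parent = ext.lower(), parts[-2].lower()
        reasons = []
        if ext == "com" and parent == "system32" and stem.lower() in SHADOW_TARGETS:
            reasons.append("PATHEXT shadow of %s.exe" % stem.lower())
        if parent == "windows" and ext in ("exe", "com"):
            reasons.append("executable directly in the Windows directory")
        if looks_random(stem):
            reasons.append("random-looking name")
        if path in servers and ext != "dll":
            reasons.append("non-DLL file registered as COM server for %s" % servers[path])
        if reasons and path in autostart:          # autostart alone is not a finding
            reasons.append("also an autostart entry")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print("%-45s %s" % (path, "; ".join(reasons)))
```

Run it as-is and it prints the ten suspicious paths from the sample with the reason for each; qttask.exe (a legitimate autostart entry) and itakui.dll (a DLL with a plain-looking name) are deliberately not reported, which is the point of treating the autostart list as an annotation rather than a finding and of not trusting the name heuristic on its own.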
