coolpics.com trashed my system

Discussion in 'malware problems & news' started by crazy_cool2k, Nov 1, 2006.

  1. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    I recently upgraded to Yahoo Messenger ver 8, after which I received a seemingly harmless message from my friend asking me to check his pics on a site. After this my computer got infected with the virus. My Task Manager was disabled, and I had no Run box. I ran a number of malware removal tools but none worked till I ran Spybot S&D. Now the coolpics virus has been removed but I am still facing a few problems. 1) When I try to run regedit I get an error "Regedit is not a valid win32 application". 2) My Internet Explorer home page is greyed out and I can't change it.

    Also, my sister's computer has been infected by the coolpics virus after she clicked on a message that was auto-sent by the virus when it affected my system. I gave her the Spybot S&D software to run but she has been unsuccessful in removing the virus even after running Spybot S&D. Which is the best tool to use to remove the coolpics virus completely?
    This is the message that is sent by the virus to the contacts: ":( the page cannot be displayed http:// /error.jpg Something was wrong !!! Check it again and tell me later. THanks"


    Norton and McAfee have been major letdowns: they have been of no use in preventing the infection, and they have not been able to remove the virus either.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Please post the combofix log.

    Regards,

    Pieter
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    As a word of caution, do not open any links within an IM chat window regardless of the circumstances. That's just my advice to you.

    Regarding some system utilities like task manager and regedit being disabled by the malware which infected your system, please visit this site: http://www.excessive-software.eu.tt/

    AND
    scroll to the bottom of the page where you will see the tool called: Infiltration Recovery Tool 1.0

    What it does is:

    Infiltration Recovery Tool gives you the ability to recover some key system features when facing malware infiltration. Many trojans, worms and backdoors disable Task Manager, Registry Editor and some even Explorer's right-click context menu. You can restore these features with Infiltration Recovery Tool in just a few clicks. Though there is no guarantee that it will work in all situations... Infiltration Recovery Tool supports all Windows operating systems.

    As the program is in the .zip format, you can use WinRAR to open it. You will have to install the programs first.

    Have you updated your antivirus programs?
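    The features the post above lists as disabled (Task Manager, Registry Editor, the Run box, Explorer's right-click menu) and the greyed-out IE home page from the first post are all switched off through ordinary policy values in the registry, which any process running as the user can write. The script below is an added PowerShell example, not code from the thread or from the Infiltration Recovery Tool: it audits those policy values in both the per-user and the machine-wide hives and, when run with -Restore, deletes the ones that are set. The list of values checked and the assumption that the malware itself has already been removed are the author's, not the thread's.

```powershell
# Added example, not code from the thread or from the Infiltration Recovery Tool.
# Audits the per-user and machine-wide policy values that IM worms flip to lock
# the user out of Task Manager, Registry Editor, the Run box, Explorer's context
# menu and the IE home page setting; with -Restore it removes any that are set.
# Run from an elevated PowerShell prompt after the malware itself has been removed,
# otherwise a still-running dropper simply sets them again.
param([switch]$Restore)

# Registry path, value name, and what a non-zero value does. The HKCU entries
# affect the current user; the same names under HKLM apply to every account.
$UserChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'Registry Editor disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Effect = 'Run box removed from Start menu' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Effect = 'Explorer right-click menu disabled' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel';  Name = 'HomePage';             Effect = 'IE home page locked (greyed out)' }
)
$MachineChecks = foreach ($c in $UserChecks) {
    @{ Path = ($c.Path -replace '^HKCU:', 'HKLM:'); Name = $c.Name; Effect = "$($c.Effect) (machine-wide)" }
}
$Checks = @($UserChecks) + @($MachineChecks)

function Get-RestrictionState {
    # One record per policy value; Active is $true when it is present and non-zero.
    foreach ($c in $Checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            $value = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Path   = $c.Path
            Name   = $c.Name
            Value  = $value
            Active = ($null -ne $value -and $value -ne 0)
            Effect = $c.Effect
        }
    }
}

function Clear-Restriction {
    # Deleting the value restores the Windows default (feature enabled). Setting it
    # to 0 would also work, but leaves a policy value behind for the next audit to flag.
    param([Parameter(Mandatory)]$State)
    Remove-ItemProperty -LiteralPath $State.Path -Name $State.Name -ErrorAction Stop
    "Removed $($State.Name) from $($State.Path)"
}

$state = Get-RestrictionState
$state | Format-Table Active, Name, Value, Effect -AutoSize

$active = @($state | Where-Object Active)
if ($active.Count -eq 0) {
    'No lockout policies are set.'
} elseif ($Restore) {
    $active | ForEach-Object { Clear-Restriction $_ }
    'Log off and back on (or restart explorer.exe) for the Explorer and Run-box changes to take effect.'
} else {
    "$($active.Count) restriction(s) active; re-run with -Restore to remove them."
}
```

    Run it once without -Restore to see what is set, and keep that output with the ComboFix log: the same values reappearing after a reboot is a reliable sign that a dropper or autorun entry survived the cleanup.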
     
  4. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hey Pieter ..........
    I ran the combofix application, and below is the log.

    harsha - 06-11-02 17:13:05.70 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\harsha\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\clsid\{86D4F12B-EC08-442F-BB20-4616C5CA23D8}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{86D4F12B-EC08-442F-BB20-4616C5CA23D8}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{86D4F12B-EC08-442F-BB20-4616C5CA23D8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{86D4F12B-EC08-442F-BB20-4616C5CA23D8}\InprocServer32]
    @="blank"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\clsid\{4D1F1053-ED85-4A9E-A53B-79EA17B297A7}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{4D1F1053-ED85-4A9E-A53B-79EA17B297A7}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{4D1F1053-ED85-4A9E-A53B-79EA17B297A7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\clsid\{4D1F1053-ED85-4A9E-A53B-79EA17B297A7}\InprocServer32]
    @="blank"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    Granting sedebugprivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\tracert.com
    C:\Program Files\outlook
    C:\WINDOWS\system32\components
    C:\Program Files\Common Files\{387B1F4E-0224-1033-0211-000930190001}
    C:\Program Files\Common Files\{F87B1F4E-0224-1033-0211-000930190001}


    ((((((((((((((((((((((((((((((( Files Created from 2006-10-02 to 2006-11-02 ))))))))))))))))))))))))))))))))))


    2006-10-31 16:23 724,992 --a------ C:\WINDOWS\iun6002.exe
    2006-10-29 12:01 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2006-10-29 12:01 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2006-10-29 12:01 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2006-10-29 02:12 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-28 14:30 89,184 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2006-10-28 13:29 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2006-10-28 12:02 98,304 --a------ C:\WINDOWS\system32\clipboard.exe
    2006-10-28 12:02 706,048 --a------ C:\WINDOWS\system32\libmcl-3.1.1.dll
    2006-10-28 12:02 3,423,744 --a------ C:\WINDOWS\system32\libfilefmt-1.1.0.dll
    2006-10-28 12:02 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.2.0.dll
    2006-10-28 07:46 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
    2006-10-28 07:46 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
    2006-10-28 07:46 38,912 --a------ C:\WINDOWS\system32\picn20.dll
    2006-10-28 07:46 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
    2006-10-27 19:59 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
    2006-10-26 17:19 18,432 --a------ C:\WINDOWS\ss3unstl.exe
    2006-10-26 17:17 471,040 --a------ C:\WINDOWS\dog4.scr
    2006-10-26 17:17 471,040 --a------ C:\WINDOWS\dog2.scr
    2006-10-26 17:16 12,288 --a------ C:\WINDOWS\impborl.dll
    2006-10-25 13:19 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
    2006-10-22 02:03 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-10-22 02:03 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2006-10-21 00:49 1,259 --a------ C:\WINDOWS\system32\ngv1d563.sys
    2006-10-12 13:57 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
    2006-10-12 11:51 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-12 11:51 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-12 11:51 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-10-03 00:34 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2006-10-03 00:34 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2006-10-03 00:34 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2006-10-03 00:34 635,486 --a------ C:\WINDOWS\system32\DivX.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-02 16:58 -------- d-------- C:\Program Files\WinRAR
    2006-10-31 18:12 -------- d-------- C:\Program Files\a-squared Anti-Malware
    2006-10-31 16:23 -------- d-------- C:\Program Files\No Trace
    2006-10-28 15:26 -------- d-------- C:\Documents and Settings\harsha\Application Data\Macromedia
    2006-10-28 15:12 -------- d-------- C:\Documents and Settings\harsha\Application Data\AdobeUM
    2006-10-28 15:12 -------- d-------- C:\Documents and Settings\harsha\Application Data\Adobe
    2006-10-28 15:09 -------- d-------- C:\Documents and Settings\harsha\Application Data\Mozilla
    2006-10-28 15:08 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-28 14:36 -------- d-------- C:\Documents and Settings\harsha\Application Data\DivX
    2006-10-28 14:29 -------- d-------- C:\Program Files\Common Files\Ahead
    2006-10-28 14:29 -------- d-------- C:\Program Files\Ahead
    2006-10-27 19:58 -------- d-------- C:\Program Files\TuneUp Utilities 2006
    2006-10-27 19:56 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-10-27 19:41 -------- d-------- C:\Program Files\MSN Messenger
    2006-10-26 17:12 -------- d-------- C:\Program Files\Screensavers.com
    2006-10-25 08:20 18888 --a------ C:\Documents and Settings\harsha\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-23 17:20 -------- d-------- C:\Program Files\Mystery Case Files - Prime Suspects
    2006-10-23 17:12 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-10-23 17:12 -------- d-------- C:\Program Files\Mystery Case Files Huntsville
    2006-10-22 02:04 -------- d-------- C:\Program Files\Norton Internet Security
    2006-10-21 09:05 -------- d-------- C:\Program Files\Webroot
    2006-10-21 08:26 -------- d-------- C:\Program Files\Softwin
    2006-10-21 08:24 -------- d-------- C:\Program Files\Common Files\Softwin
    2006-10-11 22:06 58880 --a------ C:\WINDOWS\system32\pnrpNsp.dll
    2006-10-11 22:06 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
    2006-10-11 22:06 313344 --a------ C:\WINDOWS\system32\p2pGraph.dll
    2006-10-11 22:06 153088 --a------ C:\WINDOWS\system32\p2p.dll
    2006-10-11 22:06 115712 --a------ C:\WINDOWS\system32\p2pnetsh.dll
    2006-10-11 22:06 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll
    2006-10-09 01:40 -------- d-------- C:\Program Files\OfficeUpdate11
    2006-10-07 09:18 2143 --a------ C:\Documents and Settings\harsha\Application Data\AdobeDLM.log
    2006-10-07 09:18 0 --a------ C:\Documents and Settings\harsha\Application Data\dm.ini
    2006-10-07 09:17 -------- d-------- C:\Program Files\Adobe
    2006-09-24 22:37 -------- d-------- C:\Program Files\Java
    2006-09-24 22:30 -------- d-------- C:\Program Files\LimeWire
    2006-09-24 03:09 -------- d-------- C:\Program Files\Windows Defender
    2006-09-21 16:09 -------- d-------- C:\Program Files\ADSL Router
    2006-09-13 10:31 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-11 16:30 275112 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
    2006-09-11 16:30 243368 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
    2006-09-11 16:30 24232 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
    2006-09-03 01:05 613056 --a------ C:\WINDOWS\system32\SymNeti.dll
    2006-09-03 01:05 36032 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
    2006-09-03 01:05 239808 --a------ C:\WINDOWS\system32\SymRedir.dll
    2006-09-03 01:05 186048 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
    2006-09-03 01:04 39104 --a------ C:\WINDOWS\system32\drivers\symids.sys
    2006-09-03 01:04 33216 --a------ C:\WINDOWS\system32\drivers\symndis.sys
    2006-09-03 01:04 26432 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
    2006-09-03 01:04 144832 --a------ C:\WINDOWS\system32\drivers\symfw.sys
    2006-09-03 01:04 11968 --a------ C:\WINDOWS\system32\drivers\symdns.sys
    2006-08-25 21:15 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-08-21 17:51 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 14:44 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 17:28 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-08-11 04:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-11 04:33 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-08-08 17:13 8464 --a------ C:\WINDOWS\system32\sporder.dll
    2006-08-07 19:19 720896 --a------ C:\WINDOWS\iun6002ev.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c0,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoRun"=dword:00000000
    "NoViewContextMenu"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^harsha^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "location"="Startup"
    "command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
    "item"="LimeWire On Startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CameraFixer"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\CameraFixer.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "inimapping"="0"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccRegVfy"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clipboard.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="clipboard"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\clipboard.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dfndrff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\dfndrff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DAP"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hkcmd"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="igfxtray"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ipwins"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ipwins\\ipwins.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kybrdff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\kybrdff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loaddr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gffapp"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MsnMsgr"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NEWDOT~1"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwnmff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\nwnmff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="osCheck"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="outlook"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReJf5vH]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iraujvk"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="vsnpstd3"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\vsnpstd3.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunnyGames_WhenUSave_Installer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SunnyGames_WhenUSave_Installer"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SAcc"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tsnpstd3"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\tsnpstd3.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urywxnl.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="urywxnl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\urywxnl.dll,xtqanlc"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MSASCui"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winlog"
    "hkey"="HKLM"
    "command"="winlog.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YAHOOM~1"
    "hkey"="HKCU"
    "command"="\"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=dword:00000003
    "SNDSrvc"=dword:00000003

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineqx32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\1-Click Maintenance.job
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - harsha.job

    Completion time: 06-11-02 17:18:11.76
    C:\ComboFix.txt ... 06-11-02 17:18
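    The "Other Deletions" list in the log above shows what was behind the "Regedit is not a valid win32 application" error from the first post: the worm had dropped cmd.com, regedit.com, taskkill.com and other .com files next to the real tools in System32. When a bare name such as regedit is typed into the Run box, Windows tries the extensions in PATHEXT order, and .COM comes before .EXE by default, so the dropped file runs instead of regedit.exe; a damaged or half-removed shadow file produces exactly that error. As an added PowerShell example, not from the thread or from ComboFix, the script below confirms that precedence on the local machine and lists .com files in the system directories that shadow a same-named .exe. The allow-list of genuine Microsoft .com files and the set of directories scanned are the author's assumptions.

```powershell
# Added example, not code from the thread or from ComboFix. Lists *.com files in
# the Windows system directories whose base name collides with a legitimate *.exe,
# the pattern seen in the log's "Other Deletions" section (cmd.com, regedit.com,
# tasklist.com, ...). Assumption: the directories below are the ones on PATH worth
# checking; the allow-list is a constructed short list of .com files Windows ships.
param(
    [string[]]$Directories = @("$env:SystemRoot\system32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot")
)

$KnownGood = @('chcp.com', 'diskcomp.com', 'diskcopy.com', 'format.com', 'mode.com', 'more.com', 'tree.com')

function Get-ComPrecedence {
    # When a bare name like "regedit" is typed, the shell tries each PATHEXT extension
    # in the listed order; report whether .COM is tried before .EXE on this machine.
    $exts = @(($env:PATHEXT -split ';') | ForEach-Object { $_.Trim().ToUpper() })
    $com  = [array]::IndexOf($exts, '.COM')
    $exe  = [array]::IndexOf($exts, '.EXE')
    [pscustomobject]@{
        PathExt      = ($exts -join ';')
        ComBeforeExe = ($com -ge 0) -and ($exe -lt 0 -or $com -lt $exe)
    }
}

function Find-ComShadows {
    # Every .com file that sits beside an .exe of the same base name and is not on
    # the allow-list, with its size and creation time for correlation against the log.
    param([string[]]$Dirs = $Directories)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.com' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $exeTwin = Join-Path $dir ($_.BaseName + '.exe')
            [pscustomobject]@{
                File       = $_.FullName
                SizeBytes  = $_.Length
                Created    = $_.CreationTime
                ShadowsExe = (Test-Path -LiteralPath $exeTwin)
                KnownGood  = ($KnownGood -contains $_.Name.ToLower())
            }
        } | Where-Object { $_.ShadowsExe -and -not $_.KnownGood }
    }
}

Get-ComPrecedence | Format-List
$hits = @(Find-ComShadows)
if ($hits.Count -eq 0) {
    'No suspicious .com shadows found.'
} else {
    $hits | Sort-Object Created | Format-Table Created, SizeBytes, File -AutoSize
}
```

    The creation times it reports line up with the "Files Created" section of a ComboFix log, which is how you tell a dropped shadow from something a legitimate installer placed. Quarantine hits by moving them out of the directory rather than deleting on the spot, so a false positive can be put back.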
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Oh boy. They did make a mess, didn't they? :gack:

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by double-clicking BFU.exe
    • Behind the "Scriptline to execute" field, click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
    • Press Execute and let it do its job. Do not be scared because your taskbar and desktop will disappear for a short while.
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Then copy the part in the QUOTE box below into Notepad and save the file in the same folder as BFU.exe as restrun.bfu.
    Set "Save as type" to "All files".

    Run BFU again and this time let it execute restrun.bfu.

    Reboot when it is done and let me know if you have any problems left to be dealt with.
     
  6. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Thanks Pieter,
    I ran the file as you said.
    Everything seems to be ok now.
    I ran ComboFix again for you to see if there is anything still wrong on my system.
    Below is the log:

    harsha - 06-11-03 18:53:52.90 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\harsha\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-03 to 2006-11-03 ))))))))))))))))))))))))))))))))))


    2006-11-02 18:33 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
    2006-11-02 18:33 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
    2006-11-02 18:33 1,212,928 --a------ C:\WINDOWS\system32\Incinerator.dll
    2006-10-31 16:23 724,992 --a------ C:\WINDOWS\iun6002.exe
    2006-10-29 12:01 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2006-10-29 12:01 27,136 --a------ C:\WINDOWS\system32\irmon.dll
    2006-10-29 12:01 152,576 --a------ C:\WINDOWS\system32\irftp.exe
    2006-10-29 02:12 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-10-28 14:30 89,184 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
    2006-10-28 13:29 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2006-10-28 12:02 98,304 --a------ C:\WINDOWS\system32\clipboard.exe
    2006-10-28 12:02 706,048 --a------ C:\WINDOWS\system32\libmcl-3.1.1.dll
    2006-10-28 12:02 3,423,744 --a------ C:\WINDOWS\system32\libfilefmt-1.1.0.dll
    2006-10-28 12:02 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.2.0.dll
    2006-10-28 07:46 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
    2006-10-28 07:46 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
    2006-10-28 07:46 38,912 --a------ C:\WINDOWS\system32\picn20.dll
    2006-10-28 07:46 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
    2006-10-27 19:59 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
    2006-10-26 17:19 18,432 --a------ C:\WINDOWS\ss3unstl.exe
    2006-10-26 17:17 471,040 --a------ C:\WINDOWS\dog4.scr
    2006-10-26 17:17 471,040 --a------ C:\WINDOWS\dog2.scr
    2006-10-26 17:16 12,288 --a------ C:\WINDOWS\impborl.dll
    2006-10-25 13:19 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
    2006-10-22 02:03 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-10-22 02:03 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2006-10-21 00:49 1,259 --a------ C:\WINDOWS\system32\ngv1d563.sys
    2006-10-12 13:57 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
    2006-10-12 11:51 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2006-10-12 11:51 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2006-10-12 11:51 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2006-10-12 11:51 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2006-10-03 00:34 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2006-10-03 00:34 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2006-10-03 00:34 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2006-10-03 00:34 635,486 --a------ C:\WINDOWS\system32\DivX.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-02 16:58 -------- d-------- C:\Program Files\WinRAR
    2006-10-31 18:12 -------- d-------- C:\Program Files\a-squared Anti-Malware
    2006-10-31 16:23 -------- d-------- C:\Program Files\No Trace
    2006-10-28 15:26 -------- d-------- C:\Documents and Settings\harsha\Application Data\Macromedia
    2006-10-28 15:12 -------- d-------- C:\Documents and Settings\harsha\Application Data\AdobeUM
    2006-10-28 15:12 -------- d-------- C:\Documents and Settings\harsha\Application Data\Adobe
    2006-10-28 15:09 -------- d-------- C:\Documents and Settings\harsha\Application Data\Mozilla
    2006-10-28 15:08 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-28 14:36 -------- d-------- C:\Documents and Settings\harsha\Application Data\DivX
    2006-10-28 14:29 -------- d-------- C:\Program Files\Common Files\Ahead
    2006-10-28 14:29 -------- d-------- C:\Program Files\Ahead
    2006-10-27 19:58 -------- d-------- C:\Program Files\TuneUp Utilities 2006
    2006-10-27 19:56 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2006-10-27 19:41 -------- d-------- C:\Program Files\MSN Messenger
    2006-10-26 17:12 -------- d-------- C:\Program Files\Screensavers.com
    2006-10-25 08:20 18888 --a------ C:\Documents and Settings\harsha\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-23 17:20 -------- d-------- C:\Program Files\Mystery Case Files - Prime Suspects
    2006-10-23 17:12 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-10-23 17:12 -------- d-------- C:\Program Files\Mystery Case Files Huntsville
    2006-10-22 02:04 -------- d-------- C:\Program Files\Norton Internet Security
    2006-10-21 09:05 -------- d-------- C:\Program Files\Webroot
    2006-10-21 08:26 -------- d-------- C:\Program Files\Softwin
    2006-10-21 08:24 -------- d-------- C:\Program Files\Common Files\Softwin
    2006-10-20 22:55 -------- d-------- C:\Program Files\Google
    2006-10-11 22:06 58880 --a------ C:\WINDOWS\system32\pnrpNsp.dll
    2006-10-11 22:06 553984 --a------ C:\WINDOWS\system32\p2psvc.dll
    2006-10-11 22:06 313344 --a------ C:\WINDOWS\system32\p2pGraph.dll
    2006-10-11 22:06 153088 --a------ C:\WINDOWS\system32\p2p.dll
    2006-10-11 22:06 115712 --a------ C:\WINDOWS\system32\p2pnetsh.dll
    2006-10-11 22:06 104960 --a------ C:\WINDOWS\system32\p2pgasvc.dll
    2006-10-09 01:40 -------- d-------- C:\Program Files\OfficeUpdate11
    2006-10-07 09:18 2143 --a------ C:\Documents and Settings\harsha\Application Data\AdobeDLM.log
    2006-10-07 09:18 0 --a------ C:\Documents and Settings\harsha\Application Data\dm.ini
    2006-10-07 09:17 -------- d-------- C:\Program Files\Adobe
    2006-09-24 22:37 -------- d-------- C:\Program Files\Java
    2006-09-24 22:30 -------- d-------- C:\Program Files\LimeWire
    2006-09-24 03:09 -------- d-------- C:\Program Files\Windows Defender
    2006-09-21 16:09 -------- d-------- C:\Program Files\ADSL Router
    2006-09-13 10:31 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-11 16:30 275112 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
    2006-09-11 16:30 243368 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
    2006-09-11 16:30 24232 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
    2006-09-03 01:05 613056 --a------ C:\WINDOWS\system32\SymNeti.dll
    2006-09-03 01:05 36032 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
    2006-09-03 01:05 239808 --a------ C:\WINDOWS\system32\SymRedir.dll
    2006-09-03 01:05 186048 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
    2006-09-03 01:04 39104 --a------ C:\WINDOWS\system32\drivers\symids.sys
    2006-09-03 01:04 33216 --a------ C:\WINDOWS\system32\drivers\symndis.sys
    2006-09-03 01:04 26432 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
    2006-09-03 01:04 144832 --a------ C:\WINDOWS\system32\drivers\symfw.sys
    2006-09-03 01:04 11968 --a------ C:\WINDOWS\system32\drivers\symdns.sys
    2006-08-25 21:15 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-08-21 17:51 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 14:44 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 17:28 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-08-11 04:34 73728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-08-11 04:33 196608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-08-08 17:13 8464 --a------ C:\WINDOWS\system32\sporder.dll
    2006-08-07 19:19 720896 --a------ C:\WINDOWS\iun6002ev.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic 6\\SMSystemAnalyzer.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c0,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,18,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^harsha^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "location"="Startup"
    "command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
    "item"="LimeWire On Startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraFixer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CameraFixer"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\CameraFixer.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "inimapping"="0"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccRegVfy"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clipboard.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="clipboard"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\clipboard.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dfndrff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\dfndrff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DAP"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hkcmd"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="igfxtray"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ipwins"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ipwins\\ipwins.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="kybrdff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\kybrdff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loaddr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gffapp"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MsnMsgr"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NEWDOT~1"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwnmff_e33"
    "hkey"="HKLM"
    "command"="C:\\\\nwnmff_e33.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="osCheck"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="outlook"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReJf5vH]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iraujvk"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="vsnpstd3"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\vsnpstd3.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunnyGames_WhenUSave_Installer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SunnyGames_WhenUSave_Installer"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SAcc"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tsnpstd3"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\tsnpstd3.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urywxnl.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="urywxnl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\urywxnl.dll,xtqanlc"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MSASCui"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winlog"
    "hkey"="HKLM"
    "command"="winlog.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YAHOOM~1"
    "hkey"="HKCU"
    "command"="\"C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=dword:00000003
    "SNDSrvc"=dword:00000003

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\1-Click Maintenance.job
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - harsha.job

    Completion time: 06-11-03 18:56:14.79
    C:\ComboFix.txt ... 06-11-03 18:56
    C:\ComboFix2.txt ... 06-11-02 17:18




    Please check the log and tell me if I need to do anything else.
    I am just an intermediate user and I don't know much about these things.

    My sister's computer has also been affected by the virus.
    I have asked her to run the combofix and she will give me the log file for her computer on Sunday.



    Thanks ..........
    Regards........

    I Owe You One.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    It looks like the infecting files survived the ordeal:
    Can you please delete:
    C:\WINDOWS\iun6002ev.exe
    C:\WINDOWS\iun6002.exe
    (Be careful not to double-click them)
    I would advise a thorough scan with a good antivirus of your computer to check for the presence of any other leftovers.
    My script is designed to make the computer operable again, but it is not a "solve all in one strike" solution.

    You also have a lot of entries disabled with Msconfig that are related to the infection.

    Do you want to get rid of those? (There is no real need as long as you are aware of them.)

    Regards,
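As an added example for readers of the log above (not code from ComboFix or from any poster), a small Python triage script that parses ComboFix's "Reg Loading Points" section and flags the items Pieter points at: autostart commands that run from odd locations, including the Msconfig-disabled entries kept under msconfig\startupreg, plus the Explorer/System policy values that disable Task Manager, regedit and the Run box, the symptoms the thread opened with. The sample lines are adapted from the logs posted in this thread, and the rules are heuristics of my own, not ComboFix's.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example;
not ComboFix code or any poster's). Flags autostart commands that run from odd
places, including the msconfig 'startupreg' copies of entries disabled with
Msconfig, and the policy values that lock out Task Manager, regedit and Run."""
import re
from collections import namedtuple

# Constructed sample: lines adapted from the two ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
"SVCHOST"="C:\\WINDOWS\\system\\svhost.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"item"="dfndrff_e33"
"command"="C:\\\\dfndrff_e33.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
"item"="winlog"
"command"="winlog.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\urywxnl.dll]
"item"="urywxnl"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\urywxnl.dll,xtqanlc"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"item"="MSASCui"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"""

# kind: "autostart", "disabled-autostart" or "policy"; name: value or msconfig item
Finding = namedtuple("Finding", "kind key name detail")
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<val>.*)$')
_LOCKDOWN = {  # key suffix -> {policy value: effect when set to 1}
    "\\policies\\system": {"DisableTaskMgr": "Task Manager disabled",
                           "DisableRegistryTools": "regedit disabled"},
    "\\policies\\explorer": {"NoRun": "Start menu Run box removed"}}

def parse_reg_points(text: str) -> dict:
    """Map each [key] to its string and dword values; hex blobs are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = keys.setdefault(m.group("key"), {})
        elif (m := _VAL_RE.match(line)) and current is not None:
            val = m.group("val")
            if val.startswith("dword:"):
                current[m.group("name")] = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                # undo .reg escaping: a backslash before a backslash or a quote
                current[m.group("name")] = re.sub(r'\\([\\"])', r"\1", val[1:-1])
    return keys

def target_of(command: str) -> str:
    """Path a Run command executes; for rundll32, the DLL it is told to load."""
    cmd = command.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else cmd.partition(" ")[::2]
    if exe.lower().endswith("rundll32.exe"):
        exe = rest.strip().partition(",")[0].strip('"') or exe
    return re.sub(r"\\+", r"\\", exe)  # collapse doubled separators left by .reg

def suspicious_reasons(command: str) -> list:
    """Heuristic reasons an autostart command deserves a closer look."""
    target = target_of(command)
    folder, sep, base = target.lower().rpartition("\\")
    checks = [
        (target and not sep, "bare file name, resolved through the search path"),
        (re.fullmatch(r"[a-z]:", folder), "runs from the drive root"),
        (folder.endswith("\\windows\\system"), "runs from WINDOWS\\system, not system32"),
        (base != "svchost.exe" and ("svchost" in base or "svhost" in base),
         "file name imitates svchost.exe"),
        (base.endswith(".dll"), "DLL loaded via rundll32; confirm it is a known component"),
    ]
    return [reason for hit, reason in checks if hit]

def triage(log_text: str) -> list:
    """Run the autostart and policy checks over a whole ComboFix log."""
    findings = []
    for key, vals in parse_reg_points(log_text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):      # live Run entries
            cmds = [("autostart", n, c) for n, c in vals.items()]
        elif "\\msconfig\\startupreg\\" in k:         # entries disabled in Msconfig
            cmds = [("disabled-autostart", str(vals.get("item", "")), vals.get("command"))]
        else:
            cmds = []
        for kind, name, cmd in cmds:
            if isinstance(cmd, str):
                findings += [Finding(kind, key, name, w) for w in suspicious_reasons(cmd)]
        for suffix, checks in _LOCKDOWN.items():
            if k.endswith(suffix):
                findings += [Finding("policy", key, n, what)
                             for n, what in checks.items() if vals.get(n) == 1]
    return findings
```

Run `triage(open("ComboFix.txt").read())` on a real log; the policy findings explain a greyed-out Task Manager or a missing Run box directly, while the autostart findings are leads to check, not verdicts.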
     
  8. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Yes, I would like to remove all traces of the virus ........

    Please advise how to do so .......... also I have downloaded and run the latest version of Norton Internet Security 2007 but it has been of no use.

    Could you advise which antivirus I should be using?

    Regards,

    Crazy
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    BEFORE performing the steps below, look for the 2 files Pieter mentioned and upload them to this site: http://www.virustotal.com/en/indexf.html
    for scanning.
    --------------------------------------------------------------------------

    According to Pieter about those files surviving the ordeal, maybe this tool will take care of them:

    Go to: http://www.excessive-software.eu.tt/
    Look for Advanced File Remover and download it. Use a decompression program like WinRAR to open the program.

    Search for the files Pieter mentioned and get Advanced File Remover to remove them.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    If you already have an antivirus installed, it may be better to do an online scan.
    Can you surf to:
    http://www.kaspersky.com/virusscanner
    Use the Kaspersky Online Scanner and follow the prompts.
    Please save the report and post the content.

    Regards,

    Pieter
     
  11. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hi Pieter,
    I have deleted both the files.
    Ran the KASPERSKY Scan as advised.
    Below is the report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, November 05, 2006 6:50:26 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 4/11/2006
    Kaspersky Anti-Virus database records: 224777
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 42974
    Number of viruses found: 0
    Number of infected objects: 0 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:31:14

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\TMP00000050C22F8F1379CC262E Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{C333E761-7CE7-47DF-8759-876A2175D9D9}.bin Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-09242006-031032.log Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\harsha\ntuser.dat Object is locked skipped
    C:\Documents and Settings\harsha\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\harsha\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\harsha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\harsha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\harsha\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\harsha\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\harsha\Incomplete\T-208198743-Norton AntiVirus 2006 With Full Activation Instructions.zip Object is locked skipped
    C:\Documents and Settings\harsha\Incomplete\T-226451460-My.First.Sex.Teacher.-.Mrs.Chelsea.Zinn.mpg Object is locked skipped
    C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

    Scan process completed.
     
  12. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hi Pieter,
    I had earlier told you about my sister's computer also being infected with the coolpics.com virus.
    I ran the combofix on her computer.
    The following is the log for her computer:

    wadey - Fri 11/03/2006 21:28:17.76 Service Pack 1
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\wadey\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011/03/2006 ))))))))))))))))))))))))))))))))))


    No new files created in this timespan


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2012/12/2002 12:14 AM 7424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
    2012/12/2002 12:14 AM 5504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
    2012/12/2002 12:14 AM 5248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
    2012/12/2002 12:14 AM 4096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
    2012/12/2002 12:14 AM 130304 --a------ C:\WINDOWS\system32\drivers\ks.sys
    2012/11/2005 08:40 PM 1414656 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "BigDog303"="C:\\WINDOWS\\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)"
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "SoundMax"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
    "SVCHOST"="C:\\WINDOWS\\system\\svhost.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableTaskMgr"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoRun"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cli"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HDAShCut"
    "hkey"="HKLM"
    "command"="HDAShCut.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Smax4"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="smax4pnp"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - wadey.job

    Completion time: Fri 11/03/2006 21:28:42.54
    C:\ComboFix.txt ... 11/03/2006 09:28 PM


    Please suggest what should be done.
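The "Reg Loading Points" block in the log above is where the hijacker shows itself: two Run entries pointing at C:\WINDOWS\system\svchost32.exe and svhost.exe (the real service host is svchost.exe in system32), plus the policy values that disabled regedit, Task Manager and the Run box. As an added example, not code from the thread, ComboFix or BFU, here is a Python triage routine that parses that section and flags both patterns; the log excerpt embedded in it is constructed from the entries above.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this thread; not code from the forum, ComboFix or BFU.
It parses the [HKEY_...] blocks with their "name"=data lines and flags the
two things a helper looks for in this log: lockout policies (regedit, Task
Manager and the Run box disabled, the symptoms the poster described) and
Run entries whose binary borrows the service-host name while living outside
system32 (C:\WINDOWS\system\svchost32.exe, C:\WINDOWS\system\svhost.exe).
"""
import re
from typing import Dict, List, Tuple

# Policy values the hijacker set to 1, each mapped to the symptom it causes.
LOCKOUT_POLICIES = {
    "disableregistrytools": "regedit blocked",
    "disabletaskmgr": "Task Manager disabled",
    "norun": "Run box removed from the Start menu",
}
# The real service host is svchost.exe in system32; anything else with a
# svchost/svhost-style name (svhost.exe, svchost32.exe, ...) is suspect.
SVCHOST_LOOKALIKE = re.compile(r"^svc?host\d*\.exe$", re.IGNORECASE)
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SVCHOST"="C:\\WINDOWS\\system\\svhost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
'''


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key (lower-cased): {value name: raw data}}.

    Hex values that the log wraps with a trailing backslash are folded
    back into a single string.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    last_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("key").lower()
            sections.setdefault(current, {})
            last_name = None
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if val:
            last_name = val.group("name")
            sections[current][last_name] = val.group("data")
        elif last_name is not None:
            # continuation line of a wrapped hex value
            prev = sections[current][last_name].rstrip("\\")
            sections[current][last_name] = prev + line
    return sections


def reg_string(data: str) -> str:
    """Decode a .reg-style quoted string, undoing the backslash escapes."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def command_image(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def triage(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (registry path, reason) pairs that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    for key, values in sections.items():
        if "\\policies\\" in key:
            for name, data in values.items():
                reason = LOCKOUT_POLICIES.get(name.lower())
                if reason and data.lower() == "dword:00000001":
                    findings.append((f"{key}\\{name}", f"lockout policy set: {reason}"))
        elif key.endswith("\\currentversion\\run"):
            for name, data in values.items():
                image = command_image(reg_string(data))
                directory, _, basename = image.rpartition("\\")
                if SVCHOST_LOOKALIKE.match(basename) and directory.lower() not in LEGIT_SVCHOST_DIRS:
                    findings.append((f"{key}\\{name}",
                                     f"service-host lookalike outside system32: {image}"))
    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Parse a log excerpt and return its findings in one step."""
    return triage(parse_reg_points(text))


if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {path}")
```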
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Your KAV scan looks clean, although not completely fit for people that are under-age. ;)

    Your sister has the honour to be my first try-out victim. :)

    You can obviously skip the first part since she already ran ComboFix and the line is present. But follow the rest of the instructions I posted here:
    http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html

    Let me know if it works, please.

    Regards,

    Pieter
     
  14. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hi Pieter,
    Ran the coolpics.bfu file on my sister's computer.
    I don't know if it ran completely, as it ran only for a few seconds and then closed.

    The following is the log:


    wadey - 06-11-10 23:08:37.45 Service Pack 1
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\wadey\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


    2006-11-10 14:00 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2006-11-10 14:00 123,488 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2006-11-08 10:38 66,048 --a------ C:\BFU.exe
    2006-10-28 21:55 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
    2006-10-28 21:55 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
    2006-10-28 21:55 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
    2006-10-28 21:55 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-10-28 21:55 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
    2006-10-28 21:47 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
    2006-10-28 21:47 41,240 --a------ C:\WINDOWS\system32\wups.dll
    2006-10-28 21:47 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
    2006-10-28 21:47 18,200 --a------ C:\WINDOWS\system32\wups2.dll
    2006-10-28 21:47 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
    2006-10-28 21:47 127,256 --a------ C:\WINDOWS\system32\wucltui.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-10 22:18 -------- d-------- C:\Program Files\WinZip
    2006-11-10 14:00 -------- d-------- C:\Program Files\Symantec AntiVirus
    2006-11-10 14:00 -------- d-------- C:\Program Files\Symantec
    2006-11-08 07:09 -------- d-------- C:\Program Files\Adobe
    2006-10-29 10:33 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-10-24 13:23 -------- d-------- C:\Program Files\Mystery Case Files - Prime Suspects
    2006-10-24 13:23 -------- d-------- C:\Program Files\BFG
    2006-10-24 12:46 -------- d-------- C:\Program Files\Mystery Case Files Huntsville
    2006-10-24 12:45 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-10-10 22:06 -------- d-------- C:\Program Files\Singapore Airlines PC Timetable
    2006-10-06 12:20 -------- d-------- C:\Documents and Settings\wadey\Application Data\LimeWire
    2006-10-06 12:19 -------- d-------- C:\Program Files\Java
    2006-10-06 12:17 -------- d-------- C:\Program Files\Common Files\Java
    2006-10-06 12:16 -------- d-------- C:\Program Files\LimeWire
    2006-10-06 11:47 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-10-06 11:46 -------- d-------- C:\Documents and Settings\wadey\Application Data\Real
    2006-10-02 07:48 -------- d-------- C:\Documents and Settings\wadey\Application Data\PlayFirst
    2006-09-19 15:15 -------- d-------- C:\Documents and Settings\wadey\Application Data\Ahead
    2006-08-30 23:25 774144 --a------ C:\Program Files\RngInterstitial.dll
    2006-08-29 12:47 0 -rahs---- C:\MSDOS.SYS
    2006-08-29 12:47 0 -rahs---- C:\IO.SYS
    2006-08-29 12:47 0 --a------ C:\CONFIG.SYS
    2006-08-29 12:47 0 --a------ C:\AUTOEXEC.BAT
    2006-08-29 12:40 62 --ahs---- C:\Documents and Settings\wadey\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "BigDog303"="C:\\WINDOWS\\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)"
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "SoundMax"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
    "Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cli"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HDAShCut"
    "hkey"="HKLM"
    "command"="HDAShCut.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Smax4"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="smax4pnp"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - wadey.job

    Completion time: 06-11-10 23:08:57.95
    C:\ComboFix3.txt ... 06-11-10 22:51
    C:\ComboFix2.txt ... 06-11-10 23:02
    C:\ComboFix.txt ... 06-11-10 23:08


    Please go through the log and advise.
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    It's only a short script and it looks like it did the job. :cool:

    Or is there any reason to assume that it didn't remove the hijacker fully?

    Regards,

    Pieter
     
  16. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hi Pieter,

    No, I was just worried as the BFU ran only for a few seconds.
    So I was worried whether it actually worked.


    But I think it has been removed, as now I can't see coolpics.com in the status message on my sister's computer.



    Lotsa Thanks,
    Mahesh
     
  17. jackson_love

    jackson_love Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    2
    Hey Pieter ..........
    I ran the combofix application, and below is the log.
    jack - 06-11-11 16:28:01.45 Service Pack 2
    ComboFix 06.11.9 - Running from: "D:\Program Files\Free Download Manager"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


    2006-11-10 17:48 7,103 --a------ D:\WINDOWS\system32\dlh9jkdq7.exe
    2006-11-10 17:48 7,103 --a------ D:\WINDOWS\system32\dlh9jkdq6.exe
    2006-11-10 17:47 4,547 --a------ D:\WINDOWS\system32\dlh9jkdq5.exe
    2006-11-10 17:47 2,518 --a------ D:\WINDOWS\system32\dlh9jkdq1.exe
    2006-11-10 17:47 19,903 --a------ D:\WINDOWS\system32\dlh9jkdq2.exe
    2006-11-10 17:47 16 --a------ D:\WINDOWS\system32\dlh9jkdq8.exe
    2006-11-10 16:06 286,720 --a------ D:\WINDOWS\iun506.exe
    2006-11-06 22:43 317,952 --a------ D:\WINDOWS\system32\roboex32.dll
    2006-11-05 14:59 175 --a------ D:\WINDOWS\REG.reg
    2006-10-28 14:02 12,208 --ahs---- D:\WINDOWS\system32\KGyGaAvL.sys
    2006-10-26 23:46 56 -r-hs---- D:\WINDOWS\system32\DECDA1E794.sys
    2006-10-23 14:23 97,280 --a------ D:\WINDOWS\system32\rarv1032.DLL
    2006-10-23 14:23 90,624 --a------ D:\WINDOWS\system32\pnc32301.DLL
    2006-10-23 14:23 9,728 --a------ D:\WINDOWS\system32\rmevents.DLL
    2006-10-23 14:23 87,040 --a------ D:\WINDOWS\system32\ra32sipr.DLL
    2006-10-23 14:23 85,504 --a------ D:\WINDOWS\system32\encdnet.DLL
    2006-10-23 14:23 81,920 --a------ D:\WINDOWS\system32\ra3214_4.DLL
    2006-10-23 14:23 72,704 --a------ D:\WINDOWS\system32\ra3228_8.DLL
    2006-10-23 14:23 72,192 --a------ D:\WINDOWS\system32\ra32clv1.DLL
    2006-10-23 14:23 61,952 --a------ D:\WINDOWS\system32\rmmerge2.DLL
    2006-10-23 14:23 413,760 --a------ D:\WINDOWS\system32\mpg4c32.dll
    2006-10-23 14:23 278,016 --a------ D:\WINDOWS\system32\VCT3216.dll
    2006-10-23 14:23 269,312 --a------ D:\WINDOWS\system32\clrvidcc.DLL
    2006-10-23 14:23 21,504 --a------ D:\WINDOWS\system32\ra32dnet.DLL
    2006-10-23 14:23 203,776 --a------ D:\WINDOWS\system32\clrviddc.DLL
    2006-10-23 14:23 19,968 --a------ D:\WINDOWS\system32\ra32rv10.DLL
    2006-10-23 14:23 163,840 --a------ D:\WINDOWS\system32\pnen3230.DLL
    2006-10-23 14:23 146,944 --a------ D:\WINDOWS\system32\rarv10en.DLL
    2006-10-23 14:23 131,072 --a------ D:\WINDOWS\system32\pneng50.DLL
    2006-10-23 14:23 130,560 --a------ D:\WINDOWS\system32\pnc3250.DLL
    2006-10-23 14:23 130,048 --a------ D:\WINDOWS\system32\pnc32401.DLL
    2006-10-22 23:11 737,280 --a------ D:\WINDOWS\iun6002.exe
    2006-10-21 12:43 8,096 --------- D:\WINDOWS\system32\drivers\MASPINT.SYS
    2006-10-21 12:43 30,208 --------- D:\WINDOWS\system32\WNASPI32.DLL
    2006-10-21 12:38 81,924 --------- D:\WINDOWS\system32\drivers\VC4CB104.SYS
    2006-10-21 12:38 401,408 --a------ D:\WINDOWS\system32\FE05F3D6.dll
    2006-10-21 12:38 401,408 --a------ D:\WINDOWS\system32\FE05EFED.dll
    2006-10-21 12:38 299,008 --a------ D:\WINDOWS\system32\FE05F3D5.dll
    2006-10-21 12:38 299,008 --a------ D:\WINDOWS\system32\FE05F051.dll
    2006-10-21 12:38 299,008 --a------ D:\WINDOWS\system32\FE05DA0D.dll
    2006-10-21 12:38 274,432 --a------ D:\WINDOWS\system32\FFTIFF16.dll
    2006-10-21 12:38 159,744 --a------ D:\WINDOWS\system32\FFRAFLIB.DLL
    2006-10-21 12:38 106,496 --a------ D:\WINDOWS\system32\FPXS2Pro.dll
    2006-10-21 12:37 69,632 --------- D:\WINDOWS\system32\FREGSHEX.DLL
    2006-10-21 12:37 65,536 --------- D:\WINDOWS\system32\FINFCHECK.dll
    2006-10-21 12:37 45,056 --------- D:\WINDOWS\system32\FINFCOPY.dll
    2006-10-21 12:37 45,056 --------- D:\WINDOWS\system32\FCLKBTN.DLL
    2006-10-21 07:41 278,528 --a------ D:\WINDOWS\system32\livesnth.dll
    2006-10-20 21:35 85,376 --a------ D:\WINDOWS\system32\drivers\NABTSFEC.sys
    2006-10-20 21:35 53,760 --a------ D:\WINDOWS\system32\drivers\vfwwdm32.dll
    2006-10-20 21:35 5,504 --a------ D:\WINDOWS\system32\drivers\MSTEE.sys
    2006-10-20 21:35 19,328 --a------ D:\WINDOWS\system32\drivers\WSTCODEC.SYS
    2006-10-20 21:35 17,024 --a------ D:\WINDOWS\system32\drivers\CCDECODE.sys
    2006-10-20 21:35 15,360 --a------ D:\WINDOWS\system32\drivers\StreamIP.sys
    2006-10-20 21:35 11,136 --a------ D:\WINDOWS\system32\drivers\SLIP.sys
    2006-10-20 21:35 10,880 --a------ D:\WINDOWS\system32\drivers\NdisIP.sys
    2006-10-20 21:34 82,148 --a------ D:\WINDOWS\system32\drivers\VcommMgr.sys
    2006-10-20 21:34 77,824 -ra------ D:\WINDOWS\system32\drivers\SioUi2k.dll
    2006-10-20 21:34 7,680 --a------ D:\WINDOWS\system32\btinstall.dll
    2006-10-20 21:34 63,488 -ra------ D:\WINDOWS\system32\drivers\wssbtr1f.sys
    2006-10-20 21:34 61,312 --a------ D:\WINDOWS\system32\drivers\VComm.sys
    2006-10-20 21:34 51,169 -ra------ D:\WINDOWS\system32\drivers\OXSER.SYS
    2006-10-20 21:34 49,152 --a------ D:\WINDOWS\system32\btfunc.dll
    2006-10-20 21:34 48,556 -ra------ D:\WINDOWS\system32\drivers\SktBt2k.sys
    2006-10-20 21:34 48,076 -ra------ D:\WINDOWS\system32\drivers\Sio9502k.sys
    2006-10-20 21:34 40,960 -ra------ D:\WINDOWS\system32\drivers\SCTray.exe
    2006-10-20 21:34 28,271 --a------ D:\WINDOWS\system32\drivers\BTHidMgr.sys
    2006-10-20 21:34 23,000 --a------ D:\WINDOWS\system32\drivers\btcusb.sys
    2006-10-20 21:34 20,480 --a------ D:\WINDOWS\system32\drivers\blueletaudio.sys
    2006-10-20 21:34 148,830 --a------ D:\WINDOWS\system32\drivers\bcbthub.sys
    2006-10-20 21:34 13,304 --a------ D:\WINDOWS\system32\drivers\BTNetFilter.sys
    2006-10-20 21:34 116,021 --a------ D:\WINDOWS\system32\drivers\fw203x.sys
    2006-10-20 21:34 11,860 --a------ D:\WINDOWS\system32\drivers\VBTEnum.sys
    2006-10-20 21:34 11,736 --a------ D:\WINDOWS\system32\drivers\VHIDMini.sys
    2006-10-20 21:34 10,804 --a------ D:\WINDOWS\system32\drivers\BtNetDrv.sys
    2006-10-19 21:15 5,248 --a------ D:\WINDOWS\system32\drivers\d347prt.sys
    2006-10-19 21:15 155,136 --a------ D:\WINDOWS\system32\drivers\d347bus.sys
    2006-10-19 14:12 73,728 --a------ D:\WINDOWS\ALCFDRTM.EXE
    2006-10-19 09:46 476,320 --------- D:\WINDOWS\system32\ImagXpr7.dll
    2006-10-19 09:46 471,040 --------- D:\WINDOWS\system32\ImagXRA7.dll
    2006-10-19 09:46 262,144 --------- D:\WINDOWS\system32\ImagXR7.dll
    2006-10-19 09:46 155,648 --a------ D:\WINDOWS\system32\NeroCheck.exe
    2006-10-19 09:46 106,496 --a------ D:\WINDOWS\system32\TwnLib20.dll
    2006-10-19 09:46 1,568,768 --------- D:\WINDOWS\system32\ImagX7.dll
    2006-10-18 08:36 2,297,552 --a------ D:\WINDOWS\system32\d3dx9_26.dll
    2006-10-17 23:44 17,920 --a------ D:\WINDOWS\system32\mdimon.dll
    2006-10-17 23:22 761,856 --a------ D:\WINDOWS\system32\xvidcore.dll
    2006-10-17 23:22 180,224 --a------ D:\WINDOWS\system32\xvidvfw.dll
    2006-10-17 23:01 778,656 --a------ D:\WINDOWS\system32\drivers\avg7core.sys
    2006-10-17 23:01 27,904 --a------ D:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-10-17 21:43 8,704 --a------ D:\WINDOWS\system32\kbdjpn.dll
    2006-10-17 21:43 8,192 --a------ D:\WINDOWS\system32\kbdkor.dll
    2006-10-17 21:43 6,144 --a------ D:\WINDOWS\system32\kbd106.dll
    2006-10-17 21:43 6,144 --a------ D:\WINDOWS\system32\kbd101c.dll
    2006-10-17 21:43 6,144 --a------ D:\WINDOWS\system32\kbd101b.dll
    2006-10-17 21:43 5,632 --a------ D:\WINDOWS\system32\kbd103.dll
    2006-10-17 21:31 26,496 --a------ D:\WINDOWS\system32\drivers\USBSTOR.SYS
    2006-10-17 20:52 176,167 --a------ D:\WINDOWS\system32\rmocx.dll
    2006-10-14 19:06 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
    2006-10-14 19:06 4,992 --a------ D:\WINDOWS\system32\drivers\avgtdi.sys
    2006-10-14 19:06 4,288 --a------ D:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-10-14 19:04 20,016 --------- D:\WINDOWS\system32\drivers\pxhelp20.sys
    2006-10-14 18:57 306,688 --a------ D:\WINDOWS\IsUninst.exe
    2006-10-14 18:56 82,944 --a------ D:\WINDOWS\system32\drivers\wdmaud.sys
    2006-10-14 18:56 7,552 --a------ D:\WINDOWS\system32\drivers\MSKSSRV.sys
    2006-10-14 18:56 60,800 --a------ D:\WINDOWS\system32\drivers\sysaudio.sys
    2006-10-14 18:56 6,400 --a------ D:\WINDOWS\system32\drivers\splitter.sys
    2006-10-14 18:56 54,272 --a------ D:\WINDOWS\system32\drivers\swmidi.sys
    2006-10-14 18:56 52,864 --a------ D:\WINDOWS\system32\drivers\DMusic.sys
    2006-10-14 18:56 5,376 --a------ D:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2006-10-14 18:56 4,992 --a------ D:\WINDOWS\system32\drivers\MSPQM.sys
    2006-10-14 18:56 2,944 --a------ D:\WINDOWS\system32\drivers\drmkaud.sys
    2006-10-14 18:56 171,776 --a------ D:\WINDOWS\system32\drivers\kmixer.sys
    2006-10-14 18:56 142,464 --a------ D:\WINDOWS\system32\drivers\aec.sys
    2006-10-14 18:55 9,684,480 --a------ D:\WINDOWS\RTLCPL.EXE
    2006-10-14 18:55 8,376,832 --------- D:\WINDOWS\RTHDCPL.exe
    2006-10-14 18:55 77,824 --a------ D:\WINDOWS\SoundMan.exe
    2006-10-14 18:55 60,288 --a------ D:\WINDOWS\system32\drivers\drmk.sys
    2006-10-14 18:55 57,344 --a------ D:\WINDOWS\ALCMTR.EXE
    2006-10-14 18:55 4,096 --------- D:\WINDOWS\system32\ksuser.dll
    2006-10-14 18:55 2,552,320 --a------ D:\WINDOWS\ALCWZRD.EXE
    2006-10-14 18:55 2,241,280 --a------ D:\WINDOWS\system32\drivers\RtkHDAud.sys
    2006-10-14 18:55 192,512 --a------ D:\WINDOWS\system32\RTCOMDLL.dll
    2006-10-14 18:55 156,160 --a------ D:\WINDOWS\system32\RtlCPAPI.dll
    2006-10-14 18:54 86,016 -ra------ D:\WINDOWS\system32\igfxdo.dll
    2006-10-14 18:54 766,576 -ra------ D:\WINDOWS\system32\ialmdd5.dll
    2006-10-14 18:54 737,874 -ra------ D:\WINDOWS\system32\drivers\ialmnt5.sys
    2006-10-14 18:54 61,440 -ra------ D:\WINDOWS\system32\iAlmCoIn_v3889.dll
    2006-10-14 18:54 495,616 -ra------ D:\WINDOWS\system32\igfxcfg.exe
    2006-10-14 18:54 495,616 -ra------ D:\WINDOWS\system32\ialmgdev.dll
    2006-10-14 18:54 49,152 -ra------ D:\WINDOWS\system32\ialmrem.dll
    2006-10-14 18:54 45,056 -ra------ D:\WINDOWS\system32\igfxdgps.dll
    2006-10-14 18:54 37,951 -ra------ D:\WINDOWS\system32\ialmrnt5.dll
    2006-10-14 18:54 36,864 -ra------ D:\WINDOWS\system32\igfxexps.dll
    2006-10-14 18:54 344,064 -ra------ D:\WINDOWS\system32\igfxsrvc.dll
    2006-10-14 18:54 225,280 -ra------ D:\WINDOWS\system32\igfxpph.dll
    2006-10-14 18:54 225,280 -ra------ D:\WINDOWS\system32\igfxeud.dll
    2006-10-14 18:54 2,289,664 -ra------ D:\WINDOWS\system32\ialmgicd.dll
    2006-10-14 18:54 159,744 -ra------ D:\WINDOWS\system32\igfxres.dll
    2006-10-14 18:54 155,648 -ra------ D:\WINDOWS\system32\igfxtray.exe
    2006-10-14 18:54 153,008 -ra------ D:\WINDOWS\system32\ialmdev5.dll
    2006-10-14 18:54 151,552 -ra------ D:\WINDOWS\system32\igfxdiag.exe
    2006-10-14 18:54 139,264 -ra------ D:\WINDOWS\system32\igfxdev.dll
    2006-10-14 18:54 126,976 -ra------ D:\WINDOWS\system32\igfxhk.dll
    2006-10-14 18:54 118,784 -ra------ D:\WINDOWS\system32\hkcmd.exe
    2006-10-14 18:54 118,784 -ra------ D:\WINDOWS\system32\hccutils.dll
    2006-10-14 18:54 114,688 -ra------ D:\WINDOWS\system32\igfxzoom.exe
    2006-10-14 18:54 110,592 -ra------ D:\WINDOWS\system32\igfxext.exe
    2006-10-14 18:54 100,924 -ra------ D:\WINDOWS\system32\ialmdnt5.dll
    2006-10-14 18:54 1,245,184 -ra------ D:\WINDOWS\system32\igfxress.dll
    2006-10-14 18:50 36,484 --a------ D:\WINDOWS\system32\drivers\SMBios.sys
    2006-10-14 18:41 112,128 --a------ D:\WINDOWS\system32\mapi32.dll
    2006-10-14 18:39 81,920 --a------ D:\WINDOWS\system32\isign32.dll
    2006-10-14 18:39 81,920 --a------ D:\WINDOWS\system32\ils.dll
    2006-10-14 18:39 8,192 --a------ D:\WINDOWS\system32\bitsprx2.dll
    2006-10-14 18:39 73,728 --a------ D:\WINDOWS\system32\icwdial.dll
    2006-10-14 18:39 73,472 --a------ D:\WINDOWS\system32\drivers\sr.sys
    2006-10-14 18:39 7,168 --a------ D:\WINDOWS\system32\bitsprx3.dll
    2006-10-14 18:39 69,632 --a------ D:\WINDOWS\system32\msconf.dll
    2006-10-14 18:39 678,400 --a------ D:\WINDOWS\system32\inetcomm.dll
    2006-10-14 18:39 67,584 --a------ D:\WINDOWS\system32\srclient.dll
    2006-10-14 18:39 65,536 --a------ D:\WINDOWS\system32\icwphbk.dll
    2006-10-14 18:39 64,512 --a------ D:\WINDOWS\system32\acctres.dll
    2006-10-14 18:39 6,656 --a------ D:\WINDOWS\system32\wuauserv.dll
    2006-10-14 18:39 48,128 --a------ D:\WINDOWS\system32\inetres.dll
    2006-10-14 18:39 45,568 --a------ D:\WINDOWS\system32\safrslv.dll
    2006-10-14 18:39 430,592 --a------ D:\WINDOWS\system32\wuapi.dll
    2006-10-14 18:39 43,520 --a------ D:\WINDOWS\system32\safrcdlg.dll
    2006-10-14 18:39 43,520 --a------ D:\WINDOWS\system32\racpldlg.dll
    2006-10-14 18:39 382,464 --a------ D:\WINDOWS\system32\qmgr.dll
    2006-10-14 18:39 36,864 --a------ D:\WINDOWS\system32\wups.dll
    2006-10-14 18:39 34,560 --a------ D:\WINDOWS\system32\mnmdd.dll
    2006-10-14 18:39 32,768 --a------ D:\WINDOWS\system32\mnmsrvc.exe
    2006-10-14 18:39 32,768 --a------ D:\WINDOWS\system32\isrdbg32.dll
    2006-10-14 18:39 29,696 --a------ D:\WINDOWS\system32\safrdm.dll
    2006-10-14 18:39 28,672 --a------ D:\WINDOWS\system32\nmmkcert.dll
    2006-10-14 18:39 274,944 --a------ D:\WINDOWS\system32\mstask.dll
    2006-10-14 18:39 274,432 --a------ D:\WINDOWS\system32\inetcfg.dll
    2006-10-14 18:39 252,928 --a------ D:\WINDOWS\system32\msoeacct.dll
    2006-10-14 18:39 239,104 --a------ D:\WINDOWS\system32\srrstr.dll
    2006-10-14 18:39 22,528 --a------ D:\WINDOWS\system32\fltMc.exe
    2006-10-14 18:39 190,976 --a------ D:\WINDOWS\system32\schedsvc.dll
    2006-10-14 18:39 183,296 --a------ D:\WINDOWS\system32\wuaueng1.dll
    2006-10-14 18:39 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
    2006-10-14 18:39 170,496 --a------ D:\WINDOWS\system32\srsvc.dll
    2006-10-14 18:39 165,888 --a------ D:\WINDOWS\system32\wuauclt1.exe
    2006-10-14 18:39 16,896 --a------ D:\WINDOWS\system32\fltlib.dll
    2006-10-14 18:39 16,384 --a------ D:\WINDOWS\system32\icfgnt5.dll
    2006-10-14 18:39 124,800 --a------ D:\WINDOWS\system32\drivers\fltMgr.sys
    2006-10-14 18:39 120,320 --a------ D:\WINDOWS\system32\wuweb.dll
    2006-10-14 18:39 12,288 --a------ D:\WINDOWS\system32\nmevtmsg.dll
    2006-10-14 18:39 12,288 --a------ D:\WINDOWS\system32\mstinit.exe
    2006-10-14 18:39 112,640 --a------ D:\WINDOWS\system32\wucltui.dll
    2006-10-14 18:39 111,104 --a------ D:\WINDOWS\system32\wuauclt.exe
    2006-10-14 18:39 11,264 --a------ D:\WINDOWS\system32\atrace.dll
    2006-10-14 18:39 105,984 --a------ D:\WINDOWS\system32\msoert2.dll
    2006-10-14 18:39 1,134,592 --a------ D:\WINDOWS\system32\wuaueng.dll
    2006-10-14 18:38 73,216 --a------ D:\WINDOWS\system32\avwav.dll
    2006-10-14 18:38 5,632 --a------ D:\WINDOWS\system32\write.exe
    2006-10-14 18:38 44,544 --a------ D:\WINDOWS\system32\hticons.dll
    2006-10-14 18:38 35,328 --a------ D:\WINDOWS\system32\winchat.exe
    2006-10-14 18:38 227,840 --a------ D:\WINDOWS\system32\avtapi.dll
    2006-10-14 18:38 16,384 --a------ D:\WINDOWS\system32\avmeter.dll
    2006-10-14 18:38 138,752 --a------ D:\WINDOWS\system32\sndvol32.exe
    2006-10-14 18:37 949,248 --a------ D:\WINDOWS\system32\msdtctm.dll
    2006-10-14 18:37 93,696 --a------ D:\WINDOWS\system32\tscfgwmi.dll
    2006-10-14 18:37 90,112 --a------ D:\WINDOWS\system32\mtxoci.dll
    2006-10-14 18:37 9,728 --a------ D:\WINDOWS\system32\reset.exe
    2006-10-14 18:37 87,176 --a------ D:\WINDOWS\system32\rdpwsx.dll
    2006-10-14 18:37 85,504 --a------ D:\WINDOWS\system32\catsrvps.dll
    2006-10-14 18:37 82,432 --a------ D:\WINDOWS\system32\comrepl.dll
    2006-10-14 18:37 80,384 --a------ D:\WINDOWS\system32\charmap.exe
    2006-10-14 18:37 67,072 --a------ D:\WINDOWS\system32\rdshost.exe
    2006-10-14 18:37 655,360 --a------ D:\WINDOWS\system32\mstscax.dll
    2006-10-14 18:37 628,224 --a------ D:\WINDOWS\system32\catsrvut.dll
    2006-10-14 18:37 62,464 --a------ D:\WINDOWS\system32\rdpclip.exe
    2006-10-14 18:37 62,464 --a------ D:\WINDOWS\system32\colbact.dll
    2006-10-14 18:37 605,696 --a------ D:\WINDOWS\system32\getuname.dll
    2006-10-14 18:37 60,416 --a------ D:\WINDOWS\system32\remotepg.dll
    2006-10-14 18:37 6,144 --a------ D:\WINDOWS\system32\msdtc.exe
    2006-10-14 18:37 58,880 --a------ D:\WINDOWS\system32\msdtclog.dll
    2006-10-14 18:37 58,880 --a------ D:\WINDOWS\system32\licwmi.dll
    2006-10-14 18:37 56,832 --a------ D:\WINDOWS\system32\sol.exe
    2006-10-14 18:37 56,320 --a------ D:\WINDOWS\system32\servdeps.dll
    2006-10-14 18:37 55,296 --a------ D:\WINDOWS\system32\freecell.exe
    2006-10-14 18:37 540,160 --a------ D:\WINDOWS\system32\comuid.dll
    2006-10-14 18:37 54,272 --a------ D:\WINDOWS\system32\stclient.dll
    2006-10-14 18:37 538,624 --a------ D:\WINDOWS\system32\spider.exe
    2006-10-14 18:37 501,248 --a------ D:\WINDOWS\system32\clbcatq.dll
    2006-10-14 18:37 5,120 --a------ D:\WINDOWS\system32\dcomcnfg.exe
    2006-10-14 18:37 44,544 --a------ D:\WINDOWS\system32\tscupgrd.exe
    2006-10-14 18:37 425,472 --a------ D:\WINDOWS\system32\msdtcprx.dll
    2006-10-14 18:37 407,552 --a------ D:\WINDOWS\system32\mstsc.exe
    2006-10-14 18:37 40,840 --a------ D:\WINDOWS\system32\drivers\termdd.sys
    2006-10-14 18:37 4,096 --a------ D:\WINDOWS\system32\rdpcfgex.dll
    2006-10-14 18:37 4,096 --a------ D:\WINDOWS\system32\mtxex.dll
    2006-10-14 18:37 38,912 --a------ D:\WINDOWS\system32\cfgbkend.dll
    2006-10-14 18:37 345,088 --a------ D:\WINDOWS\system32\hypertrm.dll
    2006-10-14 18:37 343,040 --a------ D:\WINDOWS\system32\mspaint.exe
    2006-10-14 18:37 33,792 --a------ D:\WINDOWS\system32\regini.exe
    2006-10-14 18:37 295,424 --a------ D:\WINDOWS\system32\termsrv.dll
    2006-10-14 18:37 25,600 --a------ D:\WINDOWS\system32\comaddin.dll
    2006-10-14 18:37 25,088 --a------ D:\WINDOWS\system32\mtxlegih.dll
    2006-10-14 18:37 229,888 --a------ D:\WINDOWS\system32\catsrv.dll
    2006-10-14 18:37 22,016 --a------ D:\WINDOWS\system32\qwinsta.exe
    2006-10-14 18:37 21,896 --a------ D:\WINDOWS\system32\drivers\tdtcp.sys
    2006-10-14 18:37 20,992 --a------ D:\WINDOWS\system32\msg.exe
    2006-10-14 18:37 20,480 --a------ D:\WINDOWS\system32\qprocess.exe
    2006-10-14 18:37 20,480 --a------ D:\WINDOWS\system32\mtxdm.dll
    2006-10-14 18:37 196,864 --a------ D:\WINDOWS\system32\drivers\rdpdr.sys
    2006-10-14 18:37 19,968 --a------ D:\WINDOWS\system32\rdpsnd.dll
    2006-10-14 18:37 185,344 --a------ D:\WINDOWS\system32\cmprops.dll
    2006-10-14 18:37 183,808 --a------ D:\WINDOWS\system32\accwiz.exe
    2006-10-14 18:37 17,408 --a------ D:\WINDOWS\system32\mmfutil.dll
    2006-10-14 18:37 161,280 --a------ D:\WINDOWS\system32\msdtcuiu.dll
    2006-10-14 18:37 16,896 --a------ D:\WINDOWS\system32\tsshutdn.exe
    2006-10-14 18:37 16,896 --a------ D:\WINDOWS\system32\qappsrv.exe
    2006-10-14 18:37 16,384 --a------ D:\WINDOWS\system32\tskill.exe
    2006-10-14 18:37 15,872 --a------ D:\WINDOWS\system32\rwinsta.exe
    2006-10-14 18:37 15,872 --a------ D:\WINDOWS\system32\cdmodem.dll
    2006-10-14 18:37 15,360 --a------ D:\WINDOWS\system32\logoff.exe
    2006-10-14 18:37 147,968 --a------ D:\WINDOWS\system32\rdchost.dll
    2006-10-14 18:37 147,456 --a------ D:\WINDOWS\system32\comsnap.dll
    2006-10-14 18:37 140,800 --a------ D:\WINDOWS\system32\sessmgr.exe
    2006-10-14 18:37 14,848 --a------ D:\WINDOWS\system32\tsdiscon.exe
    2006-10-14 18:37 14,848 --a------ D:\WINDOWS\system32\tscon.exe
    2006-10-14 18:37 14,848 --a------ D:\WINDOWS\system32\shadow.exe
    2006-10-14 18:37 139,400 --a------ D:\WINDOWS\system32\drivers\rdpwd.sys
    2006-10-14 18:37 131,584 --a------ D:\WINDOWS\system32\sndrec32.exe
    2006-10-14 18:37 13,824 --a------ D:\WINDOWS\system32\rdsaddin.exe
    2006-10-14 18:37 126,976 --a------ D:\WINDOWS\system32\mshearts.exe
    2006-10-14 18:37 123,392 --a------ D:\WINDOWS\system32\mplay32.exe
    2006-10-14 18:37 12,040 --a------ D:\WINDOWS\system32\drivers\tdpipe.sys
    2006-10-14 18:37 119,808 --a------ D:\WINDOWS\system32\winmine.exe
    2006-10-14 18:37 114,688 --a------ D:\WINDOWS\system32\calc.exe
    2006-10-14 18:37 110,080 --a------ D:\WINDOWS\system32\clbcatex.dll
    2006-10-14 18:37 11,776 --a------ D:\WINDOWS\system32\xolehlp.dll
    2006-10-14 18:37 11,264 --a------ D:\WINDOWS\system32\icaapi.dll
    2006-10-14 18:37 102,912 --a------ D:\WINDOWS\system32\clipbrd.exe
    2006-10-14 18:37 1,251,840 --a------ D:\WINDOWS\system32\comsvcs.dll
    2006-10-14 18:37 1,161 --a------ D:\WINDOWS\system32\usrlogon.cmd
    2006-10-14 18:35 57,472 --a------ D:\WINDOWS\system32\drivers\redbook.sys
    2006-10-14 18:35 3,072 --a------ D:\WINDOWS\system32\drivers\audstub.sys
    2006-10-14 18:35 20,992 --a------ D:\WINDOWS\system32\drivers\RTL8139.sys
    2006-10-14 18:34 74,240 --a------ D:\WINDOWS\system32\usbui.dll
    2006-10-14 18:34 5,504 --a------ D:\WINDOWS\system32\drivers\intelide.sys
    2006-10-14 18:33 85,020 --a------ D:\WINDOWS\system32\dgsetup.dll
    2006-10-14 18:33 8,704 --a------ D:\WINDOWS\system32\batt.dll
    2006-10-14 18:33 8,192 -ra------ D:\WINDOWS\system32\kbdhept.dll
    2006-10-14 18:33 74,752 --a------ D:\WINDOWS\system32\storprop.dll
    2006-10-14 18:33 7,168 -ra------ D:\WINDOWS\system32\kbdcz.dll
    2006-10-14 18:33 69,120 --a------ D:\WINDOWS\NOTEPAD.EXE
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdycl.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdsl1.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdsl.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdpl.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdhu.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdhela3.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdcz2.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdcz1.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\kbdcr.dll
    2006-10-14 18:33 6,656 -ra------ D:\WINDOWS\system32\KBDAL.DLL
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdtuq.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdtuf.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdlv1.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdlv.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdhela2.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdgkl.dll
    2006-10-14 18:33 6,144 -ra------ D:\WINDOWS\system32\kbdest.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdycc.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbduzb.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdur.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdtat.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdru1.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdru.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdro.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdpl1.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdmon.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdlt1.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdlt.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdkyr.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdkaz.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdhu1.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdhe319.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdhe220.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdhe.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdbu.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdblr.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdazel.dll
    2006-10-14 18:33 5,632 -ra------ D:\WINDOWS\system32\kbdaze.dll
    2006-10-14 18:33 24,661 --a------ D:\WINDOWS\system32\spxcoins.dll
    2006-10-14 18:33 176,157 --a------ D:\WINDOWS\system32\dgrpsetu.dll
    2006-10-14 18:33 15,360 --a------ D:\WINDOWS\TASKMAN.EXE
    2006-10-14 18:33 13,312 --a------ D:\WINDOWS\system32\irclass.dll
    2006-10-14 18:33 11,264 --a------ D:\WINDOWS\system32\drivers\irenum.sys
    2006-10-14 18:33 103,424 --a------ D:\WINDOWS\system32\EqnClass.Dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-10 16:06 -------- d-------- D:\Program Files\Smackdown 3
    2006-11-10 14:51 -------- d-------- D:\Program Files\THQ
    2006-11-06 22:43 -------- d-------- D:\Program Files\Musicnotes
    2006-11-06 22:35 -------- d-------- D:\Program Files\Guitartab.co.uk
    2006-11-06 21:38 -------- d-------- D:\Program Files\Maxis
    2006-11-06 08:26 -------- d-------- D:\Documents and Settings\jack\Application Data\WebCompiler3
    2006-11-06 07:23 -------- d-------- D:\Documents and Settings\jack\Application Data\Google
    2006-11-06 07:22 -------- d-------- D:\Program Files\Google
    2006-11-05 14:59 -------- d-------- D:\Program Files\BadCopy
    2006-11-02 15:01 -------- d-------- D:\Documents and Settings\jack\Application Data\Help
    2006-10-31 11:16 -------- d-------- D:\Program Files\Globe7
    2006-10-28 14:31 8 --a------ D:\Documents and Settings\jack\Application Data\NMM-MetaData.db
    2006-10-26 23:46 -------- d-------- D:\Program Files\DivX
    2006-10-26 06:47 -------- d-------- D:\Program Files\DIFX
    2006-10-26 06:47 -------- d-------- D:\Program Files\Common Files\Nokia
    2006-10-25 19:54 -------- d-------- D:\Documents and Settings\jack\Application Data\AdobeUM
    2006-10-24 11:44 -------- d-------- D:\Documents and Settings\jack\Application Data\FUJIFILM
    2006-10-23 16:03 12464 --a------ D:\WINDOWS\system32\drivers\secdrv.sys
    2006-10-23 11:39 -------- d-------- D:\Program Files\Nokia
    2006-10-23 11:39 -------- d-------- D:\Program Files\Common Files\PCSuite
    2006-10-23 11:17 -------- d-------- D:\Program Files\Ulead Systems
    2006-10-23 10:38 -------- d-------- D:\Documents and Settings\jack\Application Data\Ulead Systems
    2006-10-23 10:34 -------- d-------- D:\Program Files\Windows Media Components
    2006-10-23 10:34 -------- d-------- D:\Program Files\Common Files\Ulead Systems
    2006-10-22 23:10 -------- d-------- D:\Program Files\Replay Converter
    2006-10-21 21:20 -------- d-------- D:\Documents and Settings\jack\Application Data\DataLayer
    2006-10-21 21:17 -------- d-------- D:\Documents and Settings\jack\Application Data\Nokia
    2006-10-21 21:04 -------- d-------- D:\Program Files\Blaze Media Pro
    2006-10-21 21:03 -------- d-------- D:\Documents and Settings\jack\Application Data\Seven Zip
    2006-10-21 19:52 -------- d-------- D:\Documents and Settings\jack\Application Data\Nokia Multimedia Player
    2006-10-21 16:19 -------- d-------- D:\Documents and Settings\jack\Application Data\CyberLink
    2006-10-21 12:39 -------- d-------- D:\Program Files\PIXELA
    2006-10-21 12:38 -------- d-------- D:\Program Files\FinePixViewer
    2006-10-21 12:36 -------- d-------- D:\Program Files\CyberLink
    2006-10-20 21:39 -------- d-------- D:\Documents and Settings\jack\Application Data\PC Suite
    2006-10-20 21:34 -------- d-------- D:\Program Files\IVT Corporation
    2006-10-19 21:15 -------- d-------- D:\Program Files\D-Tools
    2006-10-19 21:09 -------- d-------- D:\Program Files\EA SPORTS
    2006-10-19 10:41 -------- d-------- D:\Program Files\GameSpy Arcade
    2006-10-19 09:46 -------- d-------- D:\Program Files\Common Files\Ahead
    2006-10-19 09:46 -------- d-------- D:\Program Files\Ahead
    2006-10-18 01:42 -------- d-------- D:\Program Files\Free Download Manager
    2006-10-18 01:42 -------- d-------- D:\Documents and Settings\jack\Application Data\Free Download Manager
    2006-10-18 01:15 -------- d-------- D:\Documents and Settings\jack\Application Data\Macromedia
    2006-10-18 01:11 -------- d-------- D:\Program Files\Rediff Toolbar
    2006-10-18 01:11 -------- d-------- D:\Program Files\Rediff Bol
    2006-10-18 01:11 -------- d-------- D:\Documents and Settings\jack\Application Data\Rediff.com
    2006-10-18 01:01 -------- d-------- D:\Program Files\Yahoo!
    2006-10-17 23:42 -------- d-------- D:\Program Files\Microsoft.NET
    2006-10-17 23:42 -------- d-------- D:\Program Files\Microsoft ActiveSync
    2006-10-17 23:40 -------- d-------- D:\Program Files\Microsoft Office
    2006-10-17 23:40 -------- d-------- D:\Program Files\Common Files\DESIGNER
    2006-10-17 23:38 -------- d-------- D:\Program Files\Quintessential Player
    2006-10-17 23:22 -------- d-------- D:\Program Files\XviD
    2006-10-17 23:15 -------- d-------- D:\Program Files\Common Files\xing shared
    2006-10-16 20:41 -------- d-------- D:\Documents and Settings\jack\Application Data\Microsoft Games
    2006-10-16 20:35 -------- d-------- D:\Program Files\Microsoft Games
    2006-10-14 19:14 -------- d-------- D:\Program Files\WinRAR
    2006-10-14 19:10 -------- d-------- D:\Program Files\Adobe
    2006-10-14 19:08 -------- d-------- D:\Program Files\Real
    2006-10-14 19:08 -------- d-------- D:\Program Files\Common Files\Real
    2006-10-14 19:08 -------- d-------- D:\Documents and Settings\jack\Application Data\Real
    2006-10-14 19:06 -------- d-------- D:\Program Files\Grisoft
    2006-10-14 19:06 -------- d-------- D:\Documents and Settings\jack\Application Data\AVG7
    2006-10-14 19:04 -------- d-------- D:\Program Files\WinZip
    2006-10-14 19:04 -------- d-------- D:\Program Files\Winamp
    2006-10-14 19:00 -------- d-------- D:\Documents and Settings\jack\Application Data\Microsoft Web Folders
    2006-10-14 18:57 -------- d-------- D:\Program Files\Common Files\Adobe
    2006-10-14 18:57 -------- d-------- D:\Documents and Settings\jack\Application Data\InterTrust
    2006-10-14 18:57 -------- d-------- D:\Documents and Settings\jack\Application Data\Adobe
    2006-10-14 18:55 -------- d-------- D:\Program Files\Realtek
    2006-10-14 18:51 -------- d--h----- D:\Program Files\InstallShield Installation Information
    2006-10-14 18:51 -------- d-------- D:\Program Files\Intel
    2006-10-14 18:51 -------- d-------- D:\Program Files\Common Files\InstallShield
    2006-10-14 18:47 -------- d--h----- D:\Program Files\Uninstall Information
    2006-10-14 18:47 -------- d-------- D:\Documents and Settings\jack\Application Data\Identities
    2006-10-14 18:41 -------- d-------- D:\Program Files\xerox
    2006-10-14 18:41 -------- d-------- D:\Program Files\microsoft frontpage
    2006-10-14 18:40 -------- d--h----- D:\Program Files\WindowsUpdate
    2006-10-14 18:39 -------- d-------- D:\Program Files\Outlook Express
    2006-10-14 18:39 -------- d-------- D:\Program Files\NetMeeting
    2006-10-14 18:39 -------- d-------- D:\Program Files\Movie Maker
    2006-10-14 18:39 -------- d-------- D:\Program Files\Internet Explorer
    2006-10-14 18:39 -------- d-------- D:\Program Files\Common Files\System
    2006-10-14 18:39 -------- d-------- D:\Program Files\Common Files\Services
    2006-10-14 18:39 -------- d-------- D:\Program Files\Common Files\MSSoap
    2006-10-14 18:38 -------- d-------- D:\Program Files\Windows Media Player
    2006-10-14 18:38 -------- d-------- D:\Program Files\Online Services
    2006-10-14 18:38 -------- d-------- D:\Program Files\MSN Gaming Zone
    2006-10-14 18:38 -------- d-------- D:\Program Files\Messenger
    2006-10-14 18:38 -------- d-------- D:\Program Files\ComPlus Applications
    2006-10-14 18:37 -------- d-------- D:\Program Files\Windows NT
    2006-10-14 18:37 -------- d-------- D:\Program Files\MSN
    2006-10-14 18:33 62 --ahs---- D:\Documents and Settings\jack\Application Data\desktop.ini
    2006-10-14 18:33 -------- d---s---- D:\Documents and Settings\jack\Application Data\Microsoft
    2006-10-14 18:33 -------- d-------- D:\Program Files\Common Files\SpeechEngines
    2006-10-14 18:33 -------- d-------- D:\Program Files\Common Files\ODBC
    2006-10-14 18:33 -------- d-------- D:\Program Files\Common Files\Microsoft Shared
    2006-10-14 18:33 -------- d-------- D:\Program Files\Common Files


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "PcSync"="D:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
    "MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="D:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="D:\\WINDOWS\\system32\\hkcmd.exe"
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "AlcWzrd"="ALCWZRD.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"
    "AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Google Desktop Search"="\"D:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
    "NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
    "DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "RemoteControl"="\"D:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "REGSHAVE"="D:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
    "PCSuiteTrayApplication"="D:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
    "Task Manager"="D:\\WINDOWS\\system\\svchost32.exe"
    "svchost"="D:\\WINDOWS\\system\\svhost.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoRun"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Completion time: 06-11-11 16:28:39.01
    D:\ComboFix2.txt ... 06-11-10 19:29
    D:\ComboFix.txt ... 06-11-11 16:28
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi jackson_love,

I noticed that the line to look for is present, so you can proceed with the second part of the fix, as posted here:

    http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html

    Then download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
• Click on "Local Disk (C: )" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Coolpics Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
• Start the Brute Force Uninstaller by double-clicking BFU.exe
• Behind the "Scriptline to execute" field, click the folder icon (http://metallica.geekstogo.com/foldericon.png) and select coolpics.bfu
• Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot your computer and check if it worked.

    For anyone else looking for help with this hijacker, follow the link I posted to find the fix.
    Let me know if it worked or not, but there is no need to post your combofix logs here. ;)
    Just look for the tell-tale line and proceed with the fix if it is present.

Anyone needing help is welcome to ask, but please start your own thread.
    Do not become a hijacker yourself. :D

    Regards,

    Pieter
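The autostart entries a reviewer would flag in the log above sit under "Reg Loading Points": two HKLM Run values named "Task Manager" and "svchost" that launch svchost32.exe and svhost.exe from D:\WINDOWS\system (the legacy folder, not system32), and NoRun=1 under HKCU policies\explorer, the policy that removes the Run item from the Start menu. The genuine svchost.exe is started by the Service Control Manager from the Services key and never appears as a Run value, so any svchost-looking name under Run is an impersonation. The following Python script is an added example for this thread, not ComboFix, Brute Force Uninstaller or the coolpics.bfu script, and it does not describe what the geekstogo fix does; it parses a ComboFix-style "Reg Loading Points" dump and reports such entries. The function names, the look-alike file name list and the flagged policy names are my own assumptions; the sample input is the relevant lines copied from the log posted above.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix, Brute Force Uninstaller
or the coolpics.bfu script, and its heuristics are this reviewer's
assumptions about what to flag, not a description of what the fix does.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the relevant lines copied from the log posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"PcSync"="D:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="D:\\WINDOWS\\system32\\igfxtray.exe"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Task Manager"="D:\\WINDOWS\\system\\svchost32.exe"
"svchost"="D:\\WINDOWS\\system\\svhost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRun"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)

# File names that imitate the real svchost.exe.  The genuine one is started by the
# Service Control Manager from the Services key, never from a Run value, so any of
# these under Run is an impersonation regardless of folder.  (Assumed list.)
LOOKALIKE_NAMES = {"svchost.exe", "svhost.exe", "svchost32.exe", "scvhost.exe", "svch0st.exe"}

# Explorer/System policies that hide or disable the tools a user reaches for first.
POLICY_LOCKDOWNS = {"norun", "disabletaskmgr", "disableregistrytools"}

Finding = Tuple[str, str, str, str]  # (key, value name, path or data, reason)


def parse_reg_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [key] to its (value name, raw data) pairs; keys are lower-cased."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current].append((m.group(1), m.group(2)))
    return entries


def unescape(data: str) -> str:
    """Turn .reg-style string data back into the literal command line."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\"', '"').replace('\\\\', '\\')


def image_path(command: str) -> str:
    """Extract the executable path from a Run command line (quoted or not)."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def find_suspicious(entries: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    """Apply the two Run heuristics and the policy check; one finding per entry."""
    findings: List[Finding] = []
    for key, values in entries.items():
        if key.endswith("\\run") or key.endswith("\\runonce"):
            for name, data in values:
                path = image_path(unescape(data))
                folder, _, exe = path.rpartition("\\")
                if exe.lower() in LOOKALIKE_NAMES:
                    findings.append((key, name, path, "impersonates svchost.exe"))
                elif folder.lower().endswith("\\windows\\system"):
                    # The 16-bit-era WINDOWS\system folder, not system32: an odd home
                    # for an autostart program on XP and worth a look on its own.
                    findings.append((key, name, path, "runs from legacy WINDOWS\\system"))
        elif key.endswith("\\policies\\explorer") or key.endswith("\\policies\\system"):
            for name, data in values:
                if name.lower() in POLICY_LOCKDOWNS and data.lower() != "dword:00000000":
                    findings.append((key, name, data, "tool disabled by policy"))
    return findings


def triage(log_text: str) -> List[Finding]:
    return find_suspicious(parse_reg_loading_points(log_text))


if __name__ == "__main__":
    for key, name, what, why in triage(SAMPLE_LOG):
        print(f'{why}: "{name}" = {what}\n    in [{key}]')
```

Run against the sample it reports exactly the two impersonating Run values and the NoRun policy, and nothing for the legitimate Yahoo, Nokia, Intel, Realtek and AVG entries. Pasting a whole ComboFix log into SAMPLE_LOG works as well, since the parser only reacts to `[key]` and `"name"=data` lines.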
     
  19. jackson_love

    jackson_love Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    2
Thank you Pieter, it's good now... lots and lots of praise for you. :)
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Glad we could help. :cool:
     
  21. crazy_cool2k

    crazy_cool2k Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    13
    Hey Pieter,

    Thanks for all the help.
Thanks to you, both my sister's computer and my own are now free of the virus.

    Thanks again,
    Mahesh R Shetty
    Mumbai, India.
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    You are welcome. :cool:
     
  23. lovelysumi

    lovelysumi Registered Member

    Joined:
    Nov 13, 2006
    Posts:
    6
    Location:
    Malaysia
    Hi Pieter....

THANK YOU VERY MUCH :-* ..... you've solved my problem...

    you are the BEST :thumb:

    regards,
    sumi
    Malaysia
     
  24. chilidog

    chilidog Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    1
Hey guys, I landed here from the WWW in search of help after my wife accidentally F'ed up by clicking some junk that came through Yahoo IM. I can't thank you enough, specifically Pieter..... you guys rock. C-ya in cyberspace...

    chili D:D :D :D

    oh yeah, Tampa FL USA!!!
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thank you for taking the time to register and let us know. :)

    Don't be a stranger now.
     