1
Tech Clinic / some help cleaning up F***ing malware
« on: November 19, 2005, 11:47:00 PM »
things seem ok, except i still have the WebNexus thing in my list of add/remove programs.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Tech Clinic / some help cleaning up F***ing malware
« on: November 19, 2005, 08:05:29 PM »
Logfile of HijackThis v1.99.1
Scan saved at 8:04:50 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Scan saved at 8:04:50 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
3
Tech Clinic / some help cleaning up F***ing malware
« on: November 17, 2005, 08:12:50 PM »
Logfile of HijackThis v1.99.1
Scan saved at 6:16:15 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------\
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
---------------------------------------------------------------
Incident Status Location
Adware:Adware/BookedSpace No disinfected C:\!KillBox\Oqulumfr.dll
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\owzz.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\pqaawi.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\WGUUP.DAT
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Installer.class]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\System Files\plugin.dll
Adware:adware/ncase No disinfected C:\WINDOWS\180ax_gdf.dat
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF
Adware:adware program No disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini
Scan saved at 6:16:15 PM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------\
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
---------------------------------------------------------------
Incident Status Location
Adware:Adware/BookedSpace No disinfected C:\!KillBox\Oqulumfr.dll
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\owzz.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\pqaawi.exe
Adware:Adware/ClkOptimizer No disinfected C:\!KillBox\WGUUP.DAT
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-19e4f6fb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-26de0658-654e1476.zip[Installer.class]
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\System Files\plugin.dll
Adware:adware/ncase No disinfected C:\WINDOWS\180ax_gdf.dat
Spyware:spyware/virtumonde No disinfected C:\WINDOWS\bsx32.ini
Adware:adware/bookedspace No disinfected C:\WINDOWS\bxxs5.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF
Adware:adware program No disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta33.ini
4
Tech Clinic / some help cleaning up F***ing malware
« on: November 16, 2005, 10:57:12 PM »
heres the info. If you ever need any orthopedic surgery advice, feel free to ask 
http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'
\' />
Logfile of HijackThis v1.99.1
Scan saved at 10:53:06 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:43:10 PM, 11/16/2005
+ Report-Checksum: DE1BCE50
+ Scan result:
No infected objects found.
::Report End
-------------------------------------------
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\chris\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
-----------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
\' /> Logfile of HijackThis v1.99.1
Scan saved at 10:53:06 PM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
---------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:43:10 PM, 11/16/2005
+ Report-Checksum: DE1BCE50
+ Scan result:
No infected objects found.
::Report End
-------------------------------------------
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\chris\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
-----------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
5
Tech Clinic / some help cleaning up F***ing malware
« on: November 14, 2005, 08:16:21 PM »
here are the results from both programs. Thanks for helping
____
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"DVDTray"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"nForce Tray Options"="sstray.exe /r"
"APD123"="C:\\WINDOWS\\system32\\APD123.exe"
"DVDBitSet"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
"oedaeeh"="C:\\WINDOWS\\oedaeeh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG7\avgse.dll
Subkey --- EzCddax
{46E22146-59C0-4136-9233-52E412E2B428}
C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll
Subkey --- msyyfnqm
{9ea60b27-572a-4dcd-a993-c8919caf377c}
C:\WINDOWS\system32\kqmmf.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
owzz.exe
==============================
C:\Documents and Settings\chris\Start Menu\Programs\Startup
desktop.ini
owzz.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
ImageDrive.cpl Ahead Software AG
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sscpl.cpl NVIDIA Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
------------------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\docume~1\alluse~1\startm~1\programs\startup\OWZZ.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
owzz.exe
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OWZZ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]
@="{9ea60b27-572a-4dcd-a993-c8919caf377c}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
____
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"DVDTray"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDTray.exe\""
"nForce Tray Options"="sstray.exe /r"
"APD123"="C:\\WINDOWS\\system32\\APD123.exe"
"DVDBitSet"="\"C:\\Program Files\\HP DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
"oedaeeh"="C:\\WINDOWS\\oedaeeh.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG7\avgse.dll
Subkey --- EzCddax
{46E22146-59C0-4136-9233-52E412E2B428}
C:\Program Files\Easy CD-DA Extractor 8\ezcddax8.dll
Subkey --- msyyfnqm
{9ea60b27-572a-4dcd-a993-c8919caf377c}
C:\WINDOWS\system32\kqmmf.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
owzz.exe
==============================
C:\Documents and Settings\chris\Start Menu\Programs\Startup
desktop.ini
owzz.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
ImageDrive.cpl Ahead Software AG
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sscpl.cpl NVIDIA Corporation
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
------------------------------------------
Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\chris\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\docume~1\alluse~1\startm~1\programs\startup\OWZZ.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
owzz.exe
User Startup:
C:\Documents and Settings\chris\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\NECCVO.DAT
C:\WINDOWS\SYSTEM32\PQAAWI.EXE
C:\WINDOWS\SYSTEM32\WGUUP.DAT
C:\WINDOWS\SYSTEM32\KQMMF.DLL
C:\WINDOWS\SYSTEM32\ISPPEOA.DLL
C:\WINDOWS\SYSTEM32\JVVVFSC.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\OWZZ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\msyyfnqm]
@="{9ea60b27-572a-4dcd-a993-c8919caf377c}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\pqaawi.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
6
Tech Clinic / some help cleaning up F***ing malware
« on: November 12, 2005, 10:02:08 PM »
any and all help is appreciated. I believe my problem is:
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
and the stupid web-nexus thing.
THanks a bunch
chris
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:58:38 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
and the stupid web-nexus thing.
THanks a bunch
chris
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:58:38 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\chris\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {B811A8D9-94B3-9534-136A-74D4345106D1} - C:\WINDOWS\Oqulumfr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pqaawi.exe reg_run
O4 - HKLM\..\Run: [oedaeeh] C:\WINDOWS\oedaeeh.exe
O4 - HKCU\..\Run: [SpyRemover TeaTimer] C:\Program Files\SpyRemover\TeaTimer.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - https://emr.kcms.msu.edu/Touchworks/AHSCompressionEngine.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab\' target=\'_blank\' rel=\'nofollow\'>http://by103fd.bay103.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121630781625
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - https://emr.kcms.msu.edu/TouchWorks/DocWork.../Note/TWRTF.cab
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://emr.kcms.msu.edu/Touchworks/DictateBar.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - https://emr.kcms.msu.edu/TouchWorks//Docwor...aic_viewer2.cab
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} (Clipboard Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXWFCB.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} (IDXTimeOut Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXTools.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - https://emr.kcms.msu.edu/ahsweb/IDXWF/Context/IDXBrowser.cab
O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - https://pacs.bronsonhg.org/public/accuradimage.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Pages: [1]