Common Name removal help


  • This topic is locked
14 replies to this topic

#1 oxjeremy334


Posted 24 June 2007 - 09:59 PM

My system seems to keep getting more and more sluggish as the days wear on. My computer is about 4 years old, but it still should have more power than it is producing (2.8 GHz PIV with 1 GB of RAM). I ran AVG a couple of times in safe mode, but can't seem to save the logfile (it says I must reboot before changes take effect), and the only thing that I can't delete is the Common Name prog. I have done Ad-Aware and Spybot. Here is my HijackThis log. I think that I may need some major cleaning.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:03 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P32 "EPSON Stylus C82 Series (Copy 1)" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [bApHR1Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgpGUwEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YI0HXg1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZMpGT1ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZIVHWAox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fUFGQk1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZkFJVA1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cwpHYk1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QQVGRAUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cEFHUkUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYFGZ5ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dkpGSkEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZwVHW5Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aQ0GRs1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QEVJU1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cYpHXwox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgFJQgUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dA0HVw1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eMVGYg1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aEVJS9Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QYFGVgUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bgpGQ9ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RAVHTgow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bM0GW9Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eIFJRo1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aUpHU91w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eQpGYo1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bAFHR1Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fMVGWoUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bIVJZ1ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eU0HSwEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Yk0GV1Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewVHQw1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYpHU1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fEFJXwox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bUpHSgUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ckVGVw1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YwFHYg1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dQFGR9Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEpGWgUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fAVHQ9ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Qg0GToow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQFGS5ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cEFJVkox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YYVHY51v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eg0GTk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZAFHW51x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fQpHZsUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEpGV5Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cY0HYsov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YgFGRcEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cAVJUsEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZMFGZc1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dI0GSAow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZUVHVcox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fE0GRg1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QUFHV51w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQVGYk1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RwpGT5Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YM0HWkUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ek0GZ5ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aUVJSsEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fQpHY5Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bwFJRs1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fYFHUcow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YEVGZsox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eAFHScUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YQ0HVA1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fwpGYc1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYVHUAEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fEFGXkUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YAFJQAov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cgpHTkow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YI0GYAEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUFHRk1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEVGU51w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fApGQkox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Qg0HT1Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cI0GWwUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RMVJZ11x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dkFGUwEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RwFJXgEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fgpHR1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewpGXAow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQFHQkEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fEVGTA1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bAVJYk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Yw0GUkUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eQVHX5Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEpHTk1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fYFJW1Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZgpHZwEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cIVGS1ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YMFHXwow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dEFGQgox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYpGTw1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dgVHZg1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QA0GSw1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cMVHVgUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QkpHY9Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUFJTgov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RQ0HW9ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dAVGZoEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QMVJT91v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aIFGYo1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QU0GR1ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQVHUoUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Rw0GZ1Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cgVJT9Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cwpHWwUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYpGSgUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fg0HVwov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZApGYgow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cMVJR9Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QwFGWg1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cYFJZ91w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEVHSoox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dAVGY9Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZMFHRoUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aIpHU11x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QUpGXoEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ck0HS1Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RAFGVwov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dgVJY1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RIpHSwox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aU0GX11v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QkVHQw1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [awVGTg1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RQFJYwUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bE0HRgUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eMpGU9ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [akVJYgEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewFGT9Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QE0HQkEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cM0GV51v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RkVHYk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUFGR5ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RQFJWkUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [awpHZ5Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QYVGTs1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [agFHW5Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RAFGRsEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQpGUcov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Rw0HXsow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aY0GQcox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eEVJVA1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aApHZc1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fMFJSA1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bIFHXcUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RUVGQAUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YEFHTkov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eA0HWAEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fIVHV51v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bUFGYoow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ckFJR1ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YwpHWwUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cQ0GZ11w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZIFHSw1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fMVGXgEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZkpGRwUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cw0HUgov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QQ0GXwow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cEVHSgox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZYpHV91v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dkFJYg1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZUpHR91x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\

#2 oxjeremy334

Member • Full Member • 7 posts

Posted 24 June 2007 - 10:02 PM

O4 - HKLM\..\Run: [QYpHT1ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bgFJWwUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RAFHZ11w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bMVGSw1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eIVJXgEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YU0HQwUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ekpGTgov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bAVHZ9ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fMFGSgEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bIFJV91v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cUpHYo1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YkVGT5ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewFHWsUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZQVGZ5Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fEpGTs1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZU0HYcEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ck0GRsEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YwVJUcov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dQpHZAow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZEFJScox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dAVHVA1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QgVGZk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cIFHUA1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QQ0HXkUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dEpGQAUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RYVHVkov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dgFGY5Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QIVJRkEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aMpHV51v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Qk0GQsow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bYFHT5ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgVGWsUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dApGZc1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eM0HUs1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [akpGXcEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fUVJRAUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bQFGWcov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RwFJZAow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YMVHScEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eIVGVA1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YUFHQk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fQ0HTAox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bwpGXoUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bIpGW9Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RUFHZoUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dkFGS9ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewVJXoow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aQVHQ1Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eE0GTo1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bYFHY11w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgpHSoox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bwpGV1Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eQ0HYwUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YEVGT11x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eYVJWwEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bgFGZgEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fA0GSwov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bMVHYgow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cEVGR9ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YYFJUg1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fgpHZ91w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZApGSk1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fMFHV5Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QkFGYsUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cUVJU5ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YQVHXsEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dA0GQcEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZMVHTs1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dIpHYcow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QUFJRAox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cQ0HUcUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QwVGQA1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dYVJTk1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [REFGWAEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUpGZkUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QkVHUAov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aw0GXkow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QYFJQ5Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bEpHUk1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RApGZ51w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [agFHSsox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eIVGV5Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aQVJQsUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fE0HTc1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bA0GWsEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgVHQcEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dAFGV1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cgFHZAow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZIpHUkEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUpGXA1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [Zk0HQk1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [awFGT5ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QQVJZkUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cEpHS5Ux] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RM0GVs1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dkVHY5Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ewVGTsEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aQFJWcov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QE0HZsow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bYpGVcox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RgVJYs1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bAFGRc1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eQVJUA1x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aEVHZcUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eY0GSAUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bgFHVkov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fApHZ9Ew] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bMpGUoEx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eI0HX11v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [YUVGQoow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [egVJV1ox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZAFGYwUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aI0HX1Uw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RU0GQoUx] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bEVHU1ov] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RApHXoEw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [agFJS1Ex] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [eI0HVw1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [bMVGY1ow] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [fkFHRwox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [aYVGXs1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ckVJRg1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [QwpHW91x] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RMpGYcUx] C:\PROGRA~1\wqxoxrwq\ZoACD4RN.exe
O4 - HKLM\..\Run: [eQFJWsox] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [dUFJV11w] C:\PROGRA~1\wqxoxrwq\eQQDEkBN.exe
O4 - HKLM\..\Run: [aMpGY1ow] C:\PROGRA~1\wqxoxrwq\fAQAEcBN.exe
O4 - HKLM\..\Run: [dIVJTkEx] C:\PROGRA~1\wqxoxrwq\YcgCEsRN.exe
O4 - HKLM\..\Run: [aUFGZkow] C:\PROGRA~1\wqxoxrwq\YcgCEsRN.exe
O4 - HKLM\..\Run: [aYpGVsEx] C:\PROGRA~1\wqxoxrwq\aAwDAgBN.exe
O4 - HKLM\..\Run: [dUVHXsUw] C:\PROGRA~1\wqxoxrwq\GEADEAgN.exe
O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKLM\..\Run: [eYpHQ91v] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [QgFGU5Ex] C:\PROGRA~1\wqxoxrwq\RQwDH4BL.exe
O4 - HKLM\..\Run: [RMpGZgov] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [agVHSgEx] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eQVJX51x] C:\PROGRA~1\wqxoxrwq\fAgCFkBN.exe
O4 - HKLM\..\Run: [QEFHRs1v] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [cA0HVw1v] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [cAVJSsUx] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [ckpGV1Ex] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [dgVJZk1x] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YUFHRwov] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [ZU0HSoEw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [YQVGRs1w] C:\PROGRA~1\wqxoxrwq\RQwDH4BL.exe
O4 - HKLM\..\Run: [RApHS5ow] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fApGXkUx] C:\PROGRA~1\wqxoxrwq\RQwDH4BL.exe
O4 - HKLM\..\Run: [ewFJU11w] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fIFJWsUx] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [YMVGRcEx] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [aYFHRcUw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [QMFJYwEw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [dEpHU9Uw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [cMpHX1Uw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fkpGSkEw] C:\PROGRA~1\wqxoxrwq\RQwDH4BL.exe
O4 - HKLM\..\Run: [dwFJQ5Ux] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [YkFJYgEw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [RIpHYw1x] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fIVGSA1w] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [RgVGXoox] C:\PROGRA~1\wqxoxrwq\RQwDH4BL.exe
O4 - HKLM\..\Run: [QQpHQ1Ex] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [bQFHY1Ex] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fw0GXgow] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fYFJT5Ux] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [RYFJYw1v] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [fQFHW5Ux] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [dIVJWkov] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [cgpHXoEw] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [cIpHW91v] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [dgpGSo1x] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [ckFHWwox] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [fQpGTAow] C:\PROGRA~1\wqxoxrwq\ZcgCEwxM.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Jeremiah\Client\HelpExp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
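
The pattern visible in the log above (a large number of randomly named Run values that all point into one folder) can be picked out mechanically. The following Python script is an added example, not part of the original posts and not a HijackThis feature: it groups O4 Run entries by target folder and reports folders with unusually many autostart values. The function names and the threshold of 3 are assumptions, and the sample is a trimmed set of lines copied from the log in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Trimmed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [fYVJQcUw] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [ZgVHTA1w] C:\PROGRA~1\wqxoxrwq\Z0RCfwRN.exe
O4 - HKLM\..\Run: [RMpGYcUx] C:\PROGRA~1\wqxoxrwq\ZoACD4RN.exe
O4 - HKLM\..\Run: [dUFJV11w] C:\PROGRA~1\wqxoxrwq\eQQDEkBN.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Jeremiah\Client\HelpExp.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

# "O4 - HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')

# Executable part of the command: a quoted path, or an unquoted path
# (which may contain spaces) up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', re.I)


def executable_of(command):
    """Return the program path from a Run value's command line."""
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0]  # fallback: first whitespace-delimited token


def parse_run_entries(log_text):
    """Yield (hive, key, value_name, executable) for each O4 registry entry."""
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            yield hive, key, name, executable_of(command)


def suspicious_dirs(log_text, min_values=3):
    """Folders that at least `min_values` distinct Run values point into.

    Returns [(folder_lowercased, value_count, sorted_executable_names)],
    highest value count first. Bare program names resolved through PATH
    (e.g. RUNDLL32.EXE, nwiz.exe) carry no folder and are skipped.
    """
    values = defaultdict(set)
    executables = defaultdict(set)
    for _hive, _key, name, exe in parse_run_entries(log_text):
        folder = ntpath.dirname(exe).lower()
        if not folder:
            continue
        values[folder].add(name)
        executables[folder].add(ntpath.basename(exe))
    hits = [
        (folder, len(names), sorted(executables[folder]))
        for folder, names in values.items()
        if len(names) >= min_values
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for folder, count, exes in suspicious_dirs(SAMPLE_LOG):
        print(f"{count} Run values -> {folder}: {', '.join(exes)}")
```

Run against a full log, the same grouping also shows how many different executables in the folder are being launched, which is useful when checking that every related entry has been selected for fixing.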

#3 SWI Support Robot

Helper robot • SWI Bot • 23,523 posts

Posted 27 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Angelfire777

Posted 29 June 2007 - 11:25 PM

Hi, welcome to SpywareInfo!

"I think that I may need some major cleaning."


Right you are my friend, your computer is quite a mess. I'll try my best to help you :)


*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Party Poker
The sites on which you play these games can serve as vectors for malware to come into your system. If you do not play this game, I recommend you uninstall it. However, if you want to play, this one is a free, good and clean alternative: www.pokerstars.net

WinPcap
Please uninstall this program if you did not intentionally install it as it can be a way for malware to enter your system.

MessengerPlus3
This program normally comes with a sponsor program during setup and that sponsor program is a known malware called LOP. If you know that you have installed MessengerPlus3 without installing the sponsor program during setup, you may keep it. If not, I recommend that you uninstall MessengerPlus3.

*Reboot
_____________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm


Also, please fix all O4 entries in your log that have this folder in them: C:\PROGRA~1\wqxoxrwq

The following is a registration reminder that is used by several companies. It is also believed to report back to the installing company some information about your computer. I recommend that you fix it.

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe


Fix the following if you uninstalled Party Poker.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)


Fix the following if you uninstalled WinPcap

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Fix the following if you uninstalled MessengerPlus3

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

Using windows explorer, please delete this folder: C:\program files\wqxoxrwq

Delete the following folders if you uninstalled their corresponding programs:

C:\Program Files\PartyPoker
C:\Program Files\WinPcap
C:\Program Files\MessengerPlus! 3

Empty your recycle bin.

Reboot to normal mode.
____________
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Please post back with the Kaspersky scan log, a fresh HijackThis log and a description of how your machine is running.

Edited by Angelfire777, 29 June 2007 - 11:26 PM.


#5 oxjeremy334

Posted 03 July 2007 - 03:57 PM

Sorry about the delay, I was on vacation. I will post after the clean. I can't get rid of that one folder with the cnml.exe file in it. Overall, my computer starts faster, but I know that there are still some probs.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 03, 2007 7:47:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/07/2007
Kaspersky Anti-Virus database records: 357449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 149278
Number of viruses found: 14
Number of infected objects: 41
Number of suspicious objects: 2
Duration of the scan process: 02:09:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload5.zip/iedclean.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08380000.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08380001.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09400000.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09400001.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09400002.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09400003.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E4C0000.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E4C0001.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0000.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0001.VBN Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\history.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\key3.db Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-6667b477/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-6667b477 ZIP: infected - 1 skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-3c16f537/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-3c16f537 ZIP: infected - 1 skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-7654fa45.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-7654fa45.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-53cc6269.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Jeremiah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-53cc6269.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jeremiah\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Application Data\Mozilla\Firefox\Profiles\0xc6r1sv.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\couponsandoffers.exe/data0120 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\couponsandoffers.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\me_LaiCwFFEHC7nMPz Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\me_S62PPX43o77WjB2 Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\me_swSKC96XdeclkJU Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\me_YmmQd90EmpQugKM Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeremiah\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alset\HXDLAZCS.EXE Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Windows Update\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\Program Files\Windows Update\rconnect.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.312b skipped
C:\Program Files\WindowsUpdate\rpc.exe/universal.exe Infected: Exploit.Win32.DCom.i skipped
C:\Program Files\WindowsUpdate\rpc.exe Vise: infected - 1 skipped
C:\Program Files\WinXpSp2\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\Program Files\WinXpSp2\rconnect.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.312b skipped
C:\Program Files\wqxoxrwq\cnml.exe Infected: not-a-virus:AdWare.Win32.CommonName.l skipped
C:\QBA\xolox1.57.exe/data0003 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\QBA\xolox1.57.exe/data0004 Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\QBA\xolox1.57.exe NSIS: infected - 7 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\winik.sys Infected: Rootkit.Win32.Agent.q skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Xbox\Mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\Xbox\overnet0.52.exe/data0014/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\Xbox\overnet0.52.exe/data0014 Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\Xbox\overnet0.52.exe NSIS: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 7:49:21 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P32 "EPSON Stylus C82 Series (Copy 1)" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Jeremiah\Client\HelpExp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by oxjeremy334, 03 July 2007 - 07:50 PM.
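
The Kaspersky report in post #5 mixes a handful of detections with dozens of "Object is locked" lines for files Windows keeps open. The sketch below is an added illustration, not part of any poster's message: it reduces such a report to the on-disk files that carry detections. The line pattern is inferred only from the report lines in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the Kaspersky Online Scanner report in post #5.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TurboDownload5.zip/iedclean.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\Jeremiah\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\couponsandoffers.exe/data0120 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Documents and Settings\Jeremiah\Local Settings\Temp\couponsandoffers.exe NSIS: infected - 1 skipped
C:\Program Files\WindowsUpdate\rpc.exe/universal.exe Infected: Exploit.Win32.DCom.i skipped
C:\Program Files\WindowsUpdate\rpc.exe Vise: infected - 1 skipped
C:\QBA\xolox1.57.exe/data0003 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\QBA\xolox1.57.exe/data0004/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\QBA\xolox1.57.exe NSIS: infected - 7 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\winik.sys Infected: Rootkit.Win32.Agent.q skipped
"""

# A report line is: <path> <verdict> <last action>. Paths contain spaces, so the
# path is matched lazily and the verdict anchors the split. Three verdict shapes
# appear in this thread's report (assumption: other reports may contain more).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<kind>Infected|Suspicious):\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[A-Za-z0-9]+):\s+(?:infected|suspicious)\s+-\s+(?P<count>\d+))"
    r"\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one report line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path = m.group("path")
    if m.group("locked"):
        verdict, name = "locked", None
    elif m.group("container"):
        # Per-archive summary such as "NSIS: infected - 7"; members are listed separately.
        verdict, name = "container-summary", None
    else:
        verdict, name = m.group("kind").lower(), m.group("name")
    return {
        "path": path,
        # Windows paths use "\"; the report uses "/" for members inside an archive,
        # so everything before the first "/" is the file that exists on disk.
        "disk_file": path.split("/", 1)[0],
        "verdict": verdict,
        "name": name,
        "action": m.group("action"),
    }


def triage(report_text):
    """Group detections by on-disk file and drop the locked-file noise."""
    infected = defaultdict(set)
    suspicious = set()
    locked = 0
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["verdict"] == "locked":
            locked += 1          # file in use (registry hive, index.dat), not a detection
        elif rec["verdict"] == "suspicious":
            suspicious.add(rec["disk_file"])
        elif rec["verdict"] == "infected":
            infected[rec["disk_file"]].add(rec["name"])
    malware, riskware = {}, {}
    for disk_file, names in infected.items():
        # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
        only_riskware = all(n.startswith("not-a-virus:") for n in names)
        (riskware if only_riskware else malware)[disk_file] = sorted(names)
    return {"malware": malware, "riskware": riskware,
            "suspicious": sorted(suspicious), "locked": locked}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("malware", "riskware"):
        for disk_file, names in sorted(result[bucket].items()):
            print(f"{bucket:9} {disk_file}  ->  {', '.join(names)}")
    print("suspicious:", result["suspicious"])
    print("locked (ignored):", result["locked"])
```

A "not-a-virus" verdict still deserves a look at where the file sits: a legitimate tool found in a folder that imitates a system path is treated differently from the same tool in its normal install location.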


#6 Angelfire777

Posted 04 July 2007 - 04:43 AM

Hi,

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

Aveo Attune
If ever you use this program, please uninstall it as it has an adware component which could bring popups to your machine.


Clear your Java Cache:
  • Go to Start > Control Panel, then double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
_____________
Update AVG Anti-Spyware
  • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware. DO NOT scan yet.
Download ATF Cleaner

Do not use it yet.
_____________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Jeremiah\Client\HelpExp.exe


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Using Windows Explorer, find and delete these files:

C:\Program Files\Windows Update\psexec.exe
C:\Program Files\Windows Update\rconnect.exe
C:\Program Files\WindowsUpdate\rpc.exe
C:\Program Files\WinXpSp2\psexec.exe
C:\Program Files\WinXpSp2\rconnect.exe
C:\QBA\xolox1.57.exe
C:\WINDOWS\system32\drivers\winik.sys
C:\Xbox\overnet0.52.exe
C:\Documents and Settings\Jeremiah\Local Settings\Temp\couponsandoffers.exe

Delete the following folders:

C:\Program Files\Alset
C:\Program Files\wqxoxrwq

Empty the contents of this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

Empty your recycle bin.
______________

Important: Make sure all your browsers are closed before running ATF Cleaner..
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
  • Close AVG AntiSpyware.
  • Reboot to normal mode.
In your next reply, please post a fresh HijackThis log and the AVG Antispyware log, and tell me how it is running now.

Edited by Angelfire777, 04 July 2007 - 04:47 AM.


#7 oxjeremy334


Posted 04 July 2007 - 01:08 PM

System runs better overall. I still can't remove cmnl.exe and the other file in that folder. I also can't kill the GEADFghM.exe process. Also, I can't delete C:\WINDOWS\system32\drivers\winik.sys


Logfile of HijackThis v1.99.1
Scan saved at 1:07:48 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P32 "EPSON Stylus C82 Series (Copy 1)" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:43:14 PM 7/4/2007

+ Scan result:



C:\Program Files\wqxoxrwq\cnml.exe -> Adware.CommonName : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\WinIK -> Adware.CommonName : Error during cleaning.
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\Enum -> Adware.CommonName : Error during cleaning.
HKLM\SYSTEM\CurrentControlSet\Services\WinIK\Security -> Adware.CommonName : Error during cleaning.
C:\WINDOWS\system32\drivers\winik.sys -> Rootkit.Agent.q : Cleaned with backup (quarantined).


::Report end

Edited by oxjeremy334, 04 July 2007 - 01:10 PM.
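
Added example, not part of the thread and not code from HijackThis: a Python check of whether the two O4 autostart entries selected for "Fix checked" still appear in the HijackThis log posted afterwards. The log lines are abridged from the posts above; the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class O4Entry(NamedTuple):
    location: str  # "HKLM\..\Run", "HKCU\..\Run", "Startup", "Global Startup"
    name: str      # registry value name or shortcut file name
    command: str   # command line or shortcut target exactly as logged


# The two O4 line shapes that occur in the logs on this page.
_REG = re.compile(r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\[^:]+): \[(?P<name>.*?)\] ?(?P<cmd>.*)$")
_LNK = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Executable at the start of a command: quoted, or unquoted (may contain spaces).
_IMAGE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$))', re.I
)


def parse_o4(log_text: str) -> List[O4Entry]:
    """Return every O4 (autostart) entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = _REG.match(line.strip()) or _LNK.match(line.strip())
        if m:
            entries.append(O4Entry(m["loc"], m["name"], m["cmd"].strip()))
    return entries


def image_path(command: str) -> Optional[str]:
    """Extract the program a command starts, or None (e.g. a '?' target)."""
    m = _IMAGE.match(command)
    return (m["q"] or m["u"]) if m else None


def _key(entry: O4Entry) -> Tuple[str, str]:
    # Registry value names are case-insensitive, so compare lowercased.
    return (entry.location.lower(), entry.name.lower())


def verify_fix(fix_list: str, later_log: str) -> List[Tuple[str, Optional[str], str]]:
    """For each entry that was to be fixed, report whether a later log still has it."""
    later = {_key(e): e for e in parse_o4(later_log)}
    report = []
    for target in parse_o4(fix_list):
        found = later.get(_key(target))
        if found is None:
            status = "removed"
        elif found.command.lower() == target.command.lower():
            status = "still present"
        else:
            status = "still present, command changed"
        report.append((target.name, image_path(target.command), status))
    return report


# Entries the helper asked to fix (copied from the instructions above).
FIX_LIST = r"""
O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Jeremiah\Client\HelpExp.exe
"""

# Abridged from the HijackThis log saved on 7/4/2007, after the fix was attempted.
LOG_4_JULY = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YQVGTcEx] C:\PROGRA~1\wqxoxrwq\GEADFghM.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

if __name__ == "__main__":
    for name, image, status in verify_fix(FIX_LIST, LOG_4_JULY):
        print(f"{name:12} {status:32} {image}")
```

An entry reported as "still present" after "Fix checked" means something rewrote the Run value, which matches the AVG report's failure to clean the WinIK service keys in the same post.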


#8 Angelfire777


Posted 05 July 2007 - 04:39 AM

Hi,

Download combofix.exe

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#9 oxjeremy334


Posted 05 July 2007 - 09:28 PM

"Jeremiah" - 2007-07-05 17:24:37 - ComboFix 07-07-04.4 - Service Pack 2


Other Deletions

C:\DOCUME~1\Jeremiah\Desktop.\internet explorer.lnk
C:\Program Files\3
C:\Program Files\3\dvd x copy 1.2.1 + crack full ver not beta\DVDXCopy_v1.2.1_full_install.exe
C:\Program Files\3\dvd x copy 1.2.1 + crack full ver not beta\info.txt
C:\WINDOWS\hosts


Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-05 17:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 16:23 <DIR> d-------- C:\Program Files\HJT
2007-07-03 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-03 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-23 10:05 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 11:40 <DIR> d-------- C:\DOCUME~1\Jeremiah\APPLIC~1\Snapfish


Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-05 22:30:19 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-07-04 14:51:41 -------- d-----w C:\Program Files\WinXpSp2
2007-07-04 14:50:11 -------- d-----w C:\Program Files\Windows Update
2007-07-04 05:40:32 -------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-07-03 21:33:53 -------- d-----w C:\Program Files\wqxoxrwq
2007-06-30 14:43:59 -------- d-----w C:\Program Files\PokerChamps
2007-06-30 14:43:59 -------- d-----w C:\DOCUME~1\Jeremiah\APPLIC~1\PokerChamps
2007-06-24 16:09:35 -------- d-----w C:\Program Files\MySpace
2007-06-20 00:35:30 -------- d-----w C:\DOCUME~1\Jeremiah\APPLIC~1\ZoomBrowser EX
2007-06-06 16:40:28 14,952 ----a-w C:\WINDOWS\mozver.dat
2007-06-01 00:27:17 -------- d-----w C:\Program Files\Activision Value
2007-05-27 17:33:02 -------- d-----w C:\Program Files\Canon
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 23:11:48 -------- d-----w C:\Program Files\Song List Creator
2007-05-05 21:36:53 -------- d-----w C:\Program Files\BitComet
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-07-26 21:42:41 56 --sh--r C:\WINDOWS\system32\1120E034A7.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-08-03 02:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 05:18 231160 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-04-04 13:38]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-04-23 08:39]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 10:50]
"RDLL"="" []
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Configuration Loaded"="" []
"explore"="" []
"emsw.exe"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-16 11:49]
"ck0HRAox"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-10 23:45]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"@"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RDLL"=
"Configuration Loaded"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\Program Files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 15:18]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 17:39:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*?A~????????d1??????h?@?x?????B~D??????sx??s?|??????y??w????@@@????|D@@?????>??w?????92?H??????|???|???????|L(?s?92??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0



Completion time: 2007-07-05 17:41:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-05 17:41

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 17:46, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#10 Angelfire777

    SWI Junkie

  • Retired Staff
  • 437 posts

Posted 06 July 2007 - 09:29 AM

Hi,

Combofix Deletions
  • Right click on your desktop, select "new" then choose "New text Document"
  • Name it as "CFScript"
  • Copy and paste the text inside the code box below to CFScript.txt
File::
C:\WINDOWS\system32\drivers\winik.sys

Folder::
C:\Program Files\wqxoxrwq
C:\Program Files\Full Tilt Poker.Net

Driver::
WinIK

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RDLL"=-
"explore"=-
"emsw.exe"=-
"ck0HRAox"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RDLL"=-
"Configuration Loaded"=-
  • Save it.
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
    Posted Image
  • Combofix will restart your machine then it will produce a log afterwards.
  • Please post the contents of that log
Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
I would like you to scan a file for me.

Please go HERE. Click browse then, navigate to this file:

C:\WINDOWS\system32\1120E034A7.sys

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.

On your next reply, please post a fresh HijackThis log, jotti scan results, and the combofix log.

Edited by Angelfire777, 06 July 2007 - 09:30 AM.


#11 oxjeremy334

    Member

  • Full Member
  • 7 posts

Posted 06 July 2007 - 06:12 PM

That last file does not exist. I unhid all of the folders, so I could see everything. I even searched the HDDs for it and found nothing.


Logfile of HijackThis v1.99.1
Scan saved at 18:10, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


"Jeremiah" - 2007-07-06 17:49:10 - ComboFix 07-07-04.4 - Service Pack 2
Command switches used :: C:\Documents and Settings\Jeremiah\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Full Tilt Poker.Net
C:\Program Files\Full Tilt Poker.Net\Oxjeremy334.dat
C:\Program Files\wqxoxrwq\cnml.exe
C:\Program Files\wqxoxrwq\profile.dat
C:\WINDOWS\system32\drivers\winik.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINIK
-------\WinIK


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-05 17:23 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 16:23 <DIR> d-------- C:\Program Files\HJT
2007-07-03 16:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-03 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-23 10:05 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-06 11:40 <DIR> d-------- C:\DOCUME~1\Jeremiah\APPLIC~1\Snapfish


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 22:52:41 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-07-04 14:51:41 -------- d-----w C:\Program Files\WinXpSp2
2007-07-04 14:50:11 -------- d-----w C:\Program Files\Windows Update
2007-06-30 14:43:59 -------- d-----w C:\Program Files\PokerChamps
2007-06-30 14:43:59 -------- d-----w C:\DOCUME~1\Jeremiah\APPLIC~1\PokerChamps
2007-06-24 16:09:35 -------- d-----w C:\Program Files\MySpace
2007-06-20 00:35:30 -------- d-----w C:\DOCUME~1\Jeremiah\APPLIC~1\ZoomBrowser EX
2007-06-06 16:40:28 14,952 ----a-w C:\WINDOWS\mozver.dat
2007-06-01 00:27:17 -------- d-----w C:\Program Files\Activision Value
2007-05-27 17:33:02 -------- d-----w C:\Program Files\Canon
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 23:11:48 -------- d-----w C:\Program Files\Song List Creator
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-07-26 21:42:41 56 --sh--r C:\WINDOWS\system32\1120E034A7.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-08-03 02:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-12-18 05:18 231160 --a------ C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-04-04 13:38]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-04-23 08:39]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 10:50]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2002-09-13 01:04]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Configuration Loaded"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-12-16 11:49]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-10 23:45]
"nwiz"="nwiz.exe" [2005-12-10 04:06 C:\WINDOWS\system32\nwiz.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 18:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-30 14:19]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"@"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\Program Files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 15:18]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-06 17:54:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run?????????????????????????????h?@???????B~D??????sx??sg??? ???y??w????@@@????|D@@?????>??w?????92????????|???|???????|L(?s?92??????/?s????????D???????p???????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-06 17:57:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 17:56
C:\ComboFix2.txt ... 2007-07-05 17:41

--- E O F ---

#12 Angelfire777

    SWI Junkie

  • Retired Staff
  • 437 posts

Posted 06 July 2007 - 10:17 PM

Please see if you can delete this folder now:

C:\Program Files\wqxoxrwq


Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u2, and install it to your computer.

Please post a fresh HijackThis log and tell me how the folder deletion went.
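
A check for the Java step above, as an added example that is not part of the original posts: it scans a HijackThis log for JRE install folders and flags every entry that still points at a version older than 6u2 (1.6.0_02). The sample log is constructed in the format of the logs in this thread, and the function names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in HijackThis 1.99.1 format, modelled on the logs in this
# thread: stale and current JRE folders are deliberately mixed together.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\j2re1.4.2_05\bin\npjpi142_05.dll
"""

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)


class JreRef(NamedTuple):
    line_no: int      # 1-based line number in the log
    section: str      # HijackThis section code ("O2", "O4", ...) or "process"
    version: Version
    text: str         # the log line, stripped


# Section-coded entries start with e.g. "R0 - ", "O4 - ", "O23 - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")

# JRE install folder as a path component: jre1.6.0_01, j2re1.4.2_05, ...
# A folder shown under an 8.3 short name would not match and needs a manual look.
JRE_DIR_RE = re.compile(r"\\(?:j2re|jre)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", re.I)


def find_jre_refs(log_text: str) -> List[JreRef]:
    """Return every log line that references a file inside a JRE folder."""
    refs = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = JRE_DIR_RE.search(line)
        if not match:
            continue
        entry = ENTRY_RE.match(line)
        # Lines without a section code belong to the running-process list.
        section = entry.group(1) if entry else "process"
        version = tuple(int(part or 0) for part in match.groups())
        refs.append(JreRef(line_no, section, version, line.strip()))
    return refs


def stale_jre_refs(log_text: str,
                   minimum: Version = (1, 6, 0, 2)) -> List[JreRef]:
    """Entries whose JRE folder is older than `minimum` (default: 6u2)."""
    return [ref for ref in find_jre_refs(log_text) if ref.version < minimum]


def jre_versions(log_text: str) -> List[Version]:
    """Distinct JRE versions referenced anywhere in the log, oldest first."""
    return sorted({ref.version for ref in find_jre_refs(log_text)})


if __name__ == "__main__":
    for ref in stale_jre_refs(SAMPLE_LOG):
        shown = "%d.%d.%d_%02d" % ref.version
        print(f"line {ref.line_no:>2} [{ref.section}] JRE {shown}: {ref.text}")
```

A HijackThis log lists only running processes and autostart or browser hooks, so an old JRE that is installed but not hooked anywhere will not appear; Add/Remove Programs remains the authoritative list.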

#13 oxjeremy334

    Member

  • Full Member
  • 7 posts

Posted 10 July 2007 - 12:27 AM

I think that the other process killed the folder since it is not there now. Thanks. System is pretty good, so hopefully this log is clean.

Logfile of HijackThis v1.99.1
Scan saved at 00:25, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
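
As an added example (not part of the original post and not HijackThis code), a short Python triage helper for the log format above: it splits each entry into section code, description and file path, and flags only what HijackThis itself printed, namely `(file missing)`, `Unknown owner` on O23 services, and a path with no file name. The function names and flag labels are assumptions made for this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: six lines copied verbatim from the log in the post above.
SAMPLE = r"""
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# "<section code> - <rest of entry>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Trailing " - <drive>:\path", optionally followed by HijackThis's "(file missing)" marker
TARGET = re.compile(r" - ([A-Za-z]:\\.*?)( \(file missing\))?$")

def parse_entry(line):
    """Split one HijackThis line into section, description, path and triage flags."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # log header, blank line or surrounding forum text
    section, body = m.groups()
    entry = {"section": section, "desc": body, "path": None, "flags": []}
    t = TARGET.search(body)
    if t:
        entry["desc"], entry["path"] = body[:t.start()], t.group(1)
        if t.group(2):
            entry["flags"].append("file-missing")   # registered, but not on disk
        if entry["path"].endswith("\\"):
            entry["flags"].append("no-filename")    # directory only, or truncated
    if section == "O23" and entry["desc"].endswith(" - Unknown owner"):
        entry["flags"].append("unknown-owner")      # owner field as HijackThis printed it
    return entry

def triage(log_text):
    """Return only flagged entries; a flag means 'review first', not a verdict."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["flags"]]

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["section"], ",".join(e["flags"]), e["path"])
```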

#14 Angelfire777

Posted 10 July 2007 - 04:26 AM

Congratulations! Your log looks clean!

Configure Windows XP to hide system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Do not show hidden files and folders.
  • Check the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and OK it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your PC's security.

Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm
» Kerio

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

IESpyAds
~You can download it from here
~If you want to know how IESpyAds works you can take a look at it here
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!

#15 Angelfire777

Posted 13 July 2007 - 08:06 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



