Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 27th, 2010, 11:36 pm

Laptop Hp Compaq tc4400 with Win Xp pro tablet edition 2005 with sp2 starting up super slow,virtual keyboard for login in no longer shows keys and now gets error Keyboard Surrogate.exe .Net Framework Initialization Error c:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\mscorwks.dll could not be loaded..Firefox running slow and is redirected,on the tools/option tab on firefox as homepage it displays hxxp://flyingincognitosleep.com/cgi-bin/h.pl ran avast no help,got past scotty (WinPatrol Plus) cause it never alerted me..also tried restore point got error and no changes got made..on safemode when it reaches the point to choose user it goes black and restarts laptop so safemode seems corrupted...ive googled around and it seems this flyingincognitosleep malware is fairly new..please help i dont want to resort to plan B formatting.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:43:21 PM, on 12/27/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AutorunRemover\AutorunRemover.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mp4converter.net/webapp/buy. ... ar1=108427
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: mipony-plugin Toolbar - {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files\mipony-plugin\tbmip1.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Download with Mipony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{76F68857-08C0-459B-A392-CF12C1D8B237}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B760AB00-3400-4049-A720-58175AEE90EE}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: ackpbsc - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll
O20 - Winlogon Notify: DeviceNP - DeviceNP.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 12757 bytes

Unistall_List:

32 Bit HP CIO Components Installer
91 PC Suite for iPhone
ActivClient Mini
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Agere Systems HDA Modem
Apple Mobile Device Support
Apple Software Update
AuthenTec Fingerprint Sensor Minimum Install
Autorun Virus Remover 2.3
avast! Pro Antivirus
BatteryBar (remove only)
BitLord 1.1
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Broadcom NetXtreme Ethernet Controller
Cole2k Media - Nero Audio Plugin Pack
CopyTrans Suite (remove only)
Credential Manager for HP ProtectTools
Device Access Manager for HP ProtectTools
DiscJuggler
Dream Aquarium 1.24
Driver Genius Professional Edition
Dziobas Rar Player 0.009.50
EASEUS Data Recovery Wizard Professional 4.3.6
EASEUS Photo Recovery 2.1.1
Easy Photo Recovery 2.6
EmoDio
eMule
FileZilla Client 3.3.2.1
FlashFXP v3
FormatFactory 1.85
Foxit Reader
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB896243)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Backup and Recovery Manager Installer
HP BatteryCheck 1.00 A7
HP BIOS Configuration for ProtectTools 2.00 D1
HP Customer Participation Program 13.0
HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
HP Embedded Security for ProtectTools
HP Imaging Device Functions 13.0
HP Integrated Module with Bluetooth wireless technology
HP Java Card Security for ProtectTools 1.00 B4
HP Mobile Data Protection System
HP Print Projects 1.0
HP ProtectTools Security Manager
HP Quick Launch Buttons 6.30 J1
HP Smart Card Security for ProtectTools 5.00 D4
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HP Wireless Assistant
iMagic Inventory 1.93
InCD
Instant Invoice n CashBook 2007
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
InterVideo DVD Check
InterVideo WinDVD
iPhone Explorer 0.973
iPhone Folders
iPhoneBrowser
iPod Access for Windows v4.4
iTunes
Java(TM) 6 Update 15
JDownloader
JPEG Recovery Pro 4.0
K-Lite Mega Codec Pack 5.4.4
Liquid Desktop 3D Screensaver
LiveUpdate BVRP Software
Malwarebytes' Anti-Malware
MediaBrowser LE
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Video Screensaver
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
Microsoft Xbox 360 Accessories 1.2
MiPony 1.1.2
mipony-plugin Toolbar
mIRC
mobile PhoneTools
Motorola Driver Installation 4.6.0
Motorola Software Update
Mozilla Firefox (3.6.13)
MP3 Player Utilities 4.17
mProSafe
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
MyFreeCodec
MyMenu 1.2
Nero 6 Ultra Edition
Nero BurnRights
Nero Digital
NeroMIX
PdaNet for Android 1.12
PixRecovery
Project64 1.6
PSP Grader v006 - Lite
QuickTime
Radmin Viewer 3.4
RAR Repair Tool v.4.0
RealPlayer
RealPlayer
RegRun Reanimator
RightClick
RocketDock 1.3.5
SDFormatter
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shop for HP Supplies
Sonic Data Module
SoundMAX
Synaptics Pointing Device Driver
Talisman 3
TeamViewer 5
Texas Instruments PCIxx21/x515/xx12 drivers.
UnHackMe 5.99 release
Update for Windows XP (KB898461)
Update for Windows XP (KB920142)
Update for Windows XP (KB925720)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vuze
Wacom Pen Driver 2.7
WBFS Manager 3.0
WD SmartWare
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
WinISO 5.3
WinPatrol 2009
WinRAR archiver
WinSCP 4.2.8
WinZip 12.1
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm
Advertisement
Register to Remove

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 28th, 2010, 4:44 pm

Hi teknokidd,
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P programs Bitlord,eMule and Vuze in the removal instructions below, so we are not wasting our time.
If you have used these, you can be fairly confident this is a principal reason your computer is infected

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Limewire, Vuze, Shareaza, Bitlord.
(Limewire has just been shut down by the courts).
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.

Your system is way behind in updates, and in fact has not been updated in over a year, so we need to check your Windows version.
In this condition, Microsoft no longer will support the system, since it does not have Service Pack 3.
If everything works OK, you will be required to update your system, but only after it has been cleaned.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

BitLord 1.1
eMule
Vuze

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
Download and Run a Diagnostic Tool (MGADiag.exe) from here and save this to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
* Double-click on MGADiag.exe
* When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
* Please post the results in your next reply.
---------------------------------------------
Run CKScanner
Download CKScanner from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 28th, 2010, 6:54 pm

Hi askey127 thank you for your time and help.

Removed:BitLord 1.1,eMule and Vuze

MGADiag.exe results:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2BVJT-DBGV9-8YHMW
Windows Product Key Hash: Z3a4Zoj0rn1MnDUeZ/qxdaVUpy4=
Windows Product ID: 76487-OEM-2217565-78983
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.tab
ID: {371D4606-6A6C-4140-815B-FB8D57F66F20}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{371D4606-6A6C-4140-815B-FB8D57F66F20}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.tab</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8YHMW</PKey><PID>76487-OEM-2217565-78983</PID><PIDType>3</PIDType><SID>S-1-5-21-1547161642-839522115-946487875</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq tc4400 (RA296AW#ABA)</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68YHV Ver. F.0B</Version><SMBIOSVersion major="2" minor="4"/><Date>20070713000000.000000+000</Date></BIOS><HWID>E2A70900018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: A5CC:Compaq Computer Corporation|13A01:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|139A7:Compaq Computer Corporation|139A7:Compaq Computer Corporation|13B1F:GENUINE C&C INC|1FFEA:Hewlett-Packard Company|139A7:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A


CKScanner results:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\evil1\my documents\1wii\gb\fceugx\roms\crackout__e_.nes
c:\documents and settings\evil1\my documents\wii\wii sd card backup\fceu\roms\crackout__e_.nes
scanner sequence 3.AA.11
----- EOF -----
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 28th, 2010, 7:14 pm

Teknokidd,
Is there any reason why you have not Validated Windows yet?
Go to the Microsoft Diagnostics Site
Be sure to use Internet Explorer for this (not Firefox).
It's HERE
Click "Start Diagnostics" button. If it shows some items failed, follow the steps to fix it, and click "Try Again".

Then Please visit This website using Internet Explorer.
Follow the instructions to Validate Windows, then run MGADiag.exe again and post the new log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 28th, 2010, 8:28 pm

Here you go askey127, and no reason didnt know it wasnt validated or i had too..

MGADiag.exe results:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-2BVJT-DBGV9-8YHMW
Windows Product Key Hash: Z3a4Zoj0rn1MnDUeZ/qxdaVUpy4=
Windows Product ID: 76487-OEM-2217565-78983
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.tab
ID: {371D4606-6A6C-4140-815B-FB8D57F66F20}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{371D4606-6A6C-4140-815B-FB8D57F66F20}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.2.0.tab</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8YHMW</PKey><PID>76487-OEM-2217565-78983</PID><PIDType>3</PIDType><SID>S-1-5-21-1547161642-839522115-946487875</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq tc4400 (RA296AW#ABA)</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>68YHV Ver. F.0B</Version><SMBIOSVersion major="2" minor="4"/><Date>20070713000000.000000+000</Date></BIOS><HWID>E2A70900018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: A5CC:Compaq Computer Corporation|13A01:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|139A7:Compaq Computer Corporation|139A7:Compaq Computer Corporation|13B1F:GENUINE C&C INC|1FFEA:Hewlett-Packard Company|139A7:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 29th, 2010, 8:25 am

teknokidd,
-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Autorun Virus Remover 2.3
Java(TM) 6 Update 15
UnHackMe 5.99 release

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVAST
    Right click on the avast! icon in system tray (looks like this: Image) and choose (Stop On-Access Protection)
    Avast On-Access Protection is now disabled.
    (Reverse the procedure to re-enable the On-Access Protection later).
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your AVG protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 29th, 2010, 4:24 pm

i no longer have avast after sending me to validate MS gave me Microsoft Security Essentials to install saying other anti-virus programs would need to be removed so i did thinking it was part of the validation process...

Ran HijackThis and Removed Registry items:
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [AutorunRemover.exe] C:\Program Files\AutorunRemover\AutorunRemover.exe -Hide

Removed Programs:
Autorun Virus Remover 2.3
Java(TM) 6 Update 15
UnHackMe 5.99 release

Combofix log:

ComboFix 10-12-28.03 - evil1 12/29/2010 13:50:03.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2465 [GMT -6:00]
Running from: c:\documents and settings\evil1\Desktop\zzz.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-29 16:00 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-29 16:00 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-29 00:17 . 2010-11-10 02:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39E804CF-94D8-4AD8-BFA8-A7BA2025D168}\mpengine.dll
2010-12-29 00:15 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-29 00:09 . 2010-12-29 00:10 -------- d-----w- c:\program files\Microsoft Security Client
2010-12-28 23:32 . 2009-06-25 19:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-12-28 21:37 . 2010-12-28 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-12-27 19:56 . 2010-12-27 19:56 2 --shatr- c:\windows\winstart.bat
2010-12-27 19:55 . 2010-12-29 19:19 -------- d-----w- c:\program files\UnHackMe
2010-12-27 19:41 . 2010-12-27 19:41 388096 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-27 19:41 . 2010-12-27 19:41 -------- d-----w- c:\program files\Trend Micro
2010-12-27 19:20 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 19:19 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-26 23:33 . 2010-12-26 23:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-21 05:25 . 2010-12-26 23:32 -------- d-----w- c:\program files\PSP Grader
2010-12-20 17:34 . 2010-12-24 19:54 -------- d-----w- c:\documents and settings\evil1\Application Data\Dream Aquarium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-12-27_07.15.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\fltmc.exe
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\fltlib.dll
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\dllcache\fltmc.exe
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2007-02-15 21:22 . 2007-02-15 21:22 688000 c:\windows\system32\SelfHelpControl.DLL
+ 2009-08-03 21:07 . 2009-08-03 21:07 403816 c:\windows\system32\OGACheckControl.DLL
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\drivers\fltmgr.sys
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\dllcache\fltmgr.sys
+ 2010-12-29 00:10 . 2010-12-29 00:10 786432 c:\windows\Installer\12becf.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 479744 c:\windows\Installer\12bec6.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 301056 c:\windows\Installer\12bebe.msi
+ 2009-11-23 00:29 . 2010-12-27 21:04 1533592 c:\windows\system32\Restore\rstrlog.dat
+ 2009-06-25 19:20 . 2009-06-25 19:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2010-12-27 19:41 . 2010-12-27 19:41 1094656 c:\windows\Installer\6d6784.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"CubeDesktop"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 271872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-14 137752]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [BU]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"UnlockerAssistant"="c:\program files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-04-27 21:43 98304 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-04-14 21:55 94208 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 14:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 21:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 09:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Monitor LE.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Monitor LE.lnk
backup=c:\windows\pss\Device Monitor LE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^evil1^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\evil1\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2006-04-21 00:39 176128 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\accrdsub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-04-12 17:15 1383936 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 19:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2010-05-12 19:43 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 21:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2004-08-14 09:42 36864 ------w- c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 4:56 PM 36768]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient Mini\acachsrv.exe [4/12/2006 4:43 PM 81920]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient Mini\accoca.exe [5/2/2006 4:28 PM 135168]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/22/2010 10:58 PM 91456]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 3:22 PM 98304]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 5:05 PM 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 11:19 AM 36352]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/7/2010 5:35 PM 9472]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 2:09 PM 34736]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/7/2010 5:35 PM 25728]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 1:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 8:28 AM 172131]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/22/2010 9:12 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/22/2010 9:12 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [6/22/2010 9:12 PM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/22/2010 9:12 PM 23936]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/22/2009 4:40 PM 17408]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [11/22/2009 6:58 AM 13568]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/29/2009 10:09 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.mp4converter.net/webapp/buy. ... ar1=108427
uInternet Settings,ProxyOverride = *.local
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {76F68857-08C0-459B-A392-CF12C1D8B237} = 208.67.222.222,208.67.220.220
TCP: {B760AB00-3400-4049-A720-58175AEE90EE} = 4.2.2.2,4.2.2.1
FF - ProfilePath - c:\documents and settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\
FF - prefs.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Live IP Address: {7C9AE782-DB21-4e40-81FB-AD8A53A6233A} - %profile%\extensions\{7C9AE782-DB21-4e40-81FB-AD8A53A6233A}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Foxamp: {F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0} - %profile%\extensions\{F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - %profile%\extensions\{90d46c30-9f25-4104-aea9-35c3f84477ff}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - user.js: browser.startup.page - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 13:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B22F6DE-8275-78B0-5D0D-184F48EA1290}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahkcicdhoolndlj"=hex:61,61,00,7c
"jahkcicdhoolndljfdgo"=hex:63,61,69,65,69,6f,00,7c
"papdbefjdinfkpkmeiiidolcngldlgmm"=hex:65,61,6d,67,66,63,6d,66,63,62,00,00

[HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DAA6AF02-CA74-38FD-BE85-70665467B007}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmfolonjnlkohclkjcoklcaknmfljjgib"=hex:69,61,6c,65,6a,64,6a,70,6b,65,6b,6a,
6e,6a,6f,67,6d,69,00,00
"majfllamnojpjionndialhioec"=hex:6f,61,69,6c,6f,64,6f,6e,66,6c,6b,67,61,6b,64,
68,64,66,6f,70,6c,63,63,61,62,64,70,64,6e,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acauth.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\asphatrc.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'explorer.exe'(3376)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\APSHook.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\msi.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-12-29 14:03:10
ComboFix-quarantined-files.txt 2010-12-29 20:02

Pre-Run: 5,799,366,656 bytes free
Post-Run: 5,802,704,896 bytes free

- - End Of File - - F1B3DE063DDFB817233F8B80D4C806C7
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 29th, 2010, 9:10 pm

teknokidd,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    RegLockDel::
    [HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DAA6AF02-CA74-38FD-BE85-70665467B007}*]
    
    [HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B22F6DE-8275-78B0-5D0D-184F48EA1290}*]
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
Now try changing your Firefox home page.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 30th, 2010, 12:32 am

askey127 there seems to be NO change, after reboot it still starts up super slow takes 5-8 mins from windows logo to desktop to load, firefox still hijacked by flyingincognitosleep.com and any of the tabs like Tools\Options on Firefox i click on take forever to load...after adding the CFScript to Combofix it ran then notified me that there was a newer version of Combofix and would i like to download it, i naturally said YES could that be the problem,would you like me to run it again this time choosing NO? I await for further instructions....Here's Combofix with CFScript added log:

ComboFix 10-12-29.02 - evil1 12/29/2010 21:16:23.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2379 [GMT -6:00]
Running from: c:\documents and settings\evil1\Desktop\zzz.exe
Command switches used :: c:\documents and settings\evil1\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-29 20:15 . 2010-11-10 02:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01462912-BD96-45C2-AA9C-B5DFF112C6CF}\mpengine.dll
2010-12-29 16:00 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-29 16:00 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-29 00:15 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-29 00:09 . 2010-12-29 00:10 -------- d-----w- c:\program files\Microsoft Security Client
2010-12-28 23:32 . 2009-06-25 19:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-12-28 21:37 . 2010-12-28 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-12-27 19:56 . 2010-12-27 19:56 2 --shatr- c:\windows\winstart.bat
2010-12-27 19:55 . 2010-12-29 19:19 -------- d-----w- c:\program files\UnHackMe
2010-12-27 19:41 . 2010-12-27 19:41 388096 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-27 19:41 . 2010-12-27 19:41 -------- d-----w- c:\program files\Trend Micro
2010-12-27 19:20 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 19:19 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-26 23:33 . 2010-12-26 23:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-21 05:25 . 2010-12-26 23:32 -------- d-----w- c:\program files\PSP Grader
2010-12-20 17:34 . 2010-12-24 19:54 -------- d-----w- c:\documents and settings\evil1\Application Data\Dream Aquarium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-12-27_07.15.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\fltmc.exe
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\fltlib.dll
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\dllcache\fltmc.exe
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2007-02-15 21:22 . 2007-02-15 21:22 688000 c:\windows\system32\SelfHelpControl.DLL
+ 2009-08-03 21:07 . 2009-08-03 21:07 403816 c:\windows\system32\OGACheckControl.DLL
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\drivers\fltmgr.sys
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\dllcache\fltmgr.sys
+ 2010-12-29 00:10 . 2010-12-29 00:10 786432 c:\windows\Installer\12becf.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 479744 c:\windows\Installer\12bec6.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 301056 c:\windows\Installer\12bebe.msi
+ 2009-11-23 00:29 . 2010-12-27 21:04 1533592 c:\windows\system32\Restore\rstrlog.dat
+ 2009-06-25 19:20 . 2009-06-25 19:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2010-12-27 19:41 . 2010-12-27 19:41 1094656 c:\windows\Installer\6d6784.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"CubeDesktop"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 271872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-14 137752]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [BU]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"UnlockerAssistant"="c:\program files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-04-27 21:43 98304 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-04-14 21:55 94208 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 14:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 21:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 09:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Monitor LE.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Monitor LE.lnk
backup=c:\windows\pss\Device Monitor LE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^evil1^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\evil1\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2006-04-21 00:39 176128 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\accrdsub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-04-12 17:15 1383936 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 19:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2010-05-12 19:43 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 21:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2004-08-14 09:42 36864 ------w- c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 4:56 PM 36768]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient Mini\acachsrv.exe [4/12/2006 4:43 PM 81920]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient Mini\accoca.exe [5/2/2006 4:28 PM 135168]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/22/2010 10:58 PM 91456]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 3:22 PM 98304]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 5:05 PM 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 11:19 AM 36352]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/7/2010 5:35 PM 9472]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 2:09 PM 34736]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/7/2010 5:35 PM 25728]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 1:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 8:28 AM 172131]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/22/2010 9:12 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/22/2010 9:12 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [6/22/2010 9:12 PM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/22/2010 9:12 PM 23936]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/22/2009 4:40 PM 17408]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [11/22/2009 6:58 AM 13568]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/29/2009 10:09 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-12-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.mp4converter.net/webapp/buy. ... ar1=108427
uInternet Settings,ProxyOverride = *.local
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {76F68857-08C0-459B-A392-CF12C1D8B237} = 208.67.222.222,208.67.220.220
TCP: {B760AB00-3400-4049-A720-58175AEE90EE} = 4.2.2.2,4.2.2.1
FF - ProfilePath - c:\documents and settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\
FF - prefs.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Live IP Address: {7C9AE782-DB21-4e40-81FB-AD8A53A6233A} - %profile%\extensions\{7C9AE782-DB21-4e40-81FB-AD8A53A6233A}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Foxamp: {F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0} - %profile%\extensions\{F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - %profile%\extensions\{90d46c30-9f25-4104-aea9-35c3f84477ff}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - user.js: browser.startup.page - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-29 21:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B22F6DE-8275-78B0-5D0D-184F48EA1290}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahkcicdhoolndlj"=hex:61,61,00,7c
"jahkcicdhoolndljfdgo"=hex:63,61,69,65,69,6f,00,7c
"papdbefjdinfkpkmeiiidolcngldlgmm"=hex:65,61,6d,67,66,63,6d,66,63,62,00,00

[HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DAA6AF02-CA74-38FD-BE85-70665467B007}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abmfolonjnlkohclkjcoklcaknmfljjgib"=hex:69,61,6c,65,6a,64,6a,70,6b,65,6b,6a,
6e,6a,6f,67,6d,69,00,00
"majfllamnojpjionndialhioec"=hex:6f,61,69,6c,6f,64,6f,6e,66,6c,6b,67,61,6b,64,
68,64,66,6f,70,6c,63,63,61,62,64,70,64,6e,6e,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acauth.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\asphatrc.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'explorer.exe'(3556)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\APSHook.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\msi.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-12-29 21:24:30
ComboFix-quarantined-files.txt 2010-12-30 03:24
ComboFix2.txt 2010-12-29 20:03
ComboFix3.txt 2010-12-30 03:14

Pre-Run: 5,813,379,072 bytes free
Post-Run: 5,790,052,352 bytes free

- - End Of File - - 04347157E13503713562D7C5109840F0
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 30th, 2010, 7:25 am

teknokidd,
We will get it.
You can delete ComboFix from your desktop and download the new one. I would also rename it zzz.exe as you download it.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    RegNull::
    [HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DAA6AF02-CA74-38FD-BE85-70665467B007}*]
    
    [HKEY_USERS\S-1-5-21-1547161642-839522115-946487875-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B22F6DE-8275-78B0-5D0D-184F48EA1290}*]
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :regfind
    flyingincognitosleep
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 30th, 2010, 3:16 pm

askey127 well there seems to be 3 improvements after this last Combofix it now takes 4-5 mins from windows logo to desktop and the virtual keyboard for logging on looks to be fixed the keys are showing and no more error popping up,Firefox still hijacked by flyingincognitosleep.com but no more slowness when clicking on Firefox Tools\Options tabs..here are the logs:

Combofix with new CFScript:

ComboFix 10-12-29.04 - evil1 12/30/2010 11:09:32.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2389 [GMT -6:00]
Running from: c:\documents and settings\evil1\Desktop\zzz.exe
Command switches used :: c:\documents and settings\evil1\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-30 03:52 . 2010-11-10 02:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-30 03:50 . 2010-11-10 02:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8432A117-F02B-4C1F-8B02-1E90BB3A4C9A}\mpengine.dll
2010-12-29 16:00 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-29 16:00 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-12-29 00:15 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-29 00:09 . 2010-12-29 00:10 -------- d-----w- c:\program files\Microsoft Security Client
2010-12-28 23:32 . 2009-06-25 19:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
2010-12-28 21:37 . 2010-12-28 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-12-27 19:56 . 2010-12-27 19:56 2 --shatr- c:\windows\winstart.bat
2010-12-27 19:55 . 2010-12-29 19:19 -------- d-----w- c:\program files\UnHackMe
2010-12-27 19:41 . 2010-12-27 19:41 388096 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-27 19:41 . 2010-12-27 19:41 -------- d-----w- c:\program files\Trend Micro
2010-12-27 19:20 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 19:19 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-26 23:33 . 2010-12-26 23:33 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-21 05:25 . 2010-12-26 23:32 -------- d-----w- c:\program files\PSP Grader
2010-12-20 17:34 . 2010-12-24 19:54 -------- d-----w- c:\documents and settings\evil1\Application Data\Dream Aquarium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-11-26 04:11 . 2010-11-26 04:11 40960 ----a-r- c:\documents and settings\evil1\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-12-27_07.15.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\fltmc.exe
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\fltlib.dll
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 03:01 23040 c:\windows\system32\dllcache\fltmc.exe
- 2009-11-22 19:08 . 2006-02-28 12:00 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2009-11-22 19:08 . 2006-02-21 06:57 16896 c:\windows\system32\dllcache\fltlib.dll
+ 2007-02-15 21:22 . 2007-02-15 21:22 688000 c:\windows\system32\SelfHelpControl.DLL
+ 2009-08-03 21:07 . 2009-08-03 21:07 403816 c:\windows\system32\OGACheckControl.DLL
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\drivers\fltmgr.sys
+ 2009-11-22 19:08 . 2006-02-21 03:01 128896 c:\windows\system32\dllcache\fltmgr.sys
+ 2010-12-29 00:10 . 2010-12-29 00:10 786432 c:\windows\Installer\12becf.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 479744 c:\windows\Installer\12bec6.msi
+ 2010-12-29 00:09 . 2010-12-29 00:09 301056 c:\windows\Installer\12bebe.msi
+ 2009-11-23 00:29 . 2010-12-27 21:04 1533592 c:\windows\system32\Restore\rstrlog.dat
+ 2009-06-25 19:20 . 2009-06-25 19:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2010-12-27 19:41 . 2010-12-27 19:41 1094656 c:\windows\Installer\6d6784.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{90d46c30-9f25-4104-aea9-35c3f84477ff}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{90D46C30-9F25-4104-AEA9-35C3F84477FF}"= "c:\program files\mipony-plugin\tbmip1.dll" [2010-11-08 2735200]

[HKEY_CLASSES_ROOT\clsid\{90d46c30-9f25-4104-aea9-35c3f84477ff}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"CubeDesktop"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2004-08-04 271872]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-14 137752]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-11-20 488752]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-26 198160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [BU]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"UnlockerAssistant"="c:\program files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-04-27 21:43 98304 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-04-14 21:55 94208 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 14:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 21:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 09:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Monitor LE.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Device Monitor LE.lnk
backup=c:\windows\pss\Device Monitor LE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
backup=c:\windows\pss\WDSmartWare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^evil1^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\evil1\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\accrdsub]
2006-04-21 00:39 176128 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\accrdsub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-04-12 17:15 1383936 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 19:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mumservice]
2010-05-12 19:43 1066304 ----a-w- c:\program files\Motorola\Software Update\mumservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 21:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2004-08-14 09:42 36864 ------w- c:\program files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\FlashFXP\\flashfxp.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 4:56 PM 36768]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient Mini\acachsrv.exe [4/12/2006 4:43 PM 81920]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient Mini\accoca.exe [5/2/2006 4:28 PM 135168]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/22/2010 10:58 PM 91456]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 3:22 PM 98304]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 5:05 PM 87808]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 11:19 AM 36352]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [9/7/2010 5:35 PM 9472]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 2:09 PM 34736]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/7/2010 5:35 PM 25728]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 1:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 8:28 AM 172131]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/22/2010 9:12 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/22/2010 9:12 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [6/22/2010 9:12 PM 42752]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/22/2010 9:12 PM 23936]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [12/22/2009 4:40 PM 17408]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [11/22/2009 6:58 AM 13568]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/29/2009 10:09 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.mp4converter.net/webapp/buy. ... ar1=108427
uInternet Settings,ProxyOverride = *.local
IE: Download with Mipony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {76F68857-08C0-459B-A392-CF12C1D8B237} = 208.67.222.222,208.67.220.220
TCP: {B760AB00-3400-4049-A720-58175AEE90EE} = 4.2.2.2,4.2.2.1
FF - ProfilePath - c:\documents and settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Live IP Address: {7C9AE782-DB21-4e40-81FB-AD8A53A6233A} - %profile%\extensions\{7C9AE782-DB21-4e40-81FB-AD8A53A6233A}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Foxamp: {F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0} - %profile%\extensions\{F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: mipony-plugin Toolbar: {90d46c30-9f25-4104-aea9-35c3f84477ff} - %profile%\extensions\{90d46c30-9f25-4104-aea9-35c3f84477ff}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: browser.startup.homepage - hxxp://flyingincognitosleep.com/cgi-bin/h.pl
FF - user.js: browser.startup.page - 1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 11:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acauth.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\asphatrc.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll

- - - - - - - > 'explorer.exe'(432)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\APSHook.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\msi.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2010-12-30 11:23:11
ComboFix-quarantined-files.txt 2010-12-30 17:22
ComboFix2.txt 2010-12-30 03:24
ComboFix3.txt 2010-12-29 20:03
ComboFix4.txt 2010-12-30 17:05

Pre-Run: 5,604,540,416 bytes free
Post-Run: 5,580,468,224 bytes free

- - End Of File - - A74DAF971E52698CCA7A6242EEFEC16A

SystemLook Log:

SystemLook 04.09.10 by jpshortstuff
Log created at 12:27 on 30/12/2010 by evil1
Administrator - Elevation successful

========== regfind ==========

Searching for "flyingincognitosleep"
No data found.

-= EOF =-
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 30th, 2010, 4:20 pm

teknokidd,
We will get it figured out, and get your machine updated.
---------------------------------------------
Run a Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, In the Standard Registry box, click All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location
      as OTL (should be on your desktop).
    • Make sure Notepad's Format, Wordwrap is unchecked.
    • Please copy the contents of each of these files, one at a time, and post them in your next reply.
  • Use separate replies if you wish.

Separate questions:
Do you use CD-RW disks at all (the kind you can rewrite)?
What do you know about ActivIdentity? This software may restrict what you can do with the machine.
Is this machine used in a Corporate setting?

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 30th, 2010, 6:23 pm

askey127, No on CD-RW but yes on Cd-r,Dvd-r..ActivIdentity?? first time hearing about it i would guess maybe has to do with Hp security like fingerprint reader or other. Ive never used it in a Corporate setting i did buy it used 2yrs ago but i had the hdd and the ram upgraded..Here are the logs:

OTL.Txt:

OTL logfile created on: 12/30/2010 3:20:55 PM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\evil1\Desktop
Windows XP Tablet PC Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.42 Gb Total Space | 5.33 Gb Free Space | 4.96% Space Free | Partition Type: NTFS
Drive D: | 107.42 Gb Total Space | 84.50 Gb Free Space | 78.67% Space Free | Partition Type: NTFS
Drive E: | 83.24 Gb Total Space | 66.73 Gb Free Space | 80.17% Space Free | Partition Type: NTFS

Computer Name: EVILLAPTOP | User Name: evil1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/30 15:12:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\evil1\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/04/02 15:19:36 | 000,091,456 | ---- | M] () -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
PRC - [2010/04/02 15:19:32 | 000,279,360 | ---- | M] (Motorola) -- C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
PRC - [2009/11/25 18:09:50 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/10/26 03:33:40 | 000,015,872 | ---- | M] () -- C:\Program Files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe
PRC - [2009/10/10 15:07:08 | 000,320,832 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2009/09/30 17:57:20 | 000,718,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
PRC - [2009/09/04 15:22:22 | 000,098,304 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2009/06/16 09:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
PRC - [2009/02/27 06:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/02/27 05:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/02/27 05:40:52 | 001,202,448 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2009/02/27 05:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/08/30 17:10:42 | 001,562,381 | ---- | M] () -- C:\Program Files\iPod Access for Windows\iPAHelper.exe
PRC - [2007/09/02 12:58:52 | 000,495,616 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.exe
PRC - [2007/02/07 01:30:00 | 000,065,536 | R--- | M] (Cognizance Corporation) -- C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe
PRC - [2007/01/05 17:36:48 | 000,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/01 06:10:10 | 000,293,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wisptis.exe
PRC - [2006/10/09 11:23:06 | 000,697,976 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
PRC - [2006/05/02 16:28:48 | 000,135,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe
PRC - [2006/04/12 16:43:38 | 000,081,920 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe
PRC - [2006/04/10 17:56:36 | 000,081,920 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\acevents.exe
PRC - [2006/03/03 15:28:18 | 000,136,736 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
PRC - [2006/02/28 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/05/10 11:31:22 | 000,241,664 | ---- | M] (Stardock) -- C:\Program Files\Common Files\Stardock\sdmcp.exe
PRC - [2005/04/12 11:15:04 | 000,869,376 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2002/08/29 03:41:28 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tabbtnu.exe


========== Modules (SafeList) ==========

MOD - [2010/12/30 15:12:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\evil1\Desktop\OTL.exe
MOD - [2009/10/26 03:33:32 | 000,004,608 | ---- | M] () -- C:\Program Files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerHook.dll
MOD - [2007/09/02 12:57:36 | 000,069,632 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.dll
MOD - [2007/03/26 12:03:20 | 000,057,344 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll
MOD - [2007/02/26 03:49:00 | 000,070,144 | R--- | M] (Bioscrypt Inc.) -- C:\WINDOWS\system32\APSHook.dll
MOD - [2006/02/28 06:00:00 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2006/02/28 06:00:00 | 000,250,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPTIP.dll
MOD - [2006/02/28 06:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MSCTFP.dll
MOD - [2006/02/28 06:00:00 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPGRMR.dll
MOD - [2004/08/04 00:57:02 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2002/08/29 03:41:08 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Journal\nbmaptip.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/04/02 15:19:36 | 000,091,456 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2009/09/04 15:22:22 | 000,098,304 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/06/16 09:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
SRV - [2009/02/27 06:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009/02/27 05:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009/02/27 05:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2008/08/30 17:10:42 | 001,562,381 | ---- | M] () [Auto | Running] -- C:\Program Files\iPod Access for Windows\iPAHelper.exe -- (iPAHelper.exe)
SRV - [2007/04/30 08:28:34 | 000,172,131 | ---- | M] (Hewlett-Packard Ltd) [On_Demand | Stopped] -- C:\WINDOWS\system32\flcdlock.exe -- (FLCDLOCK)
SRV - [2007/02/07 01:30:00 | 000,074,240 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll -- (ASBroker)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/06/22 05:14:00 | 000,131,584 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll -- (ASChannel)
SRV - [2006/05/02 16:28:48 | 000,135,168 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe -- (accoca)
SRV - [2006/04/12 16:43:38 | 000,081,920 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe -- (acachsrv)
SRV - [2005/04/12 11:15:04 | 000,869,376 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\evil1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/10/27 11:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2009/10/27 11:02:14 | 000,023,936 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2009/09/09 18:24:14 | 000,062,424 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/06/19 15:59:34 | 000,019,712 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2009/06/05 11:42:28 | 000,017,408 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netaapl.sys -- (Netaapl)
DRV - [2009/05/08 10:56:12 | 000,042,752 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motodrv.sys -- (MotDev)
DRV - [2009/03/04 09:31:32 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2009/02/13 12:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2009/01/29 16:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/10/19 22:00:06 | 000,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/08/13 16:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/10/01 13:27:40 | 000,281,600 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/09/26 06:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2007/09/14 19:09:44 | 000,213,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/08/24 11:22:56 | 005,776,928 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/06/18 16:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/06/01 11:27:00 | 000,145,288 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/04/23 13:13:44 | 000,030,008 | ---- | M] (Hewlett-Packard Development Company L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DAMDrv.sys -- (DAMDrv)
DRV - [2007/01/22 14:09:38 | 000,034,736 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wisdpen.sys -- (wisdpen)
DRV - [2006/09/28 14:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2006/08/28 14:40:48 | 001,160,320 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/06/28 09:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/02/28 17:05:00 | 000,087,808 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/02/28 06:00:00 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2006/02/28 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2006/02/28 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2006/02/27 16:48:20 | 000,401,664 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/02/27 16:45:48 | 001,342,602 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/02/27 16:43:44 | 000,030,363 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/02/27 16:43:06 | 000,057,096 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/02/27 16:40:16 | 000,148,168 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/01/10 01:00:04 | 000,022,016 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2006/01/10 01:00:04 | 000,017,920 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2005/11/30 10:12:36 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/11/29 16:56:28 | 000,036,768 | ---- | M] (Infineon Technologies AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive)
DRV - [2005/10/26 10:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/10/21 11:19:34 | 000,036,352 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2005/04/12 11:07:50 | 000,099,456 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/04/12 11:07:30 | 000,029,056 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/04/12 11:07:26 | 000,028,160 | ---- | M] (Nero AG) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/01/07 17:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/04/16 12:57:58 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/17 06:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\..\URLSearchHook: {90d46c30-9f25-4104-aea9-35c3f84477ff} - C:\Program Files\mipony-plugin\tbmip1.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://flyingincognitosleep.com/cgi-bin/h.pl"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.1
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.3.2
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0}:0.3.11
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5
FF - prefs.js..extensions.enabledItems: {7C9AE782-DB21-4e40-81FB-AD8A53A6233A}:1.83
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: {90d46c30-9f25-4104-aea9-35c3f84477ff}:2.5.6.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8081

FF - user.js..browser.startup.homepage: "http://flyingincognitosleep.com/cgi-bin/h.pl"

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/12 12:07:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/27 15:01:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/28 17:32:25 | 000,000,000 | ---D | M]

[2009/11/23 21:24:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Extensions
[2010/12/30 12:49:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions
[2010/04/01 18:49:40 | 000,000,000 | ---D | M] (Screengrab) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
[2010/10/29 14:59:47 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/06/14 22:25:36 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/05/04 22:48:22 | 000,000,000 | ---D | M] (Live IP Address) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{7C9AE782-DB21-4e40-81FB-AD8A53A6233A}
[2010/11/03 23:40:05 | 000,000,000 | ---D | M] (mipony-plugin Toolbar) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{90d46c30-9f25-4104-aea9-35c3f84477ff}
[2010/10/29 14:59:50 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/12/26 17:31:49 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/06/08 23:51:19 | 000,000,000 | ---D | M] (Foxamp) -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\{F0B24ABB-A42D-4c82-AF2C-3FA6FF27E2C0}
[2010/06/23 01:31:46 | 000,000,000 | ---D | M] ("Virtual Keyboard") -- C:\Documents and Settings\evil1\Application Data\Mozilla\Firefox\Profiles\6rw8d2vm.default\extensions\vkeyboard@isul
[2010/12/29 13:38:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/12 12:07:14 | 000,000,000 | ---D | M] (HP Smart Web Printing) -- C:\PROGRAM FILES\HP\DIGITAL IMAGING\SMART WEB PRINTING\MOZILLAADDON3
[2009/11/25 18:10:30 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD\FIREFOX\EXT
[2010/01/15 22:45:03 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/12/22 21:49:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Credential Manager for HP ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll (Bioscrypt Inc.)
O2 - BHO: (FlashFXP Helper for Internet Explorer) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Program Files\FlashFXP\IEFlash.dll (IniCom Networks, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKCU\..\Toolbar\WebBrowser: (mipony-plugin Toolbar) - {90D46C30-9F25-4104-AEA9-35C3F84477FF} - C:\Program Files\mipony-plugin\tbmip1.dll (Conduit Ltd.)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll (Cognizance Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe File not found
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TabletWizard] C:\WINDOWS\Help\splshwrp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\JDownloader\downloads\PORTABLE_SUITE\Unlocker 1.8.8\App\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKCU..\Run: [CubeDesktop] File not found
O4 - HKCU..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download with Mipony - C:\Program Files\MiPony\Browser\IEContext.htm ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://go.microsoft.com/fwlink/?LinkId=82580 (Microsoft Genuine Advantage Self Support Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\DeviceNP: DllName - DeviceNP.dll - C:\WINDOWS\System32\DeviceNP.dll (Hewlett-Packard Limited)
O20 - Winlogon\Notify\IfxWlxEN: DllName - IfxWlxEN.dll - C:\WINDOWS\System32\IfxWlxEN.dll (Infineon Technologies AG)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\MCPClient: DllName - C:\Program Files\Common Files\Stardock\mcpstub.dll - C:\Program Files\Common Files\Stardock\MCPStub.dll (Stardock)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)
O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\evil1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\evil1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/22 13:11:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - E:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/30 15:13:00 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\evil1\Desktop\OTL.exe
[2010/12/30 11:23:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/12/29 10:00:14 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/12/29 10:00:14 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/12/28 18:15:33 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/12/28 18:09:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2010/12/28 17:44:38 | 002,923,248 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\WindowsXP-KB914882-x86-ENU.exe
[2010/12/28 17:35:28 | 007,866,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\mseinstall.exe
[2010/12/28 15:37:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/12/28 15:34:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\evil1\Desktop\1
[2010/12/28 15:32:13 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\MGADiag.exe
[2010/12/27 13:55:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\evil1\My Documents\RegRun2
[2010/12/27 13:55:31 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2010/12/27 13:41:36 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/12/27 13:20:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/27 13:19:54 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/21 00:04:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\evil1\My Documents\UmdStreamComposer
[2010/12/20 23:25:04 | 000,000,000 | ---D | C] -- C:\Program Files\PSP Grader
[2010/12/20 11:34:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\evil1\Application Data\Dream Aquarium
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/30 15:12:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\evil1\Desktop\OTL.exe
[2010/12/30 12:43:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/12/30 12:37:25 | 000,000,435 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2010/12/30 12:34:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/30 12:12:32 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\SystemLook.exe
[2010/12/30 11:04:26 | 004,011,739 | R--- | M] () -- C:\Documents and Settings\evil1\Desktop\zzz.exe
[2010/12/29 13:08:48 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\HiJackThis.lnk
[2010/12/28 18:18:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/28 18:11:02 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2010/12/28 18:07:49 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/12/28 17:44:48 | 002,923,248 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\WindowsXP-KB914882-x86-ENU.exe
[2010/12/28 17:35:28 | 007,866,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\mseinstall.exe
[2010/12/28 15:34:02 | 000,453,632 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\CKScanner.exe
[2010/12/28 15:32:17 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\evil1\Desktop\MGADiag.exe
[2010/12/27 14:00:05 | 000,000,678 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\Reanimator.lnk
[2010/12/27 13:56:01 | 000,001,688 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/12/27 13:56:01 | 000,000,002 | RHS- | M] () -- C:\WINDOWS\winstart.bat
[2010/12/27 13:20:01 | 000,000,822 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/23 16:30:39 | 000,001,658 | ---- | M] () -- C:\Documents and Settings\evil1\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/23 16:30:39 | 000,001,640 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/22 21:49:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/12/20 23:25:04 | 000,000,744 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\PSP Grader.lnk
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/20 11:34:32 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dream Aquarium.lnk
[2010/12/18 12:05:34 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\evil1\Application Data\Microsoft\Internet Explorer\Quick Launch\FlashFXP.lnk
[2010/12/18 12:05:34 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\evil1\Desktop\FlashFXP.lnk
[2010/12/16 21:29:58 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/12/13 07:36:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/12/08 21:29:49 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/30 12:12:36 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\SystemLook.exe
[2010/12/30 10:57:55 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/12/29 13:42:06 | 004,011,739 | R--- | C] () -- C:\Documents and Settings\evil1\Desktop\zzz.exe
[2010/12/28 18:11:02 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2010/12/28 15:34:01 | 000,453,632 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\CKScanner.exe
[2010/12/27 14:00:05 | 000,000,678 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\Reanimator.lnk
[2010/12/27 13:56:01 | 000,000,002 | RHS- | C] () -- C:\WINDOWS\winstart.bat
[2010/12/27 13:41:38 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\HiJackThis.lnk
[2010/12/27 13:20:01 | 000,000,822 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/23 16:30:39 | 000,001,658 | ---- | C] () -- C:\Documents and Settings\evil1\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/23 16:30:39 | 000,001,640 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/20 23:25:04 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\PSP Grader.lnk
[2010/12/20 11:34:32 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dream Aquarium.lnk
[2010/12/18 12:05:34 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\evil1\Application Data\Microsoft\Internet Explorer\Quick Launch\FlashFXP.lnk
[2010/12/18 12:05:34 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\evil1\Desktop\FlashFXP.lnk
[2010/08/17 01:20:41 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\evil1\Application Data\winscp.rnd
[2010/05/04 20:59:20 | 000,000,062 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2010/04/15 12:46:01 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\evil1\Application Data\iPod Access v4 Prefs
[2010/04/15 12:45:32 | 000,000,041 | -H-- | C] () -- C:\Documents and Settings\evil1\Application Data\iPodAccessv4_OwnerName
[2010/04/15 12:45:32 | 000,000,041 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\iPodAccessv4_OwnerName
[2010/04/15 12:42:51 | 000,000,011 | -H-- | C] () -- C:\Documents and Settings\evil1\Application Data\iPodAccess_Time
[2010/02/12 11:59:29 | 000,000,677 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/01/14 16:50:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/13 15:55:28 | 000,161,280 | ---- | C] () -- C:\WINDOWS\System32\TALBC.DLL
[2010/01/13 15:33:27 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\FlicPlusSDK_Win32_API.dll
[2009/12/25 17:35:51 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/05 17:48:01 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/01 12:07:16 | 000,424,560 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/25 00:55:10 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/11/25 00:55:09 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/11/25 00:55:08 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/11/25 00:55:08 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/11/25 00:55:07 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/11/25 00:55:04 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/11/22 15:57:27 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\std201mt.dll
[2009/11/22 15:47:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\QSwitch.txt
[2009/11/22 15:47:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\DSwitch.txt
[2009/11/22 15:47:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\AtStart.txt
[2009/11/22 15:40:26 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/11/22 15:08:58 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/11/22 15:08:58 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/11/22 15:08:58 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/11/22 15:08:58 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/11/22 15:08:58 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/11/22 15:08:58 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/11/22 14:31:33 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/11/22 13:18:43 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\evil1\Local Settings\Application Data\fusioncache.dat
[2009/11/22 06:55:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2009/04/16 13:24:14 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2009/04/16 13:24:14 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2009/04/16 13:24:14 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2009/04/16 13:24:14 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
[2007/04/30 08:31:14 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\flcdlmsg.dll
[2007/01/31 16:02:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/03/06 10:41:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\AMV_DecDLL.dll
[2006/02/28 06:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/02/27 16:51:36 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2004/09/16 13:26:40 | 000,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1998/05/07 02:10:00 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== LOP Check ==========

[2010/12/27 15:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/11/24 00:26:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/06/22 22:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/04/15 12:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Findley Designs
[2009/11/22 16:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Infineon
[2009/12/13 00:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OfficeRecovery
[2009/11/29 22:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2009/12/30 22:03:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/12/22 16:41:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/25 21:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\4Media Software Studio
[2010/11/15 22:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Azureus
[2010/05/06 11:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\BatteryBar
[2009/12/22 16:38:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\CopyTrans
[2010/03/10 13:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\DataCast
[2010/12/24 13:54:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Dream Aquarium
[2010/01/13 17:00:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\EzySoft
[2010/11/18 01:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\FileZilla
[2010/06/30 14:07:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Fortune Fountain Ltd
[2010/01/15 22:47:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Foxit
[2009/11/22 16:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Infineon
[2010/12/11 15:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Mipony
[2009/12/13 00:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\OfficeRecovery
[2010/12/22 20:52:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Otze
[2009/11/29 23:47:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Radmin
[2009/11/22 15:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\SampleView
[2010/04/23 20:14:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\TeamViewer
[2010/11/06 14:25:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Thinking Minds Budiling Bytes
[2009/11/29 22:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Western Digital
[2010/01/27 23:25:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\WindSolutions
[2010/05/06 11:40:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\WinPatrol
[2010/12/30 12:43:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



< End of report >
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby teknokidd » December 30th, 2010, 6:25 pm

OTL Extras log:

OTL Extras logfile created on: 12/30/2010 3:20:55 PM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\evil1\Desktop
Windows XP Tablet PC Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.42 Gb Total Space | 5.33 Gb Free Space | 4.96% Space Free | Partition Type: NTFS
Drive D: | 107.42 Gb Total Space | 84.50 Gb Free Space | 78.67% Space Free | Partition Type: NTFS
Drive E: | 83.24 Gb Total Space | 66.73 Gb Free Space | 80.17% Space Free | Partition Type: NTFS

Computer Name: EVILLAPTOP | User Name: evil1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1 -- [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1 -- [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1 -- [2010/12/28 15:35:50 | 000,000,000 | ---D | M]
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\Program Files\FlashFXP\flashfxp.exe" = C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\Program Files\TeamViewer\Version5\TeamViewer.exe" = C:\Program Files\TeamViewer\Version5\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\FlashFXP\flashfxp.exe" = C:\Program Files\FlashFXP\flashfxp.exe:*:Enabled:FlashFXP v3 -- (IniCom Networks, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0515803B-5068-4599-8666-963E143C7381}" = HP Smart Card Security for ProtectTools 5.00 D4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{1965C9BB-9114-4A50-AEC7-E62414BB117B}" = EASEUS Data Recovery Wizard Professional 4.3.6
"{1EBEC42C-5E3F-4077-933B-411E33A0C3A4}" = Motorola Driver Installation 4.6.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20C11E32-103F-429F-98A4-DA24486D140F}" = MediaBrowser LE
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{25976E4A-42F1-43B7-854B-301C646E6F2A}_is1" = MyMenu 1.2
"{26B914C5-5565-4C96-A40C-8E0228D6C457}" = WD SmartWare
"{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 J1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = HP Integrated Module with Bluetooth wireless technology
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{42E2EEB2-D48E-4A47-B181-32ECA031D93B}" = DJ_AIO_06_F2400_SW_Min
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{48CF6549-B45D-4313-9927-EFCCC8A3493F}" = TIPCI
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}" = HP Embedded Security for ProtectTools
"{53DA6CFE-7CDE-4F72-9E23-39AAC686DE17}" = iPhone Folders
"{55B52830-024A-443E-AF61-61E1E71AFA1B}" = Device Access Manager for HP ProtectTools
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{68A10D12-0D0F-4212-BDE6-D87FAD32A8FA}" = SmartWebPrinting
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 1.00 A7
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BAA71B6-8F43-4C72-931A-3354ABB0258A}" = F2400
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{75ECB75A-522C-4312-8DE7-597CDA9D96A3}" = HP Mobile Data Protection System
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = LiveUpdate BVRP Software
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1" = iPhone Explorer 0.973
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{861AE636-7123-446C-AB79-D898B9442716}" = PixRecovery
"{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}" = MP3 Player Utilities 4.17
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{922E8525-AC7E-4294-ACAA-43712D4423C0}" = Adobe Flash Player 10 ActiveX
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{97480A25-F284-42B6-A453-7F39E30D6DB0}" = EASEUS Photo Recovery 2.1.1
"{97CDE011-0EE1-424F-A60F-6BBADC337C17}" = ActivClient Mini
"{98FD8BB5-59A9-4163-883C-2997F7BB59D9}" = Microsoft Video Screensaver
"{9B8A821E-1FCE-45D1-8BEC-738F5AAB20D8}" = Radmin Viewer 3.4
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CE7175-080D-49AC-B5A3-E7E3502428F5}" = HP Wireless Assistant
"{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 D1
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom NetXtreme Ethernet Controller
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BE41F3D2-FC73-4C3E-A2C2-5D2B08A5B2D0}" = Credential Manager for HP ProtectTools
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C19BE821-89B1-4A96-AC7C-873810C0CB5F}" = ContentSAFER for Wizmax
"{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}" = iPhoneBrowser
"{C20CE592-B0F8-4D20-BF31-0151CA6331A6}" = EmoDio
"{C3C538E5-524C-4253-AA74-0EEEF34990EA}" = DiscJuggler
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C97DE62E-31E2-4146-AD23-4C6B0C028BCE}" = HP Java Card Security for ProtectTools 1.00 B4
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CDBF8C2D-04B0-4F9B-9AE1-7422F7F0EC94}" = HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DACB19BF-B853-42FA-A686-8F55E065CA10}" = 91 PC Suite for iPhone
"{DBDFA37B-CFC7-4C37-98F8-04CF326CD327}_is1" = FlashFXP v3
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{DCFD26A8-60A5-4C69-A52D-264D0386FDB3}" = Microsoft Xbox 360 Accessories 1.2
"{E5FCCD4A-1619-48AB-AB37-E0A678FD3FF1}" = Motorola Software Update
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}" = mobile PhoneTools
"{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Intel(R) PROSet/Wireless WiFi Software
"{F42051C0-6158-4656-BEF4-C43D5C480DC0}" = AuthenTec Fingerprint Sensor Minimum Install
"{FAF26102-09D7-4C58-AB01-0D59A2E517CA}" = Copy
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"BatteryBar" = BatteryBar (remove only)
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Cole2k Media - Nero Audio Plugin Pack" = Cole2k Media - Nero Audio Plugin Pack
"CopyTrans Suite" = CopyTrans Suite (remove only)
"Dream Aquarium_is1" = Dream Aquarium 1.24
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"Dziobas Rar Player_is1" = Dziobas Rar Player 0.009.50
"Easy Photo Recovery 2.6" = Easy Photo Recovery 2.6
"FileZilla Client" = FileZilla Client 3.3.2.1
"FormatFactory" = FormatFactory 1.85
"Foxit Reader" = Foxit Reader
"Greatis Reanimator_is1" = RegRun Reanimator
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"iMagic Inventory_is1" = iMagic Inventory 1.93
"InCD!UninstallKey" = InCD
"InstallShield_{48CF6549-B45D-4313-9927-EFCCC8A3493F}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Instant Invoice n CashBook 2007_is1" = Instant Invoice n CashBook 2007
"iPod Access for Windows_is1" = iPod Access for Windows v4.4
"JDownloader" = JDownloader
"JPEG Recovery Pro 4.0" = JPEG Recovery Pro 4.0
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.4.4
"Liquid Desktop" = Liquid Desktop 3D Screensaver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MiPony" = MiPony 1.1.2
"mipony-plugin Toolbar" = mipony-plugin Toolbar
"mIRC" = mIRC
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyFreeCodec" = MyFreeCodec
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NeroVision!UninstallKey" = Nero Digital
"NMIX!UninstallKey" = NeroMIX
"PdaNet_is1" = PdaNet for Android 1.12
"ProInst" = Intel PROSet Wireless
"PSP Grader" = PSP Grader v006 - Lite
"RAR Repair Tool_is1" = RAR Repair Tool v.4.0
"RealPlayer 12.0" = RealPlayer
"RealPlayer 6.0" = RealPlayer
"RightClick" = RightClick
"RocketDock_is1" = RocketDock 1.3.5
"Shop for HP Supplies" = Shop for HP Supplies
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Talisman 3" = Talisman 3
"TeamViewer 5" = TeamViewer 5
"WacomPenabled" = Wacom Pen Driver 2.7
"WBFS Manager 3.0" = WBFS Manager 3.0
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinISO_is1" = WinISO 5.3
"WinPatrol" = WinPatrol 2009
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.8
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/26/2010 7:12:43 PM | Computer Name = EVILLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iFrmewrk.exe, version 12.4.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/26/2010 7:19:24 PM | Computer Name = EVILLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module tbmip1.dll, version 5.7.3.1, fault address 0x0014bc46.

Error - 12/26/2010 7:39:44 PM | Computer Name = EVILLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application MotoConnectService.exe, version 0.0.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x0002f3a9.

Error - 12/26/2010 8:30:20 PM | Computer Name = EVILLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application AvastUI.exe, version 5.0.677.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/27/2010 2:55:40 AM | Computer Name = EVILLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application MotoConnectService.exe, version 0.0.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x0002f3a9.

Error - 12/28/2010 7:54:20 PM | Computer Name = EVILLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application MotoConnectService.exe, version 0.0.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x0002f3a9.

Error - 12/29/2010 12:00:16 PM | Computer Name = EVILLAPTOP | Source = ESENT | ID = 485
Description = wuauclt (5152) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log"
failed with system error 32 (0x00000020): "The process cannot access the file because
it is being used by another process. ". The delete file operation will fail with
error -1032 (0xfffffbf8).

Error - 12/29/2010 3:00:40 PM | Computer Name = EVILLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3989, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/30/2010 1:56:10 AM | Computer Name = EVILLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application flashfxp.exe, version 3.3.1.1089, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/30/2010 1:56:11 AM | Computer Name = EVILLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application flashfxp.exe, version 3.3.1.1089, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/30/2010 2:02:27 PM | Computer Name = EVILLAPTOP | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 12/30/2010 2:02:27 PM | Computer Name = EVILLAPTOP | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 12/30/2010 2:02:27 PM | Computer Name = EVILLAPTOP | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Western Digital\WD
SmartWare\WD Drive Manager\MFC80U.DLL. Reference error message: The operation completed
successfully. .

Error - 12/30/2010 2:02:30 PM | Computer Name = EVILLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/30/2010 2:02:30 PM | Computer Name = EVILLAPTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/30/2010 2:02:30 PM | Computer Name = EVILLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%31

Error - 12/30/2010 2:05:56 PM | Computer Name = EVILLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 12/30/2010 2:05:57 PM | Computer Name = EVILLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 12/30/2010 2:05:57 PM | Computer Name = EVILLAPTOP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 12/30/2010 2:10:17 PM | Computer Name = EVILLAPTOP | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.8 for the Network Card with network
address 00130250831E has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >
teknokidd
Active Member
 
Posts: 12
Joined: December 27th, 2010, 10:21 pm

Re: Help! with hxxp://flyingincognitosleep.com/cgi-bin/h.pl

Unread postby askey127 » December 31st, 2010, 10:19 am

teknokidd,
Your C: drive does not have enough free space. (Right click C: drive in My Computer, choose Properties).
You need 15% free space for XP to run properly, or more actually, to eventually install Service pack 3.
You should have a look at the drive and see what can be moved to another drive, or DVDs.
Photos and Videos use a lot of space and are good candidates.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

ActivClient Mini


Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    Code: Select all
    :processes
    killallprocesses
    
    :OTL
    FF - prefs.js..browser.startup.homepage: "http://flyingincognitosleep.com/cgi-bin/h.pl"
    FF - user.js..browser.startup.homepage: "http://flyingincognitosleep.com/cgi-bin/h.pl"
    FF - prefs.js..extensions.enabledItems: {7C9AE782-DB21-4e40-81FB-AD8A53A6233A}:1.83
    FF - prefs.js..network.proxy.http_port: 8081
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O20 - Winlogon\Notify\ackpbsc: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll (ActivIdentity)
    O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll (ActivIdentity)
    [2009/11/24 00:26:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
    [2010/11/15 22:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\evil1\Application Data\Azureus
    
    :Commands
    [EMPTYTEMP]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware