forums Computer Tutorials Computer Help and Spyware Removal File DatabaseUninstall Database Windows Startup Programs Database Computer Resources Computer Glossary Forums Computer Help and Spyware Removal
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
STOPzilla Anti-Spyware

> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

 
Closed TopicStart new topic
> Ie Hijacked And Need Personal Review, HJT log included
gialde
post May 13 2008, 01:03 AM
Post #1


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
[size="3"][/size]I accidentally clicked yes on a site pop-up install and knew immediately I had jacked up. I'm now working to remove and am almost sure this is the same situation as others on this topic. I just need a personal look from an expert to tell me what my next move is. Please help. Thanks in advance.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:05 AM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ril456.baseball.sportsline.com/scoring/live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6e93477e-906f-4bec-8edc-73fb1f2045b7} - C:\WINDOWS\system32\cbXRIcYO.dll (file missing)
O2 - BHO: (no name) - {88ebbe0b-5ff8-4b84-b043-71a216374a5b} - C:\WINDOWS\system32\opnnmJde.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKLM\..\Run: [bcc91538] rundll32.exe "C:\WINDOWS\system32\enihdbpv.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6261] command /c del "C:\WINDOWS\SYSTEM32\cbXRIcYO.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9944] cmd /c del "C:\WINDOWS\SYSTEM32\cbXRIcYO.dll_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\RunOnce: [SpybotDeletingB1286] command /c del "C:\WINDOWS\SYSTEM32\cbXRIcYO.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1779] cmd /c del "C:\WINDOWS\SYSTEM32\cbXRIcYO.dll_old"
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updater.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Swarmcast for MLB_07.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: swarmcast.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.nasb.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: opnnmJde - C:\WINDOWS\SYSTEM32\opnnmJde.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - http://home.tiscali.nl/annejan/swf/timeline.swf

--
End of file - 9995 bytes
Go to the top of the page
 
+Quote Post
gialde
post May 14 2008, 12:30 AM
Post #2


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
I'm wondering if I've posted incorrectly. Have any moderators/BC administrators seen this post? Please help.
Go to the top of the page
 
+Quote Post
lusitano
post May 14 2008, 10:36 AM
Post #3


Portuguese Malware Fighter
******

Group: HJT Team
Posts: 1,192
Joined: 5-April 07
From: Portugal
Member No.: 122,277
Hi,

Please ComboFix from the links above and follow all instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. "If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"
  2. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  3. Double click combofix.exe and follow the prompts.
  4. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
  5. Be sure to re-enable your anti-virus and other security programs, after ComboFix finished.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards


--------------------

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Go to the top of the page
 
+Quote Post
gialde
post May 15 2008, 09:55 AM
Post #4


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
When I go to install recovery console it asks (in a DOS window) which floppy drive by letter. I want the desktop so what do I do? It does not allow me to browse or list a location manually...it just wants a letter as it thinks I'm putting it on floppy disks. What have I done wrong here? I have svc pack 2.
Go to the top of the page
 
+Quote Post
gialde
post May 15 2008, 10:06 AM
Post #5


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
Never mind...I don't know why I was double-clicking the install. I dragged it onto combofix and it's running now...no worries. I'm logging on to this site through my laptop while it runs on my desktop.
Go to the top of the page
 
+Quote Post
gialde
post May 15 2008, 10:34 AM
Post #6


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
ComboFix 08-05-12.1 - Anthony 2008-05-15 10:02:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.611 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anthony\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\EeegPXbc.ini
C:\WINDOWS\SYSTEM32\EeegPXbc.ini2
C:\WINDOWS\SYSTEM32\eqbwbnbi.ini
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\kqsrqtbh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ojqeqjbg.ini
C:\WINDOWS\system32\owbybtrp.ini
C:\WINDOWS\system32\OYcIRXbc.ini
C:\WINDOWS\SYSTEM32\OYcIRXbc.ini2
C:\WINDOWS\system32\vpbdhine.ini
C:\WINDOWS\SYSTEM32\WEfLVvut.ini
C:\WINDOWS\SYSTEM32\WEfLVvut.ini2
C:\WINDOWS\system32\wzghui.sys

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
hxxp://mlb.mlb.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent
-------\Service_wzghui


((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 09:29 . 2008-05-15 09:29 <DIR> d-------- C:\Documents and Settings\Anthony\.onion
2008-05-15 00:14 . 2008-05-15 00:15 90,304 --a------ C:\WINDOWS\SYSTEM32\ibnbwbqe.dll
2008-05-14 00:11 . 2008-05-14 00:11 318,080 --a------ C:\WINDOWS\SYSTEM32\tuvVLfEW.dll
2008-05-13 00:55 . 2008-05-13 00:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 14:32 . 2008-05-12 14:32 91,264 --------- C:\WINDOWS\SYSTEM32\enihdbpv.dll
2008-05-12 02:24 . 2008-05-12 02:24 4,096 --a------ C:\syowpheg.exe
2008-05-12 02:24 . 2008-05-12 02:25 2 --a------ C:\-1127672425
2008-05-12 02:24 . 2008-05-12 02:24 1 --a------ C:\WINDOWS\SYSTEM32\kr_done1de
2008-05-12 02:23 . 2008-05-12 02:23 269,334 --a------ C:\WINDOWS\SYSTEM32\ctfmonb.bmp
2008-05-12 02:23 . 2008-05-12 02:23 160,256 --a------ C:\WINDOWS\SYSTEM32\blackster.scr
2008-05-11 22:34 . 2008-05-11 22:34 <DIR> d-------- C:\Program Files\Micro Innovations
2008-05-11 22:34 . 2008-05-11 22:34 110 --a------ C:\WINDOWS\KEMailKb.UNI
2008-05-11 22:34 . 2008-05-11 22:34 0 --a------ C:\WINDOWS\SelSet.INI
2008-05-11 22:32 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2008-05-11 22:32 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidserv.dll
2008-05-11 22:32 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2008-05-11 22:32 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2008-05-11 22:15 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-05-11 22:15 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 15:20 --------- d-----w C:\Program Files\BAMMediaPlayer
2008-05-15 15:19 --------- d-----w C:\Program Files\Swarmcast
2008-05-15 13:00 --------- d-----w C:\Documents and Settings\Anthony\Application Data\AVG7
2008-05-13 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 04:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-04 02:31 --------- d-----w C:\Program Files\Bodog Poker
2008-04-04 02:29 --------- d-----w C:\Program Files\ESPN Draft Analyzer
2008-03-30 05:47 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-03-29 05:12 --------- d-----w C:\Documents and Settings\Anthony\Application Data\MP3Rocket
2008-03-21 14:10 --------- d-----w C:\Program Files\Java
2008-03-19 11:51 --------- d-----w C:\Documents and Settings\Anthony\Application Data\ICAClient
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 08:50 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-03-17 07:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-03-17 07:34 --------- d-----w C:\Program Files\Ahead
2008-03-17 07:32 --------- d-----w C:\Program Files\Real
2008-03-17 07:31 --------- d-----w C:\Program Files\palmOne
2008-03-17 07:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2007-10-05 19:19 22,128 ----a-w C:\Documents and Settings\Anthony\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{359b2a7c-f178-431c-b26e-28888d154e77}]
C:\WINDOWS\system32\cbXPgeeE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36c971b5-3262-4745-854c-5e0d7863e7d2}]
2008-05-14 00:11 318080 --a------ C:\WINDOWS\system32\tuvVLfEW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e93477e-906f-4bec-8edc-73fb1f2045b7}]
C:\WINDOWS\system32\cbXRIcYO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88ebbe0b-5ff8-4b84-b043-71a216374a5b}]
C:\WINDOWS\system32\opnnmJde.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 00:23 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 12:33 579584]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 03:27 401408]
"KPDrv4XP"="C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 06:15 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 16:10 219136]

C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\
BAMMediaPlayerUpdater.lnk - C:\Program Files\BAMMediaPlayer\updater.exe [2006-03-16 19:19:34 159744]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-06-08 02:10:08 344064]
swarmcast.lnk - C:\Program Files\Swarmcast\swarmcast.exe [2007-04-04 23:45:48 14415800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-08-25 21:18:04 24576]
Swarmcast for MLB_07.lnk - C:\Program Files\Swarmcast\SwarmcastLauncher.exe [2007-04-04 23:45:48 895416]
swarmcast.lnk - C:\Program Files\Swarmcast\SwarmcastLauncher.exe [2007-04-04 23:45:48 895416]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 14:29:20 54512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88EBBE0B-5FF8-4B84-B043-71A216374A5B}"= C:\WINDOWS\system32\opnnmJde.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmJde]
opnnmJde.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"VIDC.I263"= i263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\024h Lucky Reminder]
C:\Program Files\024h Lucky Reminder\LuckyReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-06-15 23:17 69705 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
--a------ 2004-06-15 23:22 106571 C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-04-16 07:43 196608 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-09-15 22:00 270336 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series]
--a------ 2003-09-03 21:33 106496 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk]
--a------ 2003-06-13 09:57 294912 C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
--a------ 2005-12-13 10:51 1951976 C:\Program Files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
C:\Program Files\SpyFalcon\SpyFalcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Swapper]
C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"ewido security suite control"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"x10nets"=3 (0x3)
"SymWSC"=2 (0x2)
"MDM"=2 (0x2)
"InstallShield Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\rundll32.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Swarmcast\\swarmcast.exe"=
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"C:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\javaw.exe"=
"C:\\Program Files\\Phantom EFX\\OnlineCasino\\Bin\\Prelauncher.exe"=
"C:\\Program Files\\Phantom EFX\\OnlineCasino\\Launcher\\OLCLauncher.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"C:\\Program Files\\Atari\\Civilization III\\Civ3PTW\\Civilization3X.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

R2 HIDKbFlt;HIDKbFlt.SvcDesc%;C:\WINDOWS\system32\DRIVERS\HIDKbFlt.sys [2005-07-25 05:13]
S3 cusbohcn;cusbohcn;C:\DOCUME~1\Anthony\LOCALS~1\Temp\cusbohcn.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\CitrixICA.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 15:03:48 C:\WINDOWS\Tasks\User_Feed_Synchronization-{13FA0432-3362-46AA-918B-250B77F380F0}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 10:16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\WINDOWS\SYSTEM32\snmp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
.
**************************************************************************
.
Completion time: 2008-05-15 10:32:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 15:31:52

Pre-Run: 7,770,488,832 bytes free
Post-Run: 10,088,824,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

268 --- E O F --- 2008-04-12 17:33:07


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:26 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Swarmcast\swarmcast.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ril456.baseball.sportsline.com/scoring/live
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://local.swarmcast.net:8001/proxy.pac
O2 - BHO: (no name) - {359b2a7c-f178-431c-b26e-28888d154e77} - C:\WINDOWS\system32\cbXPgeeE.dll (file missing)
O2 - BHO: (no name) - {36c971b5-3262-4745-854c-5e0d7863e7d2} - C:\WINDOWS\system32\tuvVLfEW.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6e93477e-906f-4bec-8edc-73fb1f2045b7} - C:\WINDOWS\system32\cbXRIcYO.dll (file missing)
O2 - BHO: (no name) - {88ebbe0b-5ff8-4b84-b043-71a216374a5b} - C:\WINDOWS\system32\opnnmJde.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: BAMMediaPlayerUpdater.lnk = C:\Program Files\BAMMediaPlayer\updater.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: swarmcast.lnk = C:\Program Files\Swarmcast\swarmcast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Swarmcast for MLB_07.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: swarmcast.lnk = C:\Program Files\Swarmcast\SwarmcastLauncher.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: www.nasb.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: opnnmJde - opnnmJde.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - http://home.tiscali.nl/annejan/swf/timeline.swf

--
End of file - 9950 bytes
Go to the top of the page
 
+Quote Post
lusitano
post May 15 2008, 12:04 PM
Post #7


Portuguese Malware Fighter
******

Group: HJT Team
Posts: 1,192
Joined: 5-April 07
From: Portugal
Member No.: 122,277
Hello,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.If you are unsure of how to use Add or Remove Programs, the please see this tutorial:
How To Remove An Installed Program From Your Computer


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
CODE
File::
C:\WINDOWS\SYSTEM32\ibnbwbqe.dll
C:\WINDOWS\SYSTEM32\tuvVLfEW.dll
C:\WINDOWS\SYSTEM32\enihdbpv.dll
C:\syowpheg.exe
C:\WINDOWS\SYSTEM32\ctfmonb.bmp
C:\WINDOWS\SYSTEM32\blackster.scr
C:\WINDOWS\system32\cbXPgeeE.dll
C:\WINDOWS\system32\cbXRIcYO.dll
C:\WINDOWS\system32\opnnmJde.dll
C:\WINDOWS\system32\jfiehayd.dll
Folder::
C:\-1127672425
C:\WINDOWS\SYSTEM32\kr_done1de
C:\Program Files\SpyFalcon
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{359b2a7c-f178-431c-b26e-28888d154e77}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36c971b5-3262-4745-854c-5e0d7863e7d2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e93477e-906f-4bec-8edc-73fb1f2045b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88ebbe0b-5ff8-4b84-b043-71a216374a5b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88EBBE0B-5FF8-4B84-B043-71A216374A5B}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnmJde]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall



--------------------

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
Go to the top of the page
 
+Quote Post
gialde
post May 15 2008, 10:30 PM
Post #8


Member
**

Group: Members
Posts: 30
Joined: 19-December 05
Member No.: 45,392
ComboFix 08-05-12.1 - Anthony 2008-05-15 21:57:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.634 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anthony\Desktop\CFScript.txt.txt
* Created a new restore point

FILE ::
C:\syowpheg.exe
C:\WINDOWS\SYSTEM32\blackster.scr
C:\WINDOWS\system32\cbXPgeeE.dll
C:\WINDOWS\system32\cbXRIcYO.dll
C:\WINDOWS\SYSTEM32\ctfmonb.bmp
C:\WINDOWS\SYSTEM32\enihdbpv.dll
C:\WINDOWS\SYSTEM32\ibnbwbqe.dll
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\opnnmJde.dll
C:\WINDOWS\SYSTEM32\tuvVLfEW.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1127672425\
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\syowpheg.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\blackster.scr
C:\WINDOWS\SYSTEM32\ctfmonb.bmp
C:\WINDOWS\SYSTEM32\enihdbpv.dll
C:\WINDOWS\SYSTEM32\ibnbwbqe.dll
C:\WINDOWS\SYSTEM32\kr_done1de\
C:\WINDOWS\SYSTEM32\tuvVLfEW.dll
C:\WINDOWS\SYSTEM32\WEfLVvut.ini
C:\WINDOWS\SYSTEM32\WEfLVvut.ini2
C:\WINDOWS\SYSTEM32\ybryujxu.ini

----- BITS: Possible infected sites -----

hxxp://mlb.mlb.com
hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-15 21:39 . 2008-05-15 21:39 <DIR> d-------- C:\Documents and Settings\Anthony\.onion
2008-05-15 21:26 . 2008-05-15 21:27 <DIR> d-------- C:\Program Files\roguescanfix
2008-05-15 21:04 . 2008-05-15 21:04 91,328 --a------ C:\WINDOWS\SYSTEM32\uxjuyrby.dll
2008-05-13 00:55 . 2008-05-13 00:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 02:24 . 2008-05-12 02:25 2 --a------ C:\-1127672425
2008-05-12 02:24 . 2008-05-12 02:24 1 --a------ C:\WINDOWS\SYSTEM32\kr_done1de
2008-05-11 22:34 . 2008-05-11 22:34 <DIR> d-------- C:\Program Files\Micro Innovations
2008-05-11 22:34 . 2008-05-11 22:34 110 --a------ C:\WINDOWS\KEMailKb.UNI
2008-05-11 22:34 . 2008-05-11 22:34 0 --a------ C:\WINDOWS\SelSet.INI
2008-05-11 22:32 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\SYSTEM32\hidserv.dll
2008-05-11 22:32 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidserv.dll
2008-05-11 22:32 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2008-05-11 22:32 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2008-05-11 22:15 . 2004-08-04 01:56 159,232 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2008-05-11 22:15 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 02:38 --------- d-----w C:\Program Files\Swarmcast
2008-05-16 02:37 --------- d-----w C:\Program Files\BAMMediaPlayer
2008-05-16 02:37 --------- d-----w C:\Documents and Settings\Anthony\Application Data\AVG7
2008-05-13 05:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 04:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-04 02:31 --------- d-----w C:\Program Files\Bodog Poker
2008-04-04 02:29 --------- d-----w C:\Program Files\ESPN Draft Analyzer
2008-03-30 05:47 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-03-29 05:12 --------- d-----w C:\Documents and Settings\Anthony\Application Data\MP3Rocket
2008-03-21 14:10 --------- d-----w C:\Program Files\Java
2008-03-19 11:51 --------- d-----w C:\Documents and Settings\Anthony\Application Data\ICAClient
2008-03-17 07:35 --------- d-----w C:\Program Files\Full Tilt Poker
2008-03-17 07:34 --------- d-----w C:\Program Files\Ahead
2008-03-17 07:32 --------- d-----w C:\Program Files\Real
2008-03-17 07:31 --------- d-----w C:\Program Files\palmOne
2008-03-17 07:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 19:19 22,128 ----a-w C:\Documents and Settings\Anthony\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_10.31.33.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 15:14:24 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-16 03:06:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-16 03:07:26 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 21:05 323584]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 00:23 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 12:33 579584]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 03:27 401408]
"KPDrv4XP"="C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 06:15 40960]
"bcc91538"="C:\WINDOWS\system32\uxjuyrby.dll" [2008-05-15 21:04 91328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 16:10 219136]

C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\
BAMMediaPlayerUpdater.lnk - C:\Program Files\BAMMediaPlayer\updater.exe [2006-03-16 19:19:34 159744]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-06-08 02:10:08 344064]
swarmcast.lnk - C:\Program Files\Swarmcast\swarmcast.exe [2007-04-04 23:45:48 14415800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-08-25 21:18:04 24576]
Swarmcast for MLB_07.lnk - C:\Program Files\Swarmcast\SwarmcastLauncher.exe [2007-04-04 23:45:48 895416]
swarmcast.lnk - C:\Program Files\Swarmcast\SwarmcastLauncher.exe [2007-04-04 23:45:48 895416]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 14:29:20 54512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"VIDC.I263"= i263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Anthony\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\024h Lucky Reminder]
C:\Program Files\024h Lucky Reminder\LuckyReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 12:28 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2004-06-15 23:17 69705 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
--a------ 2004-06-15 23:22 106571 C:\Program Files\ATI Multimedia\main\launchpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a------ 2004-04-16 07:43 196608 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-09-15 22:00 270336 C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series]
--a------ 2003-09-03 21:33 106496 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk]
--a------ 2003-06-13 09:57 294912 C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
--a------ 2005-12-13 10:51 1951976 C:\Program Files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Swapper]
C:\Program Files\Revolutionary Stuff\Swapper.NET\Swapper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"ewido security suite control"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"x10nets"=3 (0x3)
"SymWSC"=2 (0x2)
"MDM"=2 (0x2)
"InstallShield Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\run