Out Of Control Popups...please Help

27 replies to this topic

#1 geoffre (Members, 26 posts)

Posted 28 July 2007 - 09:24 AM

OK, so at least for a little while my computer was relatively spyware free.
Now I can hardly navigate IE without a trillion popups every mouse click.
To add to the problem, my computer is now completely unprotected. When using
an older version of ZoneAlarm it worked great; with the upgrade, however,
everything just slowed to a crawl and it became much more of a hassle.
Regardless, everything still came through. I'm very frustrated right now.
Any help would be greatly appreciated.


Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:58 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svhost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\G30FF\MYDOCU~1\ASKS~1\csrss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\G30FF\My Documents\??mbols\??erinit.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\moexyasw.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Abpkhn] "C:\Documents and Settings\G30FF\My Documents\??mbols\??erinit.exe"
O4 - HKCU\..\Run: [Bruo] "C:\DOCUME~1\G30FF\MYDOCU~1\ASKS~1\csrss.exe" -vt ndrv
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...nt/muweb_site.cab?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

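As an added example (not part of this thread, and not code from HijackThis or BleepingComputer), here is a small Python triage script for the kind of log posted above. It parses the O4 (Run key) and O23 (service) lines and flags the things a malware-removal helper checks first: a service whose binary is missing, an executable started from a user profile or temp folder, a path with characters the log could not render, a file that carries a core Windows process name but runs from the wrong folder or is one character off from one (svhost.exe next to the real svchost.exe), and a module loaded through rundll32.exe. The sample lines are copied from the log in post #1; the process-name table and the heuristics are this example's own assumptions, not HijackThis rules.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\moexyasw.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Abpkhn] "C:\Documents and Settings\G30FF\My Documents\??mbols\??erinit.exe"
O4 - HKCU\..\Run: [Bruo] "C:\DOCUME~1\G30FF\MYDOCU~1\ASKS~1\csrss.exe" -vt ndrv
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Core Windows process names and where each normally lives on XP
# (this example's assumption, not a HijackThis rule).
SYSTEM_PROCESSES = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PROFILE_MARKERS = ("documents and settings", "docume~1", "\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")

@dataclass
class Entry:
    kind: str          # "run" or "service"
    name: str
    image: str         # the file that is really executed or loaded
    raw: str
    via_rundll32: bool = False
    reasons: list = field(default_factory=list)

def first_path(text):
    # First path in a command line: the quoted string, or the first bare token.
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return text[1:end] if end > 0 else text[1:]
    return text.split()[0].split(",")[0] if text else ""

def extract_image(cmd):
    # For rundll32 commands the module it loads is what matters, not rundll32.
    first = first_path(cmd)
    if first.lower() in ("rundll32.exe", "rundll32"):
        parts = cmd.strip().split(None, 1)
        return first_path(parts[1]) if len(parts) > 1 else first
    return first

def edit_distance(a, b):
    # Plain Levenshtein distance, used to catch look-alikes such as svhost.exe.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(entry):
    low = entry.image.lower()
    base, folder = ntpath.basename(low), ntpath.dirname(low)
    if "(file missing)" in entry.raw.lower():
        entry.reasons.append("referenced file is missing")
    if "?" in entry.image or not entry.image.isprintable():
        entry.reasons.append("path contains characters the log could not render")
    if any(marker in low for marker in PROFILE_MARKERS):
        entry.reasons.append("runs from a user profile or temp folder")
    if base in SYSTEM_PROCESSES:
        if folder != SYSTEM_PROCESSES[base]:
            entry.reasons.append(f"{base} is a system process name but runs from {folder}")
    elif any(edit_distance(base, known) == 1 for known in SYSTEM_PROCESSES):
        entry.reasons.append(f"{base} is one character away from a system process name")
    if entry.via_rundll32:
        entry.reasons.append("module loaded through rundll32.exe; check its publisher")
    return entry

def parse(log_text):
    entries = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            cmd = m.group("cmd")
            entries.append(Entry("run", m.group("name"), extract_image(cmd), line,
                                 via_rundll32=first_path(cmd).lower().startswith("rundll32")))
        elif m := O23_RE.match(line):
            entries.append(Entry("service", m.group("name"), extract_image(m.group("cmd")), line))
    return entries

def suspicious(log_text):
    # Entries with at least one reason to look closer, in log order.
    return [e for e in map(assess, parse(log_text)) if e.reasons]

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"[{e.kind}] {e.name}: {e.image}")
        for reason in e.reasons:
            print("    -", reason)
```

Run as-is it prints the five entries from the sample that deserve a closer look (svhost, MemoryManager, Abpkhn, Bruo, DomainService) with the reason for each, and stays silent on DellTouch, ctfmon.exe and NVSvc. The flags are pointers for a human, not verdicts: an unquoted path with spaces is only parsed up to the first space, and a legitimate rundll32 entry will be listed too, which is why the reason says to check the module rather than to remove it.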

#2 __RiP_ChAiN_ (Members, 1,592 posts; Omaha, Nebraska U.S.A)

Posted 28 July 2007 - 12:27 PM

Hello geoffre,

Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).
Click Save, then copy and paste the results in your next post.
More information, with a screenshot, can be found here.

Please download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 geoffre (Topic Starter; Members, 26 posts)

Posted 03 August 2007 - 03:35 PM

I'm sorry it took so long to reply.
Just to add a note: I didn't have the most recent HJT version, and as I was going to search for it in Google I realized that I now have a new issue. Every time I enter anything at websites such as Google, Wikipedia, etc. and press 'Enter' or click 'Search', Internet Explorer immediately closes out, for reasons I don't know. Anyway, because of this I went into Safe Mode and did a full AVG and Spybot scan, which found lots of junk but alas did not fix the problem; it just made some of the popups less prevalent. Anyway, here are the new logs you requested. I apologize again for the delay.



HJT uninstall_list.txt:

Adobe Acrobat 5.0
Adobe ActiveShare 1.5
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Premiere Pro 1.5
Adobe SVG Viewer 3.0
AIM 6
AVG Anti-Spyware 7.5
AVI Splitter
Azureus
Blaze Media Pro
CleanUp!
Codec Pack - All In 1 6.0.2.8
Comcast High-Speed Internet Install Wizard
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell AIO Printer A940
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
DivX 5.0.2 Pro Bundle
DivX Codec
DivX Content Uploader
DivX Web Player
DVD Decrypter (Remove Only)
ESPN RunTime
e-Sword
Final Draft 7
FLV Player 1.3.3
Focus Magic
Grand Theft Auto 3 ( GTA )
Guitar Chords Laboratory 1.53
Gunbound Revolution
Half-Life
Half-Life Primary Server 4.1.1.1
Half-Life: Blue Shift
Half-Life: Opposing Force
HiDownload
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
ICQ 5.1
ImgBurn (Remove Only)
InterActual Player
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK Standard Edition v1.3.0_02
Java 2 SDK, SE v1.4.2_01
Kazaa Media Desktop 2.0.2
Korean Language Support
LimeWire 4.12.11
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash MX
MGI PhotoSuite 8.1 (Remove Only)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Global IME for Office XP (Korean)
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Picture It! Photo 2002
Microsoft PowerPoint Viewer 97
Microsoft Streets and Trips 2002
Microsoft Talkit! Plus
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Keyboard
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser and SDK
mIRC
Modem Helper
MSN Toolbar
MSXML 4.0 SP2 Parser and SDK
MySpaceIM
Nero 6 Ultra Edition
Nic's XviD Decoder
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OIN
Outerinfo
PeerGuardian 2.0
PhoneTools
PICVideo Codecs
PowerDVD
PRO200WL
QuickTime
RealPlayer
RegRun Security Suite Pro
Rhapsody
Rhapsody Player Engine
Santa Cruz
Secure Delivery
Shockwave
Shockwave Player
Sierra Utilities
SiSoftware Sandra Professional 2003 (Jagged Online Edition)
Skype 3.1
Skype Plugin Manager
Snood for Windows version 3.01-W
Soldier of Fortune II - Double Helix MP TEST
Sonic Foundry ACID Style - Techno 3.0a
Sony USB Driver
Spybot - Search & Destroy 1.4
Starcraft
Steam
Storm Codec
SysInfo 2.7
Update for Windows XP (KB898461)
URL Snooper v2.06.05
VCDVaultScript2.12_6.03
VCDVaultScriptp Installer
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Web Buying
Winamp (remove only)
WinAntiSpyware 2007 4.0.193.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Service Pack 2
WinPcap 3.1
WinRAR archiver
Xfire (remove only)
Yahoo! Messenger



COMBOFIX.TXT:


"G30FF" - 07-08-03 16:10:06 Service Pack 2 [SAFE MODE]
ComboFix 07-05.01.V - Running from: "C:\Documents and Settings\G30FF\Desktop\Tools\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\bbadd.bak2
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bbadd.ini2
C:\WINDOWS\system32\ddabb.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\web buying\v1.7.4\wbuninst.exe
C:\Program Files\web buying\v1.7.4\webbuying.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Program Files\outerinfo
C:\Program Files\web buying
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\G30FF
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\G30FF\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1\STEM~1
C:\qoobox\purity\C\DOCUME~1\G30FF\MYDOCU~1\ASKS~1
C:\qoobox\purity\C\DOCUME~1\G30FF\MYDOCU~1\MBOLS~1
C:\qoobox\purity\C\DOCUME~1\G30FF\MYDOCU~1\ASKS~1\?asks
C:\qoobox\purity\C\DOCUME~1\G30FF\MYDOCU~1\MBOLS~1\??erinit.exe
C:\qoobox\purity\C\Program Files\YMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1\s?mbols


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-07-03 to 2007-08-03 ))))))))))))))))))))))))))))))))))


2007-08-02 18:04 121,364 --a------ C:\WINDOWS\SYSTEM32\umrncaeo.dll
2007-08-02 18:01 125,460 --a------ C:\WINDOWS\SYSTEM32\reaqcbsx.dll
2007-08-02 17:58 66,068 --a------ C:\WINDOWS\SYSTEM32\raqbamio.exe
2007-08-02 17:56 60,928 --a------ C:\WINDOWS\SYSTEM32\tvhxj.dll
2007-08-02 17:55 66,068 --a------ C:\WINDOWS\SYSTEM32\liobpqos.exe
2007-07-29 11:18 125,972 --a------ C:\WINDOWS\SYSTEM32\udfobijw.dll
2007-07-29 11:17 66,068 --a------ C:\WINDOWS\SYSTEM32\hgxrajuj.exe
2007-07-29 11:17 66,068 --a------ C:\WINDOWS\SYSTEM32\dclmeuxr.exe
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\driver
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B5
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B4
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B3
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B2
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B1
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\b02FdUe
2007-07-28 18:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\B0
2007-07-28 18:45 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Skype
2007-07-28 02:47 69,140 --a------ C:\WINDOWS\SYSTEM32\bintknjw.dll
2007-07-28 02:41 66,068 --a------ C:\WINDOWS\SYSTEM32\rexialig.exe
2007-07-13 00:15 66,580 --a------ C:\WINDOWS\SYSTEM32\spdwhrel.dll
2007-07-13 00:14 124,436 --a------ C:\WINDOWS\SYSTEM32\ynrtnvkf.dll
2007-07-13 00:13 66,068 --a------ C:\WINDOWS\SYSTEM32\vajmdsbn.exe
2007-07-12 05:55 172,032 --a------ C:\WINDOWS\SYSTEM32\xnmgrdn.dll
2007-07-12 05:54 26,171 --a------ C:\WINDOWS\SYSTEM32\nnnnonn.dll
2007-07-11 16:40 66,580 --a------ C:\WINDOWS\SYSTEM32\hbpkxqwj.dll
2007-07-11 16:40 124,436 --------- C:\WINDOWS\SYSTEM32\stdhcntv.dll
2007-07-11 16:39 66,068 --a------ C:\WINDOWS\SYSTEM32\mmlskxqb.exe
2007-07-11 16:39 66,068 --a------ C:\WINDOWS\SYSTEM32\kmvqtfxp.exe
2007-07-11 10:14 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace
2007-07-10 11:33 66,068 --a------ C:\WINDOWS\SYSTEM32\bffaidqp.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-08-03 16:35:08 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Azureus
2007-08-02 23:29:11 -------- d-----w C:\Program Files\svhost
2007-07-03 18:39:34 -------- d-----w C:\Program Files\WinPop
2007-07-03 17:55:11 -------- d-----w C:\Program Files\poolsv
2007-07-03 16:47:08 512 ----a-w C:\ScanSectorLog.dat
2007-07-03 05:54:07 -------- d-----w C:\Program Files\WinAntiSpyware 2007
2007-07-02 20:03:22 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
2007-06-28 15:24:44 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\WinAntiSpyware 2007
2007-06-27 19:51:17 -------- d-----w C:\Program Files\Common Files\WinAntiSpyware 2007
2007-06-27 14:08:54 918 ----a-w C:\WINDOWS\system32\winpfz32.sys
2007-06-27 14:07:47 79,872 ----a-w C:\WINDOWS\system32\drivers\FOPN.sys
2007-06-26 21:16:54 -------- d-----w C:\Program Files\DivX
2007-06-13 16:38:48 -------- d-----w C:\Program Files\AIM6
2007-06-08 16:16:27 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\MySpace
2007-06-06 18:36:28 6,144 ----a-w C:\WINDOWS\system32\stera.exe
2007-06-06 18:36:28 18,432 ----a-w C:\WINDOWS\system32\drivers\ApiMon.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{4DDCACED-3451-6FD9-2971-4FB67838F3C9}"="C:\WINDOWS\system32\tvhxj.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{79AB4FA1-E651-4E71-8070-0C00C00D4363}"="C:\Program Files\Common Files\ryxyf83122.dll" [x]
"{7affc5dc-293d-4b0c-a5b7-d304f0d3dad7}"="C:\WINDOWS\system32\xnmgrdn.dll"
"{85589B5D-D53D-4237-A677-46B82EA275F3}"="C:\WINDOWS\xmlhelper2.dll" [x]
"{868865EC-0295-4C7D-B25D-9F65314145E9}"="C:\WINDOWS\system32\xxyyxya.dll" [x]
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
"{B0D40A14-DF0D-418C-97C0-46BEF71B2C68}"="C:\WINDOWS\system32\umrncaeo.dll"
"{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}"="C:\WINDOWS\system32\bintknjw.dll"
"{FD751AF8-2DEA-4B77-83AE-A722AFA1E882}"="C:\WINDOWS\system32\ddabb.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"svhost"="\"C:\\WINDOWS\\svhost.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Abpkhn"="\"C:\\Documents and Settings\\G30FF\\My Documents\\??mbols\\??erinit.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"
"{868865EC-0295-4C7D-B25D-9F65314145E9}"="C:\WINDOWS\system32\xxyyxya.dll" [x]
"{4567AB12-B980-44A5-B259-9B09EBEA6331}"="C:\Program Files\WinAntiSpyware 2007\shellext.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddabb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyxya

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winyu.exe"="C:\\WINDOWS\\winyu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DownloadAccelerator"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"win32hlp"="C:\\WINDOWS\\System32\\win32hlp.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"ptrun32"="C:\\WINDOWS\\System32\\ptrun32\\ptrun32.exe -startup"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"windows auto update"="msblast.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"stcloader"="C:\\WINDOWS\\System32\\stcloader.exe"
"slmss"="C:\\Program Files\\Common Files\\slmss\\slmss.exe"
"Rundll32_7"="rundll32.exe C:\\WINDOWS\\System32\\msiefr40.dll,DllRunServer"
"PAV.EXE"="C:\\WINDOWS"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"Mwsvm"="C:\\WINDOWS\\mwsvm.exe"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"DGNTAHNUE"="C:\\WINDOWS\\DGNTAHNUE.exe"
"iefeatures"="C:\\WINDOWS\\System32\\iefeatures.exe"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"ClrSchLoader"="C:\\Program Files\\ClearSearch\\Loader.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AIMWDInstallFilename"="C:\\PROGRA~1\\AIM\\AIMWDI~1.EXE"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AcBtnMgr_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AcBtnMgr_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\AcBtnMgr_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACBTNM~1.EXE "
"item"="AcBtnMgr_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACMonitor_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ACMonitor_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\ACMonitor_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMONI~1.EXE "
"item"="ACMonitor_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RealDownload.lnk"
"backup"="C:\\WINDOWS\\pss\\RealDownload.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Real\\REALDO~1\\REALDO~1.EXE -hidden"
"item"="RealDownload"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^G30FF^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\G30FF\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\itpb_11.exe SKY003"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Autostart ShipSearch.lnk]
"path"="C:\\Documents and Settings\\Geoff\\Start Menu\\Programs\\Startup\\Autostart ShipSearch.lnk"
"backup"="C:\\WINDOWS\\pss\\Autostart ShipSearch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SHIPSE~1.0-P\\SHIPSE~1.EXE "
"item"="Autostart ShipSearch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131470]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131470"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131470.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131516]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131516"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131516.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="180ax"
"hkey"="HKLM"
"command"="c:\\windows\\180ax.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\196992]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="196992"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\196992.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197078]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197078"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197078.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197270]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197270"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197270.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262526]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262526"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262526.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262758]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262758"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262758.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\263508]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="263508"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\263508.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328290]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328290"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328290.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328344]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328344"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328344.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4325808]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="4325808"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\4325808.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5833372]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5833372"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\5833372.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\655996]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="655996"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\655996.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65880]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65880"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65880.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65886]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65886"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65886.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66116]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66116"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66116.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66152]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66152"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66152.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66154]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66154"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66154.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66162]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66162"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66162.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\917702]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="917702"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\917702.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apinl.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apinl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apinl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apitz.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apitz"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apitz.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apply32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apply32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apply32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bruo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bsoe"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Geoff\\Application Data\\bsoe.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\crbu32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="crbu32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\crbu32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cscui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cscui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\cscui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbabmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGServices"
"hkey"="HKLM"
"command"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlbacinf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbacinf"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\dlbacinf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fly]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fly"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\fly.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bexoscro"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\bexoscro.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Heart Spam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mix proxy"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Barb loud does\\mix proxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\htui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="htui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\htui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ielw32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ielw32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ielw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iexplore"
"hkey"="HKLM"
"command"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ieyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ieyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ieyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="imekrmig"
"hkey"="HKLM"
"command"="D:\\IME\\IMKR\\imekrmig.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\javadm32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="javadm32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\javadm32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdfi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdfi"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdfi.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdnec95]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdnec95"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdnec95.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxamsp32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxamsp32"
"hkey"="HKLM"
"command"="lxamsp32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\motoin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm15201518"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mm15201518.Stub.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnappau"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSVersion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="internetfeatures"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\internetfeatures.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pg2"
"hkey"="HKCU"
"command"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popuppers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newpop61"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\newpop61.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasdlg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rasdlg"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\rasdlg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFX_auto_upgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="retadpu77"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWindowsUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uptodate"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\uptodate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\Smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StormSet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syncui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syncui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\syncui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="reaqcbsx"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\reaqcbsx.dll\",forkonce"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tcm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\THECLE~1\\tcm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="webbuying"
"hkey"="HKCU"
"command"="C:\\Program Files\\Web Buying\\v1.7.4\\webbuying.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="was7"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WinAntiSpyware 2007\\was7.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winpop"
"hkey"="HKCU"
"command"="C:\\Program Files\\WinPop\\winpop.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\winyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmpdxm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wmpdxm"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\wmpdxm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"ewido security suite control"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-03 16:20:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-08-03 16:22:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-03 16:22
C:\ComboFix2.txt ... 07-05-01 21:25
C:\ComboFix3.txt ... 07-04-26 19:06

#4 __RiP_ChAiN_


Posted 03 August 2007 - 04:32 PM

Hello geoffre,

I am preparing your fix now. From the time you read this, please do not reboot your computer, or some of the files may have changed names and it will be that much more difficult to remove the many infections plaguing your computer.

#5 __RiP_ChAiN_


Posted 03 August 2007 - 05:01 PM

I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on Start, then Run, type msconfig and then press Enter. When the window opens, click on the Startup tab and make sure there are checkmarks in every entry. Then press OK until you are out of the program. If it asks to reboot, do not reboot.

Now please create a new HijackThis log and post it as a reply.

Edited by __RiP_ChAiN_, 03 August 2007 - 05:28 PM.


#6 geoffre


Posted 03 August 2007 - 05:18 PM

OK, I did what you said and wow, I must have check-marked about 60 things... yikes :thumbsup:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:27 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4DDCACED-3451-6FD9-2971-4FB67838F3C9} - C:\WINDOWS\system32\tvhxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {79AB4FA1-E651-4E71-8070-0C00C00D4363} - C:\Program Files\Common Files\ryxyf83122.dll (file missing)
O2 - BHO: (no name) - {7affc5dc-293d-4b0c-a5b7-d304f0d3dad7} - C:\WINDOWS\system32\xnmgrdn.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\xxyyxya.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B0D40A14-DF0D-418C-97C0-46BEF71B2C68} - C:\WINDOWS\system32\umrncaeo.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\bintknjw.dll
O2 - BHO: (no name) - {FD751AF8-2DEA-4B77-83AE-A722AFA1E882} - C:\WINDOWS\system32\ddabb.dll (file missing)
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [winyu.exe] C:\WINDOWS\winyu.exe
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRA~1\THECLE~1\tcm.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\reaqcbsx.dll",forkonce
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop61.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [javadm32.exe] C:\WINDOWS\system32\javadm32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ieyu.exe] C:\WINDOWS\system32\ieyu.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ielw32.exe] C:\WINDOWS\system32\ielw32.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Heart Spam] C:\PROGRA~1\Barb loud does\mix proxy.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\bexoscro.dll",realset
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [crbu32.exe] C:\WINDOWS\system32\crbu32.exe
O4 - HKLM\..\Run: [apply32.exe] C:\WINDOWS\system32\apply32.exe
O4 - HKLM\..\Run: [apitz.exe] C:\WINDOWS\system32\apitz.exe
O4 - HKLM\..\Run: [apinl.exe] C:\WINDOWS\system32\apinl.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Abpkhn] "C:\Documents and Settings\G30FF\My Documents\??mbols\??erinit.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [wmpdxm] C:\WINDOWS\System32\wmpdxm.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [syncui] C:\WINDOWS\System32\syncui.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [rasdlg] C:\WINDOWS\System32\rasdlg.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [kbdnec95] C:\WINDOWS\System32\kbdnec95.exe
O4 - HKCU\..\Run: [kbdfi] C:\WINDOWS\System32\kbdfi.exe
O4 - HKCU\..\Run: [htui] C:\WINDOWS\System32\htui.exe
O4 - HKCU\..\Run: [fly] C:\WINDOWS\System32\fly.exe
O4 - HKCU\..\Run: [dlbacinf] C:\WINDOWS\System32\dlbacinf.exe
O4 - HKCU\..\Run: [cscui] C:\WINDOWS\System32\cscui.exe
O4 - HKCU\..\Run: [Bruo] C:\Documents and Settings\Geoff\Application Data\bsoe.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [917702] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917702.cpl
O4 - HKCU\..\Run: [66162] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66162.cpl
O4 - HKCU\..\Run: [66154] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66154.cpl
O4 - HKCU\..\Run: [66152] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66152.cpl
O4 - HKCU\..\Run: [66116] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66116.cpl
O4 - HKCU\..\Run: [65886] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65886.cpl
O4 - HKCU\..\Run: [65880] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65880.cpl
O4 - HKCU\..\Run: [655996] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\655996.cpl
O4 - HKCU\..\Run: [5833372] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\5833372.cpl
O4 - HKCU\..\Run: [4325808] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\4325808.cpl
O4 - HKCU\..\Run: [328344] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\328344.cpl
O4 - HKCU\..\Run: [328290] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\328290.cpl
O4 - HKCU\..\Run: [263508] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\263508.cpl
O4 - HKCU\..\Run: [262758] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\262758.cpl
O4 - HKCU\..\Run: [262526] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\262526.cpl
O4 - HKCU\..\Run: [197270] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\197270.cpl
O4 - HKCU\..\Run: [197078] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\197078.cpl
O4 - HKCU\..\Run: [196992] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196992.cpl
O4 - HKCU\..\Run: [131516] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131516.cpl
O4 - HKCU\..\Run: [131470] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131470.cpl
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddabb - C:\WINDOWS\system32\ddabb.dll (file missing)
O20 - Winlogon Notify: xxyyxya - xxyyxya.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 12576 bytes
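Post #5's point is that items unticked in msconfig are parked under the msconfig\startupreg key (the dump earlier in the thread) and reappear as O4 Run lines once re-enabled, which is why the new HijackThis log above grew so much. The script below is an added example for this thread, not a tool the helpers used and not HijackThis's own logic: it parses both formats from constructed sample lines copied from these logs, lists which entries were disabled-then-re-enabled, and applies triage heuristics that are assumptions of this example (a hit means "look closer", not a verdict).

```python
"""Cross-check HijackThis O4 'Run' lines against the msconfig 'startupreg' dump
ComboFix printed. Added example for this thread, not a tool the helpers used;
the triage heuristics are assumptions of this example, not HijackThis logic."""
import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [name] command   (HKUS\S-1-5-18 style hives match too)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Each startupreg subkey is an item the user unticked in msconfig at some point
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<k>[^"]+)"="(?P<v>.*)"$')

@dataclass
class StartupEntry:
    name: str      # bracketed name in HJT, or the startupreg subkey name
    hive: str      # HKLM / HKCU / HKUS\<sid>
    command: str

def parse_hjt_o4(text):
    # Only O4 Run lines; Startup-folder O4 lines have a different shape and are skipped
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(StartupEntry(m['name'], m['hive'], m['cmd']))
    return out

def _flush(cur, out):
    if cur:
        out.append(StartupEntry(cur['name'], cur.get('hkey', ''), cur.get('command', '')))

def parse_startupreg(text):
    """Parse the .reg-style startupreg dump; \\ and \" are .reg escapes."""
    out, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            _flush(cur, out)
            cur = {'name': km['name']}
            continue
        vm = VALUE_RE.match(line)
        if vm and cur is not None:
            cur[vm['k']] = re.sub(r'\\(.)', r'\1', vm['v'])  # undo .reg escaping
    _flush(cur, out)
    return out

def reenabled_entries(hjt_entries, reg_entries):
    """Entries active in the HJT log that msconfig shows were disabled before:
    exactly the items the user ticked back on after post #5."""
    was_off = {(e.hive.upper(), e.name.lower()) for e in reg_entries}
    return [e for e in hjt_entries if (e.hive.upper(), e.name.lower()) in was_off]

def review_reasons(entry):
    """Illustrative triage heuristics (assumptions of this example)."""
    low = entry.command.strip().strip('"').lower()
    reasons = []
    if re.search(r'control_rundll\s+c:\\windows\\\d+\.cpl', low):
        reasons.append('numeric .cpl in the Windows root launched via rundll32')
    if re.match(r'c:\\windows\\[^\\]+\.exe', low):
        reasons.append('exe directly in C:\\WINDOWS root (vendor tools do this too; verify)')
    if re.search(r'\bsvhost\.exe', low):
        reasons.append('name is one letter off from the system process svchost.exe')
    return reasons

def triage(hjt_text, reg_text):
    """name -> (was re-enabled, reasons) for every O4 Run entry worth a look."""
    hjt, reg = parse_hjt_o4(hjt_text), parse_startupreg(reg_text)
    back_on = {e.name.lower() for e in reenabled_entries(hjt, reg)}
    report = {}
    for e in hjt:
        reasons = review_reasons(e)
        if reasons or e.name.lower() in back_on:
            report[e.name] = (e.name.lower() in back_on, reasons)
    return report

# Constructed samples; the lines are copied from the logs in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop61.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [917702] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917702.cpl
"""
SAMPLE_STARTUPREG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popuppers]
"item"="newpop61"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\newpop61.exe"
"""

if __name__ == '__main__':
    for name, (back_on, reasons) in triage(SAMPLE_HJT, SAMPLE_STARTUPREG).items():
        print(f"{name:12} re-enabled={back_on!s:5} {'; '.join(reasons) or 'no heuristic hit'}")
```

On the sample, ares and popuppers come out as re-enabled, and svhost, popuppers, CTRegRun and 917702 get heuristic hits; CTRegRun shows why a root-of-Windows hit still needs a human check.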

#7 __RiP_ChAiN_


Posted 03 August 2007 - 05:47 PM

Hello geoffre,

This is a very advanced fix; if you have any questions, ask them before proceeding to the next step.

Using Add or Remove Programs, remove the following entries (if present). (To get into Add or Remove Programs, press the Start button > Control Panel > Add or Remove Programs.)

(IMPORTANT: DO NOT REBOOT YOUR COMPUTER IF ASKED TO BY A PROGRAM BELOW.)
Azureus
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 SDK Standard Edition v1.3.0_02
Java 2 SDK, SE v1.4.2_01
Kazaa Media Desktop 2.0.2
LimeWire 4.12.11
OIN
Outerinfo
Viewpoint Media Player
Web Buying


Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [winyu.exe] C:\WINDOWS\winyu.exe
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\reaqcbsx.dll",forkonce
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [popuppers] C:\WINDOWS\newpop61.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [javadm32.exe] C:\WINDOWS\system32\javadm32.exe
O4 - HKLM\..\Run: [ieyu.exe] C:\WINDOWS\system32\ieyu.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ielw32.exe] C:\WINDOWS\system32\ielw32.exe
O4 - HKLM\..\Run: [Heart Spam] C:\PROGRA~1\Barb loud does\mix proxy.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\bexoscro.dll",realset
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [crbu32.exe] C:\WINDOWS\system32\crbu32.exe
O4 - HKLM\..\Run: [apply32.exe] C:\WINDOWS\system32\apply32.exe
O4 - HKLM\..\Run: [apitz.exe] C:\WINDOWS\system32\apitz.exe
O4 - HKLM\..\Run: [apinl.exe] C:\WINDOWS\system32\apinl.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKCU\..\Run: [Abpkhn] "C:\Documents and Settings\G30FF\My Documents\??mbols\??erinit.exe"
O4 - HKCU\..\Run: [wmpdxm] C:\WINDOWS\System32\wmpdxm.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [syncui] C:\WINDOWS\System32\syncui.exe
O4 - HKCU\..\Run: [rasdlg] C:\WINDOWS\System32\rasdlg.exe
O4 - HKCU\..\Run: [kbdnec95] C:\WINDOWS\System32\kbdnec95.exe
O4 - HKCU\..\Run: [kbdfi] C:\WINDOWS\System32\kbdfi.exe
O4 - HKCU\..\Run: [htui] C:\WINDOWS\System32\htui.exe
O4 - HKCU\..\Run: [fly] C:\WINDOWS\System32\fly.exe
O4 - HKCU\..\Run: [dlbacinf] C:\WINDOWS\System32\dlbacinf.exe
O4 - HKCU\..\Run: [cscui] C:\WINDOWS\System32\cscui.exe
O4 - HKCU\..\Run: [Bruo] C:\Documents and Settings\Geoff\Application Data\bsoe.exe
O4 - HKCU\..\Run: [917702] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917702.cpl
O4 - HKCU\..\Run: [66162] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66162.cpl
O4 - HKCU\..\Run: [66154] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66154.cpl
O4 - HKCU\..\Run: [66152] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66152.cpl
O4 - HKCU\..\Run: [66116] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\66116.cpl
O4 - HKCU\..\Run: [65886] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65886.cpl
O4 - HKCU\..\Run: [65880] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\65880.cpl
O4 - HKCU\..\Run: [655996] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\655996.cpl
O4 - HKCU\..\Run: [5833372] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\5833372.cpl
O4 - HKCU\..\Run: [4325808] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\4325808.cpl
O4 - HKCU\..\Run: [328344] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\328344.cpl
O4 - HKCU\..\Run: [328290] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\328290.cpl
O4 - HKCU\..\Run: [263508] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\263508.cpl
O4 - HKCU\..\Run: [262758] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\262758.cpl
O4 - HKCU\..\Run: [262526] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\262526.cpl
O4 - HKCU\..\Run: [197270] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\197270.cpl
O4 - HKCU\..\Run: [197078] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\197078.cpl
O4 - HKCU\..\Run: [196992] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\196992.cpl
O4 - HKCU\..\Run: [131516] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131516.cpl
O4 - HKCU\..\Run: [131470] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\131470.cpl
O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text into Notepad. Set "Save as type" to "All Files", name it FixService.bat, and save it on your desktop.

sc stop DomainService
sc delete DomainService
sc stop "Net Agent"
sc delete "Net Agent"
exit


Double click FixService.bat. A window will open and close. This is normal.

Open Notepad and copy (Ctrl+C) and paste (Ctrl+V) the following text into it:

REGEDIT4

; A Browser Helper Object is registered as a subkey of the Browser Helper Objects key,
; so each one is removed with a [-key] line; a "{CLSID}"=- line would only delete a
; value of that name, which does not exist.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4DDCACED-3451-6FD9-2971-4FB67838F3C9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79AB4FA1-E651-4E71-8070-0C00C00D4363}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7affc5dc-293d-4b0c-a5b7-d304f0d3dad7}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{868865EC-0295-4C7D-B25D-9F65314145E9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0D40A14-DF0D-418C-97C0-46BEF71B2C68}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD751AF8-2DEA-4B77-83AE-A722AFA1E882}]

; Run entries are values, so "name"=- removes them.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"svhost"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Abpkhn"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"{868865EC-0295-4C7D-B25D-9F65314145E9}"=-
"{4567AB12-B980-44A5-B259-9B09EBEA6331}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddabb]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyxya]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winyu.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DownloadAccelerator"=-
"ptrun32"=-
"windows auto update"=-
"stcloader"=-
"slmss"=-
"Rundll32_7"=-
"New.net Startup"=-
"Mwsvm"=-
"DGNTAHNUE"=-
"iefeatures"=-
"CMESys"=-
"ClrSchLoader"=-

Save it to drive C:\ as fix.reg, with "Save as type" set to "All Files".

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

files to delete:
C:\WINDOWS\SYSTEM32\umrncaeo.dll
C:\WINDOWS\SYSTEM32\reaqcbsx.dll
C:\WINDOWS\SYSTEM32\raqbamio.exe
C:\WINDOWS\SYSTEM32\tvhxj.dll
C:\WINDOWS\SYSTEM32\liobpqos.exe
C:\WINDOWS\SYSTEM32\udfobijw.dll
C:\WINDOWS\SYSTEM32\hgxrajuj.exe
C:\WINDOWS\SYSTEM32\dclmeuxr.exe
C:\WINDOWS\SYSTEM32\bintknjw.dll
C:\WINDOWS\SYSTEM32\rexialig.exe
C:\WINDOWS\SYSTEM32\spdwhrel.dll
C:\WINDOWS\SYSTEM32\ynrtnvkf.dll
C:\WINDOWS\SYSTEM32\vajmdsbn.exe
C:\WINDOWS\SYSTEM32\xnmgrdn.dll
C:\WINDOWS\SYSTEM32\nnnnonn.dll
C:\WINDOWS\SYSTEM32\hbpkxqwj.dll
C:\WINDOWS\SYSTEM32\stdhcntv.dll
C:\WINDOWS\SYSTEM32\mmlskxqb.exe
C:\WINDOWS\SYSTEM32\kmvqtfxp.exe
C:\WINDOWS\SYSTEM32\bffaidqp.exe
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\system32\xxyyxya.dll
C:\WINDOWS\SYSTEM32\SYSCF32.DLL
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\bintknjw.dll
C:\WINDOWS\system32\tvhxj.dll
C:\Program Files\Common Files\ryxyf83122.dll
C:\WINDOWS\system32\xnmgrdn.dll
C:\WINDOWS\xmlhelper2.dll
C:\WINDOWS\system32\xxyyxya.dll
C:\WINDOWS\system32\umrncaeo.dll
C:\WINDOWS\winyu.exe
C:\WINDOWS\msblast.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\msiefr40.dll
C:\WINDOWS\mwsvm.exe
C:\WINDOWS\DGNTAHNUE.exe
C:\WINDOWS\System32\iefeatures.exe
C:\WINDOWS\131470.cpl
C:\WINDOWS\131516.cpl
c:\windows\180ax.exe
C:\WINDOWS\196992.cpl
C:\WINDOWS\197078.cpl
C:\WINDOWS\197270.cpl
C:\WINDOWS\262526.cpl
C:\WINDOWS\262758.cpl
C:\WINDOWS\263508.cpl
C:\WINDOWS\328290.cpl
C:\WINDOWS\328344.cpl
C:\WINDOWS\4325808.cpl
C:\WINDOWS\5833372.cpl
C:\WINDOWS\655996.cpl
C:\WINDOWS\65880.cpl
C:\WINDOWS\65886.cpl
C:\WINDOWS\66116.cpl
C:\WINDOWS\66152.cpl
C:\WINDOWS\66154.cpl
C:\WINDOWS\66162.cpl
C:\WINDOWS\917702.cpl
C:\WINDOWS\system32\apinl.exe
C:\WINDOWS\system32\apitz.exe
C:\WINDOWS\system32\apply32.exe
C:\Documents and Settings\Geoff\Application Data\bsoe.exe
C:\WINDOWS\system32\crbu32.exe
C:\WINDOWS\System32\cscui.exe
C:\WINDOWS\System32\dlbacinf.exe
C:\WINDOWS\System32\fly.exe
C:\WINDOWS\system32\bexoscro.dll
C:\WINDOWS\System32\htui.exe
C:\WINDOWS\system32\ielw32.exe
C:\WINDOWS\itpb_11.exe
C:\PROGRA~1\HIPSE~1.0-P
C:\WINDOWS\system32\ieyu.exe
C:\WINDOWS\system32\javadm32.exe
C:\WINDOWS\System32\kbdfi.exe
C:\WINDOWS\System32\kbdnec95.exe
C:\WINDOWS\itpb_11.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\internetfeatures.exe
C:\WINDOWS\newpop61.exe
C:\WINDOWS\System32\rasdlg.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\system32\reaqcbsx.dll
C:\WINDOWS\winyu.exe
C:\WINDOWS\System32\wmpdxm.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\drivers\FOPN.sys

folders to delete:
C:\PROGRA~1\NEWDOT~1
C:\WINDOWS\System32\ptrun32
C:\PROGRA~1\DAP
C:\PROGRA~1\Barb loud does
C:\PROGRA~1\THECLE~1
C:\Program Files\Web Buying
C:\Program Files\WinAntiSpyware 2007
C:\Program Files\WinPop
C:\Program Files\DownloadWare
C:\Program Files\Messenger Plus! 2
C:\Program Files\Ringz Studio\Storm Codec
C:\Program Files\DownloadWare
C:\WINDOWS\SYSTEM32\driver
C:\WINDOWS\SYSTEM32\B5
C:\WINDOWS\SYSTEM32\B4
C:\WINDOWS\SYSTEM32\B3
C:\WINDOWS\SYSTEM32\B2
C:\WINDOWS\SYSTEM32\B1
C:\WINDOWS\SYSTEM32\b02FdUe
C:\WINDOWS\SYSTEM32\B0
C:\DOCUME~1\G30FF\APPLIC~1.\Azureus
C:\Program Files\svhost
C:\Program Files\WinPop
C:\Program Files\poolsv
C:\Program Files\WinAntiSpyware 2007
C:\DOCUME~1\G30FF\APPLIC~1.\WinAntiSpyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\Program Files\Common Files\slmss
C:\Program Files\Common Files\CMEII
C:\Program Files\ClearSearch
C:\Program Files\WinAntiSpyware 2007

programs to launch on reboot:
C:\fix.reg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
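The procedure above has three moving parts: the HijackThis entries to fix, the Avenger script that deletes the files those entries point at, and the fix.reg that removes what is left in the registry. Avenger prints an NTSTATUS code for each deletion it could not perform: 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND (the file was already gone, so the autostart entry is simply orphaned) and 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND (a directory in the path does not exist, which usually means the path in the script is wrong). The following is an added example, not part of this post and not code from HijackThis or The Avenger: it parses HijackThis O2/O4 lines and the results section of C:\avenger.txt, interprets those status codes, and generates a REGEDIT4 fix that removes BHO subkeys whose DLL is missing and Run values whose target was deleted. The sample log lines at the bottom are constructed from the formats shown in this thread, and the function names are my own.

```python
"""Cross-check a HijackThis log against an Avenger result log and emit a REGEDIT4
cleanup.  Added example for this thread: not code from HijackThis, The Avenger or
the original poster.  The sample inputs at the bottom are constructed."""
import re

# HijackThis line formats: O2 = Browser Helper Object, O4 = Run-key autostart.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# First drive-letter path with an executable extension in an O4 command line; for
# rundll32 entries that is the DLL/CPL payload rather than rundll32.exe itself.
TARGET_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|cpl|ocx)', re.I)

# Avenger result lines and the NTSTATUS codes it prints after a failure.
DELETED_RE = re.compile(r"^(?:File|Folder) (?P<path>.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (?:file|folder) (?P<path>.+) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]{8})$")
NTSTATUS = {
    "0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND",  # already gone: the autostart entry is orphaned
    "0xc000003a": "STATUS_OBJECT_PATH_NOT_FOUND",  # a directory in the path is wrong: fix the script
}

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = {"HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"}

def parse_hjt(text):
    """Return ([(clsid, dll_path, file_missing)], [(hive, value_name, target_path)])."""
    bhos, runs = [], []
    for line in text.splitlines():
        line = line.strip()
        if (m := O2_RE.match(line)):
            bhos.append((m["clsid"], m["path"], m["missing"] is not None))
        elif (m := O4_RE.match(line)):
            t = TARGET_RE.search(m["cmd"])
            runs.append((m["hive"], m["value"], t.group(0) if t else None))
    return bhos, runs

def parse_avenger(text):
    """Map each lowercased path to 'deleted' or to the symbolic NTSTATUS of its failure."""
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := DELETED_RE.match(line)):
            results[m["path"].lower()] = "deleted"
        elif (m := FAILED_RE.match(line)):
            pending = m["path"].lower()          # the Status: line follows a few lines later
        elif (m := STATUS_RE.match(line)) and pending:
            results[pending] = NTSTATUS.get(m["code"].lower(), m["code"])
            pending = None
    return results

def gone(path, results):
    """True when Avenger deleted the file or reported it already absent."""
    return results.get(path.lower()) in ("deleted", "STATUS_OBJECT_NAME_NOT_FOUND")

def needs_attention(runs, results):
    """Run entries whose target Avenger could not even reach (wrong path in the script)."""
    return [(h, v, t) for h, v, t in runs
            if t and results.get(t.lower()) == "STATUS_OBJECT_PATH_NOT_FOUND"]

def build_fix(bhos, runs, results):
    """REGEDIT4 text removing orphaned BHO registrations and Run values.

    A BHO is registered as a *subkey* of the Browser Helper Objects key, so it is
    removed with a [-key] line; Run entries are *values*, removed with "name"=-.
    """
    out = ["REGEDIT4", ""]
    for clsid, path, missing in bhos:
        if missing or gone(path, results):
            out += [f"[-{BHO_KEY}\\{clsid}]", ""]
    for hive in ("HKLM", "HKCU"):
        values = [v for h, v, t in runs if h == hive and t and gone(t, results)]
        if values:
            out += [f"[{RUN_KEYS[hive]}]"] + [f'"{v}"=-' for v in values] + [""]
    return "\n".join(out)

# Constructed samples in the formats used in this thread (not the poster's full logs).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {4DDCACED-3451-6FD9-2971-4FB67838F3C9} - C:\WINDOWS\system32\tvhxj.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\reaqcbsx.dll",forkonce
O4 - HKCU\..\Run: [917702] rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\917702.cpl
O4 - HKCU\..\Run: [Bruo] C:\Documents and Settings\Geoff\Application Data\bsoe.exe
"""
SAMPLE_AVENGER = r"""
File C:\WINDOWS\SYSTEM32\reaqcbsx.dll deleted successfully.
File C:\WINDOWS\917702.cpl not found!
Deletion of file C:\WINDOWS\917702.cpl failed!

Could not process line:
C:\WINDOWS\917702.cpl
Status: 0xc0000034

Could not open file C:\Documents and Settings\Geoff\Application Data\bsoe.exe for deletion
Deletion of file C:\Documents and Settings\Geoff\Application Data\bsoe.exe failed!
Status: 0xc000003a
"""
```

Running `build_fix(*parse_hjt(SAMPLE_HJT), parse_avenger(SAMPLE_AVENGER))` on the samples yields a .reg that deletes the tvhxj.dll BHO subkey and the SystemOptimizer and 917702 Run values, leaves the Adobe BHO alone, and skips svhost (not in the Avenger log) and Bruo, which `needs_attention` flags instead because Avenger returned STATUS_OBJECT_PATH_NOT_FOUND for it. Path comparison is case-insensitive because HijackThis and Avenger do not agree on the casing of System32.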

#8 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts

Posted 03 August 2007 - 06:51 PM

OK, all finished. Just a couple of minor issues that I noticed.
Firstly, when trying to delete Kazaa I got the following error message:

Error in C:\WINDOWS\System32\cd_clint.dll
Missing entry: ServiceRunDll

Similar messages popped up regarding ICQLite, which I have had the damnedest time trying to get rid of, and WildTangent. Other than that, everything else was smooth sailing!


AVENGER.TXT

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rrfeddsr

*******************

Script file located at: \??\C:\WINDOWS\wacmxpky.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\umrncaeo.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\reaqcbsx.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\raqbamio.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tvhxj.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\liobpqos.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\udfobijw.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\hgxrajuj.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dclmeuxr.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\bintknjw.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rexialig.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\spdwhrel.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ynrtnvkf.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vajmdsbn.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\xnmgrdn.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\nnnnonn.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\hbpkxqwj.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\stdhcntv.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\mmlskxqb.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\kmvqtfxp.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\bffaidqp.exe deleted successfully.
File C:\WINDOWS\system32\stera.exe deleted successfully.
File C:\WINDOWS\tasks\At1.job deleted successfully.
File C:\WINDOWS\tasks\At10.job deleted successfully.
File C:\WINDOWS\tasks\At11.job deleted successfully.
File C:\WINDOWS\tasks\At12.job deleted successfully.
File C:\WINDOWS\tasks\At13.job deleted successfully.
File C:\WINDOWS\tasks\At14.job deleted successfully.
File C:\WINDOWS\tasks\At15.job deleted successfully.
File C:\WINDOWS\tasks\At16.job deleted successfully.
File C:\WINDOWS\tasks\At17.job deleted successfully.
File C:\WINDOWS\tasks\At18.job deleted successfully.
File C:\WINDOWS\tasks\At19.job deleted successfully.
File C:\WINDOWS\tasks\At2.job deleted successfully.
File C:\WINDOWS\tasks\At20.job deleted successfully.
File C:\WINDOWS\tasks\At21.job deleted successfully.
File C:\WINDOWS\tasks\At22.job deleted successfully.
File C:\WINDOWS\tasks\At23.job deleted successfully.
File C:\WINDOWS\tasks\At24.job deleted successfully.
File C:\WINDOWS\tasks\At3.job deleted successfully.
File C:\WINDOWS\tasks\At4.job deleted successfully.
File C:\WINDOWS\tasks\At5.job deleted successfully.
File C:\WINDOWS\tasks\At6.job deleted successfully.
File C:\WINDOWS\tasks\At7.job deleted successfully.
File C:\WINDOWS\tasks\At8.job deleted successfully.
File C:\WINDOWS\tasks\At9.job deleted successfully.


File C:\WINDOWS\system32\xxyyxya.dll not found!
Deletion of file C:\WINDOWS\system32\xxyyxya.dll failed!

Could not process line:
C:\WINDOWS\system32\xxyyxya.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SYSCF32.DLL not found!
Deletion of file C:\WINDOWS\SYSTEM32\SYSCF32.DLL failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SYSCF32.DLL
Status: 0xc0000034



File C:\WINDOWS\system32\ddabb.dll not found!
Deletion of file C:\WINDOWS\system32\ddabb.dll failed!

Could not process line:
C:\WINDOWS\system32\ddabb.dll
Status: 0xc0000034



File C:\WINDOWS\system32\bintknjw.dll not found!
Deletion of file C:\WINDOWS\system32\bintknjw.dll failed!

Could not process line:
C:\WINDOWS\system32\bintknjw.dll
Status: 0xc0000034



File C:\WINDOWS\system32\tvhxj.dll not found!
Deletion of file C:\WINDOWS\system32\tvhxj.dll failed!

Could not process line:
C:\WINDOWS\system32\tvhxj.dll
Status: 0xc0000034



File C:\Program Files\Common Files\ryxyf83122.dll not found!
Deletion of file C:\Program Files\Common Files\ryxyf83122.dll failed!

Could not process line:
C:\Program Files\Common Files\ryxyf83122.dll
Status: 0xc0000034



File C:\WINDOWS\system32\xnmgrdn.dll not found!
Deletion of file C:\WINDOWS\system32\xnmgrdn.dll failed!

Could not process line:
C:\WINDOWS\system32\xnmgrdn.dll
Status: 0xc0000034



File C:\WINDOWS\xmlhelper2.dll not found!
Deletion of file C:\WINDOWS\xmlhelper2.dll failed!

Could not process line:
C:\WINDOWS\xmlhelper2.dll
Status: 0xc0000034



File C:\WINDOWS\system32\xxyyxya.dll not found!
Deletion of file C:\WINDOWS\system32\xxyyxya.dll failed!

Could not process line:
C:\WINDOWS\system32\xxyyxya.dll
Status: 0xc0000034



File C:\WINDOWS\system32\umrncaeo.dll not found!
Deletion of file C:\WINDOWS\system32\umrncaeo.dll failed!

Could not process line:
C:\WINDOWS\system32\umrncaeo.dll
Status: 0xc0000034



File C:\WINDOWS\winyu.exe not found!
Deletion of file C:\WINDOWS\winyu.exe failed!

Could not process line:
C:\WINDOWS\winyu.exe
Status: 0xc0000034



File C:\WINDOWS\msblast.exe not found!
Deletion of file C:\WINDOWS\msblast.exe failed!

Could not process line:
C:\WINDOWS\msblast.exe
Status: 0xc0000034



File C:\WINDOWS\System32\stcloader.exe not found!
Deletion of file C:\WINDOWS\System32\stcloader.exe failed!

Could not process line:
C:\WINDOWS\System32\stcloader.exe
Status: 0xc0000034



File C:\WINDOWS\System32\msiefr40.dll not found!
Deletion of file C:\WINDOWS\System32\msiefr40.dll failed!

Could not process line:
C:\WINDOWS\System32\msiefr40.dll
Status: 0xc0000034



File C:\WINDOWS\mwsvm.exe not found!
Deletion of file C:\WINDOWS\mwsvm.exe failed!

Could not process line:
C:\WINDOWS\mwsvm.exe
Status: 0xc0000034



File C:\WINDOWS\DGNTAHNUE.exe not found!
Deletion of file C:\WINDOWS\DGNTAHNUE.exe failed!

Could not process line:
C:\WINDOWS\DGNTAHNUE.exe
Status: 0xc0000034



File C:\WINDOWS\System32\iefeatures.exe not found!
Deletion of file C:\WINDOWS\System32\iefeatures.exe failed!

Could not process line:
C:\WINDOWS\System32\iefeatures.exe
Status: 0xc0000034



File C:\WINDOWS\131470.cpl not found!
Deletion of file C:\WINDOWS\131470.cpl failed!

Could not process line:
C:\WINDOWS\131470.cpl
Status: 0xc0000034



File C:\WINDOWS\131516.cpl not found!
Deletion of file C:\WINDOWS\131516.cpl failed!

Could not process line:
C:\WINDOWS\131516.cpl
Status: 0xc0000034



File c:\windows\180ax.exe not found!
Deletion of file c:\windows\180ax.exe failed!

Could not process line:
c:\windows\180ax.exe
Status: 0xc0000034



File C:\WINDOWS\196992.cpl not found!
Deletion of file C:\WINDOWS\196992.cpl failed!

Could not process line:
C:\WINDOWS\196992.cpl
Status: 0xc0000034



File C:\WINDOWS\197078.cpl not found!
Deletion of file C:\WINDOWS\197078.cpl failed!

Could not process line:
C:\WINDOWS\197078.cpl
Status: 0xc0000034



File C:\WINDOWS\197270.cpl not found!
Deletion of file C:\WINDOWS\197270.cpl failed!

Could not process line:
C:\WINDOWS\197270.cpl
Status: 0xc0000034



File C:\WINDOWS\262526.cpl not found!
Deletion of file C:\WINDOWS\262526.cpl failed!

Could not process line:
C:\WINDOWS\262526.cpl
Status: 0xc0000034



File C:\WINDOWS\262758.cpl not found!
Deletion of file C:\WINDOWS\262758.cpl failed!

Could not process line:
C:\WINDOWS\262758.cpl
Status: 0xc0000034



File C:\WINDOWS\263508.cpl not found!
Deletion of file C:\WINDOWS\263508.cpl failed!

Could not process line:
C:\WINDOWS\263508.cpl
Status: 0xc0000034



File C:\WINDOWS\328290.cpl not found!
Deletion of file C:\WINDOWS\328290.cpl failed!

Could not process line:
C:\WINDOWS\328290.cpl
Status: 0xc0000034



File C:\WINDOWS\328344.cpl not found!
Deletion of file C:\WINDOWS\328344.cpl failed!

Could not process line:
C:\WINDOWS\328344.cpl
Status: 0xc0000034



File C:\WINDOWS\4325808.cpl not found!
Deletion of file C:\WINDOWS\4325808.cpl failed!

Could not process line:
C:\WINDOWS\4325808.cpl
Status: 0xc0000034



File C:\WINDOWS\5833372.cpl not found!
Deletion of file C:\WINDOWS\5833372.cpl failed!

Could not process line:
C:\WINDOWS\5833372.cpl
Status: 0xc0000034



File C:\WINDOWS\655996.cpl not found!
Deletion of file C:\WINDOWS\655996.cpl failed!

Could not process line:
C:\WINDOWS\655996.cpl
Status: 0xc0000034



File C:\WINDOWS\65880.cpl not found!
Deletion of file C:\WINDOWS\65880.cpl failed!

Could not process line:
C:\WINDOWS\65880.cpl
Status: 0xc0000034



File C:\WINDOWS\65886.cpl not found!
Deletion of file C:\WINDOWS\65886.cpl failed!

Could not process line:
C:\WINDOWS\65886.cpl
Status: 0xc0000034



File C:\WINDOWS\66116.cpl not found!
Deletion of file C:\WINDOWS\66116.cpl failed!

Could not process line:
C:\WINDOWS\66116.cpl
Status: 0xc0000034



File C:\WINDOWS\66152.cpl not found!
Deletion of file C:\WINDOWS\66152.cpl failed!

Could not process line:
C:\WINDOWS\66152.cpl
Status: 0xc0000034



File C:\WINDOWS\66154.cpl not found!
Deletion of file C:\WINDOWS\66154.cpl failed!

Could not process line:
C:\WINDOWS\66154.cpl
Status: 0xc0000034



File C:\WINDOWS\66162.cpl not found!
Deletion of file C:\WINDOWS\66162.cpl failed!

Could not process line:
C:\WINDOWS\66162.cpl
Status: 0xc0000034



File C:\WINDOWS\917702.cpl not found!
Deletion of file C:\WINDOWS\917702.cpl failed!

Could not process line:
C:\WINDOWS\917702.cpl
Status: 0xc0000034



File C:\WINDOWS\system32\apinl.exe not found!
Deletion of file C:\WINDOWS\system32\apinl.exe failed!

Could not process line:
C:\WINDOWS\system32\apinl.exe
Status: 0xc0000034



File C:\WINDOWS\system32\apitz.exe not found!
Deletion of file C:\WINDOWS\system32\apitz.exe failed!

Could not process line:
C:\WINDOWS\system32\apitz.exe
Status: 0xc0000034



File C:\WINDOWS\system32\apply32.exe not found!
Deletion of file C:\WINDOWS\system32\apply32.exe failed!

Could not process line:
C:\WINDOWS\system32\apply32.exe
Status: 0xc0000034



Could not open file C:\Documents and Settings\Geoff\Application Data\bsoe.exe for deletion
Deletion of file C:\Documents and Settings\Geoff\Application Data\bsoe.exe failed!

Could not process line:
C:\Documents and Settings\Geoff\Application Data\bsoe.exe
Status: 0xc000003a



File C:\WINDOWS\system32\crbu32.exe not found!
Deletion of file C:\WINDOWS\system32\crbu32.exe failed!

Could not process line:
C:\WINDOWS\system32\crbu32.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cscui.exe not found!
Deletion of file C:\WINDOWS\System32\cscui.exe failed!

Could not process line:
C:\WINDOWS\System32\cscui.exe
Status: 0xc0000034



File C:\WINDOWS\System32\dlbacinf.exe not found!
Deletion of file C:\WINDOWS\System32\dlbacinf.exe failed!

Could not process line:
C:\WINDOWS\System32\dlbacinf.exe
Status: 0xc0000034



File C:\WINDOWS\System32\fly.exe not found!
Deletion of file C:\WINDOWS\System32\fly.exe failed!

Could not process line:
C:\WINDOWS\System32\fly.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bexoscro.dll not found!
Deletion of file C:\WINDOWS\system32\bexoscro.dll failed!

Could not process line:
C:\WINDOWS\system32\bexoscro.dll
Status: 0xc0000034



File C:\WINDOWS\System32\htui.exe not found!
Deletion of file C:\WINDOWS\System32\htui.exe failed!

Could not process line:
C:\WINDOWS\System32\htui.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ielw32.exe not found!
Deletion of file C:\WINDOWS\system32\ielw32.exe failed!

Could not process line:
C:\WINDOWS\system32\ielw32.exe
Status: 0xc0000034



File C:\WINDOWS\itpb_11.exe not found!
Deletion of file C:\WINDOWS\itpb_11.exe failed!

Could not process line:
C:\WINDOWS\itpb_11.exe
Status: 0xc0000034



File C:\PROGRA~1\HIPSE~1.0-P not found!
Deletion of file C:\PROGRA~1\HIPSE~1.0-P failed!

Could not process line:
C:\PROGRA~1\HIPSE~1.0-P
Status: 0xc0000034



File C:\WINDOWS\system32\ieyu.exe not found!
Deletion of file C:\WINDOWS\system32\ieyu.exe failed!

Could not process line:
C:\WINDOWS\system32\ieyu.exe
Status: 0xc0000034



File C:\WINDOWS\system32\javadm32.exe not found!
Deletion of file C:\WINDOWS\system32\javadm32.exe failed!

Could not process line:
C:\WINDOWS\system32\javadm32.exe
Status: 0xc0000034



File C:\WINDOWS\System32\kbdfi.exe not found!
Deletion of file C:\WINDOWS\System32\kbdfi.exe failed!

Could not process line:
C:\WINDOWS\System32\kbdfi.exe
Status: 0xc0000034



File C:\WINDOWS\System32\kbdnec95.exe not found!
Deletion of file C:\WINDOWS\System32\kbdnec95.exe failed!

Could not process line:
C:\WINDOWS\System32\kbdnec95.exe
Status: 0xc0000034



File C:\WINDOWS\itpb_11.exe not found!
Deletion of file C:\WINDOWS\itpb_11.exe failed!

Could not process line:
C:\WINDOWS\itpb_11.exe
Status: 0xc0000034



File C:\WINDOWS\mm15201518.Stub.exe not found!
Deletion of file C:\WINDOWS\mm15201518.Stub.exe failed!

Could not process line:
C:\WINDOWS\mm15201518.Stub.exe
Status: 0xc0000034



File C:\WINDOWS\System32\internetfeatures.exe not found!
Deletion of file C:\WINDOWS\System32\internetfeatures.exe failed!

Could not process line:
C:\WINDOWS\System32\internetfeatures.exe
Status: 0xc0000034



File C:\WINDOWS\newpop61.exe not found!
Deletion of file C:\WINDOWS\newpop61.exe failed!

Could not process line:
C:\WINDOWS\newpop61.exe
Status: 0xc0000034



File C:\WINDOWS\System32\rasdlg.exe not found!
Deletion of file C:\WINDOWS\System32\rasdlg.exe failed!

Could not process line:
C:\WINDOWS\System32\rasdlg.exe
Status: 0xc0000034



File C:\WINDOWS\retadpu77.exe not found!
Deletion of file C:\WINDOWS\retadpu77.exe failed!

Could not process line:
C:\WINDOWS\retadpu77.exe
Status: 0xc0000034



File C:\WINDOWS\uptodate.exe not found!
Deletion of file C:\WINDOWS\uptodate.exe failed!

Could not process line:
C:\WINDOWS\uptodate.exe
Status: 0xc0000034



File C:\WINDOWS\system32\reaqcbsx.dll not found!
Deletion of file C:\WINDOWS\system32\reaqcbsx.dll failed!

Could not process line:
C:\WINDOWS\system32\reaqcbsx.dll
Status: 0xc0000034



File C:\WINDOWS\winyu.exe not found!
Deletion of file C:\WINDOWS\winyu.exe failed!

Could not process line:
C:\WINDOWS\winyu.exe
Status: 0xc0000034



File C:\WINDOWS\System32\wmpdxm.exe not found!
Deletion of file C:\WINDOWS\System32\wmpdxm.exe failed!

Could not process line:
C:\WINDOWS\System32\wmpdxm.exe
Status: 0xc0000034

File C:\WINDOWS\system32\winpfz32.sys deleted successfully.
File C:\WINDOWS\system32\drivers\ApiMon.sys deleted successfully.
File C:\WINDOWS\system32\drivers\FOPN.sys deleted successfully.


Folder C:\PROGRA~1\NEWDOT~1 not found!
Deletion of folder C:\PROGRA~1\NEWDOT~1 failed!

Could not process line:
C:\PROGRA~1\NEWDOT~1
Status: 0xc0000034



Folder C:\WINDOWS\System32\ptrun32 not found!
Deletion of folder C:\WINDOWS\System32\ptrun32 failed!

Could not process line:
C:\WINDOWS\System32\ptrun32
Status: 0xc0000034

Folder C:\PROGRA~1\DAP deleted successfully.


Folder C:\PROGRA~1\Barb loud does not found!
Deletion of folder C:\PROGRA~1\Barb loud does failed!

Could not process line:
C:\PROGRA~1\Barb loud does
Status: 0xc0000034

Folder C:\PROGRA~1\THECLE~1 deleted successfully.


Folder C:\Program Files\Web Buying not found!
Deletion of folder C:\Program Files\Web Buying failed!

Could not process line:
C:\Program Files\Web Buying
Status: 0xc0000034

Folder C:\Program Files\WinAntiSpyware 2007 deleted successfully.
Folder C:\Program Files\WinPop deleted successfully.


Folder C:\Program Files\DownloadWare not found!
Deletion of folder C:\Program Files\DownloadWare failed!

Could not process line:
C:\Program Files\DownloadWare
Status: 0xc0000034



Folder C:\Program Files\Messenger Plus! 2 not found!
Deletion of folder C:\Program Files\Messenger Plus! 2 failed!

Could not process line:
C:\Program Files\Messenger Plus! 2
Status: 0xc0000034

Folder C:\Program Files\Ringz Studio\Storm Codec deleted successfully.


Folder C:\Program Files\DownloadWare not found!
Deletion of folder C:\Program Files\DownloadWare failed!

Could not process line:
C:\Program Files\DownloadWare
Status: 0xc0000034

Folder C:\WINDOWS\SYSTEM32\driver deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B5 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B4 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B3 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B2 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B1 deleted successfully.
Folder C:\WINDOWS\SYSTEM32\b02FdUe deleted successfully.
Folder C:\WINDOWS\SYSTEM32\B0 deleted successfully.


Could not open folder C:\DOCUME~1\G30FF\APPLIC~1.\Azureus for deletion
Deletion of folder C:\DOCUME~1\G30FF\APPLIC~1.\Azureus failed!

Could not process line:
C:\DOCUME~1\G30FF\APPLIC~1.\Azureus
Status: 0xc000003a

Folder C:\Program Files\svhost deleted successfully.


Folder C:\Program Files\WinPop not found!
Deletion of folder C:\Program Files\WinPop failed!

Could not process line:
C:\Program Files\WinPop
Status: 0xc0000034

Folder C:\Program Files\poolsv deleted successfully.


Folder C:\Program Files\WinAntiSpyware 2007 not found!
Deletion of folder C:\Program Files\WinAntiSpyware 2007 failed!

Could not process line:
C:\Program Files\WinAntiSpyware 2007
Status: 0xc0000034



Could not open folder C:\DOCUME~1\G30FF\APPLIC~1.\WinAntiSpyware 2007 for deletion
Deletion of folder C:\DOCUME~1\G30FF\APPLIC~1.\WinAntiSpyware 2007 failed!

Could not process line:
C:\DOCUME~1\G30FF\APPLIC~1.\WinAntiSpyware 2007
Status: 0xc000003a

Folder C:\Program Files\Common Files\WinAntiSpyware 2007 deleted successfully.


Folder C:\Program Files\Common Files\slmss not found!
Deletion of folder C:\Program Files\Common Files\slmss failed!

Could not process line:
C:\Program Files\Common Files\slmss
Status: 0xc0000034



Folder C:\Program Files\Common Files\CMEII not found!
Deletion of folder C:\Program Files\Common Files\CMEII failed!

Could not process line:
C:\Program Files\Common Files\CMEII
Status: 0xc0000034



Folder C:\Program Files\ClearSearch not found!
Deletion of folder C:\Program Files\ClearSearch failed!

Could not process line:
C:\Program Files\ClearSearch
Status: 0xc0000034



Folder C:\Program Files\WinAntiSpyware 2007 not found!
Deletion of folder C:\Program Files\WinAntiSpyware 2007 failed!

Could not process line:
C:\Program Files\WinAntiSpyware 2007
Status: 0xc0000034

Program C:\fix.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:03 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4DDCACED-3451-6FD9-2971-4FB67838F3C9} - C:\WINDOWS\system32\tvhxj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {79AB4FA1-E651-4E71-8070-0C00C00D4363} - C:\Program Files\Common Files\ryxyf83122.dll (file missing)
O2 - BHO: (no name) - {7affc5dc-293d-4b0c-a5b7-d304f0d3dad7} - C:\WINDOWS\system32\xnmgrdn.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\xxyyxya.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B0D40A14-DF0D-418C-97C0-46BEF71B2C68} - C:\WINDOWS\system32\umrncaeo.dll (file missing)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\bintknjw.dll (file missing)
O2 - BHO: (no name) - {FD751AF8-2DEA-4B77-83AE-A722AFA1E882} - C:\WINDOWS\system32\ddabb.dll (file missing)
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRA~1\THECLE~1\tcm.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [imekrmig] D:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7923 bytes

#9 __RiP_ChAiN_


Posted 04 August 2007 - 10:44 AM

Hello geoffre,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4DDCACED-3451-6FD9-2971-4FB67838F3C9} - C:\WINDOWS\system32\tvhxj.dll (file missing)
O2 - BHO: (no name) - {79AB4FA1-E651-4E71-8070-0C00C00D4363} - C:\Program Files\Common Files\ryxyf83122.dll (file missing)
O2 - BHO: (no name) - {7affc5dc-293d-4b0c-a5b7-d304f0d3dad7} - C:\WINDOWS\system32\xnmgrdn.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\xxyyxya.dll (file missing)
O2 - BHO: (no name) - {B0D40A14-DF0D-418C-97C0-46BEF71B2C68} - C:\WINDOWS\system32\umrncaeo.dll (file missing)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\bintknjw.dll (file missing)
O2 - BHO: (no name) - {FD751AF8-2DEA-4B77-83AE-A722AFA1E882} - C:\WINDOWS\system32\ddabb.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please copy (Ctrl C) and paste (Ctrl V) the following text into Notepad. Save it to your desktop as FixService1.bat, with "All Files" selected as the file type.

@echo off
rem Stop and unregister the two orphaned services from the log. Their
rem binaries are already gone, so only the service registrations remain;
rem "sc stop" may report that the service is not running, which is expected.
sc stop DomainService
sc delete DomainService
sc stop "Net Agent"
sc delete "Net Agent"
exit


Please post back with a fresh HJT log and an update on how your computer is running.
Double click FixService1.bat. A window will open and close. This is normal.

Edited by __RiP_ChAiN_, 04 August 2007 - 10:44 AM.

#10 geoffre

Posted 08 August 2007 - 11:14 AM

WOW
just want to give a HUGE thanks for all of your help.
my computer is running 200% better now thanks to all your hardwork.
i'm really thankful for people like you out there that dedicate yourselves to helping out those of us who FUBAR our systems.
it is very much appreciated.

as a side note right now i'm using comodo firewall pro to guard my computer. do you think that is sufficient? there's always bunches of svchost.exe that request access and while i allow them i'm not sure how to tell which of those is necessary and which are not.

#11 geoffre

Posted 09 August 2007 - 02:03 PM

oh sorry heres the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:17 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 3900 bytes

#12 __RiP_ChAiN_

Posted 11 August 2007 - 02:10 AM

Hello geoffre,

as a side note right now i'm using comodo firewall pro to guard my computer. do you think that is sufficient? there's always bunches of svchost.exe that request access and while i allow them i'm not sure how to tell which of those is necessary and which are not.

That should be a sufficient firewall. As long as the filename is svchost.exe, it should be all right to allow it.

Open Notepad and copy (Ctrl C) and paste (Ctrl V) the following text into it:

REGEDIT4

; The leading hyphen tells Regedit to delete the whole key, removing the
; DomainService registration that was still present after the batch file ran.
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService]

Save it to your desktop as fix133.reg, with "All Files" selected as the file type.
Double-click fix133.reg and, when prompted, allow it to merge with the registry.

Then please post back with a new HijackThis log.
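
Both the FixService1.bat step in post #9 (orphaned O23 services removed with sc stop / sc delete) and the svchost.exe question answered above come down to the same reading of an HJT log: which entries point at a binary that is gone, and which running processes merely borrow a Windows name. The script below is an added example for this thread, not part of HijackThis or of anyone's post here. It parses HJT-format lines, applies those checks and emits a proposed batch script in the same form as FixService1.bat. For svchost.exe and the other core names it treats the directory, not just the filename, as the deciding factor, since a file named svchost.exe outside System32 is exactly what a disguise looks like. The sample log is constructed: the O2/O23 lines are copied from the logs posted in this thread, the two process paths are made up to exercise the path check, and the look-alike name list and the BHO registry locations are my own additions, not anything the thread states.

```python
"""Triage a HijackThis-format log for the three things a helper checks by eye.

Added example for this thread; not part of HijackThis or of any post here.
  1. A process carrying a core Windows name (svchost.exe, csrss.exe, ...)
     that is not running from %SystemRoot%\\System32, or a look-alike name.
  2. O2 BHO entries whose DLL is gone ("(file missing)").
  3. O23 services whose binary is gone, with the owner recorded.
The output is a proposed batch script in the form the thread used
(sc stop / sc delete for services, reg delete for BHO registrations).
"""
import re
from dataclasses import dataclass, field

SYSTEM32 = r"c:\windows\system32"   # assumption: default install on drive C:
# Names that legitimately run only from System32.
CORE_NAMES = {"svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
              "services.exe", "winlogon.exe"}
# Misspellings chosen to blend in with the real names (my own list; extend as needed).
LOOKALIKES = {"svhost.exe", "scvhost.exe", "svchosts.exe", "svch0st.exe",
              "lsas.exe", "lssas.exe", "csrs.exe"}
# Where Internet Explorer looks up BHOs; the CLSID also has its own HKCR entry.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# HJT prints "Display Name (ServiceName)"; the short name is what sc and reg need.
SHORT_NAME_RE = re.compile(r"^(.*?)(?: \(([^()]+)\))?$")
MISSING = " (file missing)"


@dataclass
class Findings:
    bad_processes: list = field(default_factory=list)    # (path, reason)
    orphan_bhos: list = field(default_factory=list)      # (clsid, path)
    orphan_services: list = field(default_factory=list)  # (service, owner, path)


def triage(log_text):
    f = Findings()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                  # a blank line ends the process list
                in_procs = False
                continue
            folder, _, name = line.lower().rpartition("\\")
            if name in LOOKALIKES:
                f.bad_processes.append((line, "look-alike of a Windows process name"))
            elif name in CORE_NAMES and folder != SYSTEM32:
                f.bad_processes.append((line, "core Windows name outside System32"))
            continue
        if line.startswith("O2 - BHO: "):
            parts = line[len("O2 - BHO: "):].rsplit(" - ", 2)   # name, CLSID, path
            if len(parts) == 3 and parts[2].endswith(MISSING):
                f.orphan_bhos.append((parts[1], parts[2][: -len(MISSING)]))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)   # display, owner, path
            if len(parts) == 3 and parts[2].endswith(MISSING):
                display, owner, path = parts
                long_name, short = SHORT_NAME_RE.match(display).groups()
                f.orphan_services.append((short or long_name, owner, path[: -len(MISSING)]))
    return f


def fix_commands(f):
    """Batch lines to review before running: leftovers of uninstalled software
    (a WinPcap rpcapd stub, say) are also 'orphaned' and are harmless."""
    cmds = ["@echo off"]
    for svc, owner, path in f.orphan_services:
        cmds.append(f"rem service {svc} ({owner}), binary missing: {path}")
        cmds.append(f'sc stop "{svc}"')
        cmds.append(f'sc delete "{svc}"')
    for clsid, path in f.orphan_bhos:
        cmds.append(f"rem BHO {clsid}, DLL missing: {path}")
        cmds.append(f'reg delete "{BHO_KEY}\\{clsid}" /f')
        cmds.append(f'reg delete "HKCR\\CLSID\\{clsid}" /f')
    for path, reason in f.bad_processes:      # needs a human decision; no auto-kill
        cmds.append(f"rem INVESTIGATE {path}: {reason}")
    return cmds


# Constructed sample: the O2/O23 lines are copied from the logs posted in this
# thread; the process paths are made up to exercise the path check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svhost.exe
C:\DOCUME~1\USER\MYDOCU~1\csrss.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {4DDCACED-3451-6FD9-2971-4FB67838F3C9} - C:\WINDOWS\system32\tvhxj.dll (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjjjfeoo.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
"""

if __name__ == "__main__":
    print("\n".join(fix_commands(triage(SAMPLE_LOG))))
```

Running it prints a batch file that stops and deletes DomainService, Net Agent and rpcapd, removes the tvhxj.dll BHO registration, and lists the two processes for investigation without touching them. Note that rpcapd is proposed too, even though it is only a leftover of an uninstalled WinPcap; that is why the output is a proposal to read through, not a script to run blind, and it matches the thread, where only DomainService and Net Agent were removed. Spybot's SDHelper shows "(no name)" but its DLL is present, so "(no name)" on its own is not a reason to remove an entry.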

#13 geoffre

Posted 12 August 2007 - 09:31 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:03 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 3960 bytes

#14 __RiP_ChAiN_

Posted 12 August 2007 - 01:41 PM

Hello geoffre,

Your HJT log looks good. Is your computer running pretty well?

Edited by __RiP_ChAiN_, 12 August 2007 - 01:41 PM.

#15 geoffre

Posted 13 August 2007 - 10:54 AM

so far so good~!!

thanks for everything!



