
Multiple Infections: Virtumonde, Abetterinternet.nail Plus Others


20 replies to this topic

#1 DGruber58

  • Members
  • 13 posts

Posted 27 July 2006 - 12:41 PM

I followed the spyware clean-up thread from the stickies, but still have some recurring infections. Ad-Aware finds Virtumonde, ABetterInternet.nail, a Windows object (system32\vtpik.exe), and the MRU list. SpyHunter finds WildTangent registry entries; BookedSpace, Look2Me, NewDotNet, SurfSideKick, Trojan.drev downloader, and Trojan.Qoologic files. Spybot S&D finds a NoAdware registry entry, SpyHunter itself, Virtumonde, and Web Nexus.

I've tried VundoFix and VirtumundoBeGone, but they haven't worked.

Here is my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 1:04:17 PM, on 7/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Winnt\Cpqdiag\Cpqdfwag.exe
C:\WINNT\System32\svchost.exe
C:\Winnt\system32\LxrJD31s.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Winnt\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\stisvc.exe
C:\Winnt\wanmpsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\DRS\PFLN.EXE
C:\Winnt\system32\W3DBSMGR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Documents and Settings\dhenry\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\Winnt\system32\vtpik.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,gpwmuhu.exe
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\Winnt\system32\mllmm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\dhenry\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Winnt\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Winnt\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153335756562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C8B0EC-C2E6-4A18-896D-6E253B81F6C8}: NameServer = 198.190.226.3,198.190.226.30
O20 - Winlogon Notify: mllmm - C:\Winnt\system32\mllmm.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\Winnt\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\Winnt\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pervasive.SQL - Unknown owner - C:\WINNT\system32\Srvany.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Winnt\wanmpsvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

thanks for any suggestions.
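A triage script for the log above, added here as an example and not part of the original post. It parses the F2 (system.ini Shell/UserInit), O2 (BHO) and O20 (Winlogon Notify) lines that HijackThis emits and flags the three hijacks this log shows: an extra executable chained onto the Shell value, an extra executable appended to UserInit, and a DLL that is registered both as a BHO and as a Winlogon notification package. That last pairing is the classic Vundo/Virtumonde layout and is why plain file deletion fails: winlogon.exe loads the DLL before the desktop appears, so it is already in memory when the cleaner runs. The allow-list of Winlogon Notify names is an assumption for the example (a partial set of the stock Windows 2000/XP entries), so an unknown name is reported for review rather than declared malicious.

```python
"""Triage a HijackThis (v1.99) log for Winlogon-level persistence.

Added example, not code from the original post. It understands the F2,
O2 and O20 line formats HijackThis emits and reports the hijacks that
are visible in the log above.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str    # which check fired
    detail: str  # the suspicious value
    line: str    # the full log line, for reference


# Winlogon Notify subkeys that ship with Windows 2000/XP. This is an
# assumed, partial allow-list for the example; anything not on it is
# reported for review rather than declared malicious.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn",
    "termsrv", "wlballoon", "wzcnotif", "sccertprop", "schedule",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# Lines taken from the HijackThis log in the post above; the R1, O4 and
# O23 lines are included to show that benign entries are not reported.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\Winnt\system32\vtpik.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,gpwmuhu.exe
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\Winnt\system32\mllmm.dll
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O20 - Winlogon Notify: mllmm - C:\Winnt\system32\mllmm.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
"""


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (or a bare file name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    bho_dlls: Dict[str, str] = {}     # dll basename -> O2 line
    notify_dlls: Dict[str, str] = {}  # dll basename -> O20 line

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = F2_RE.match(line)
        if m:
            # Shell should be exactly Explorer.exe and UserInit exactly
            # userinit.exe; every extra comma-separated entry is a program
            # that winlogon will launch at every logon.
            key, value = m.group(1), m.group(2)
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            for part in (p.strip() for p in value.split(",") if p.strip()):
                if _basename(part) != expected:
                    findings.append(Finding(f"F2-{key}", part, line))
            continue

        m = O2_RE.match(line)
        if m:
            bho_dlls[_basename(m.group(1))] = line
            continue

        m = O20_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2)
            notify_dlls[_basename(path)] = line
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20-unknown-notify", name, line))
            continue

    # A DLL that is both a BHO and a Winlogon notification package is the
    # Vundo/Virtumonde pattern: it runs inside IE and inside winlogon.exe.
    for dll, line in bho_dlls.items():
        if dll in notify_dlls:
            findings.append(Finding("O2+O20-same-dll", dll, line))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Running it prints the four findings from the sample lines (vtpik.exe on Shell, gpwmuhu.exe on UserInit, the unknown notify package mllmm, and mllmm.dll appearing in both O2 and O20); pass the text of a full log to `triage()` to run the same checks over every line.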


#2 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 27 July 2006 - 08:11 PM

1. Download this file:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Member ASAP

#3 DGruber58

  • Topic Starter
  • Members
  • 13 posts

Posted 28 July 2006 - 12:24 PM

Thanks. The infected computer is actually my boss's, and I won't be in again until Monday. I'll try that and post the log then.

#4 DGruber58

  • Topic Starter
  • Members
  • 13 posts

Posted 31 July 2006 - 01:40 PM

OK, here's the ComboFix log:
Start Time= Mon 07/31/2006 14:28:42.87
Running from: C:\Documents and Settings\dhenry\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{6D6B8BA1-10E0-403E-8CCB-67A8EDDF09B4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6D6B8BA1-10E0-403E-8CCB-67A8EDDF09B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6D6B8BA1-10E0-403E-8CCB-67A8EDDF09B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6D6B8BA1-10E0-403E-8CCB-67A8EDDF09B4}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\SYSTEM32\fpj2031oe.dll
C:\WINNT\SYSTEM32\k226lcfs1f26.dll
C:\WINNT\SYSTEM32\l44qleh51h4.dll
C:\WINNT\SYSTEM32\lv8609lse.dll
C:\WINNT\SYSTEM32\m446lehs1h46.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

14:29:44.53

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\Winnt\system32\fkyekb.exe
C:\Winnt\system32\vtpik.exe
C:\Winnt\system32\gpwmuhu.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-19 14:09:54 127,488 "C:\WINNT\system32\fkyekb.exe"
2006-07-19 16:49:46 288,768 "C:\WINNT\system32\webmsn.exe"
2006-07-19 12:27:06 95,744 "C:\WINNT\system32\smntp.exe"
2006-07-19 12:30:04 48,187 "C:\WINNT\system32\VSL03.exe"
2006-07-19 14:09:50 48,167 "C:\WINNT\system32\VSL05.exe"
2006-07-19 14:09:54 28,672 "C:\WINNT\system32\vtpik.exe"
2006-07-19 14:09:54 23,552 "C:\WINNT\system32\gpwmuhu.exe"
2006-05-31 19:53:34 104,008 "C:\WINNT\system32\AOLDial.dll"
2006-07-19 14:09:54 51,712 "C:\WINNT\system32\lryebjg.dll"
2006-07-19 12:32:34 8,464 "C:\WINNT\system32\sporder.dll"
2006-07-21 12:04:18 278,528 "C:\WINNT\system32\pncrt.dll"
2006-07-28 15:27:52 127,488 "C:\WINNT\system32\kinhv.dat"
2006-06-23 11:22:08 9,216 "C:\WINNT\aadsi.dll"
2006-07-31 14:27:00 388 "C:\WINNT\efflb.dll"
2006-07-22 09:13:50 3,072 "C:\WINNT\mozver.dat"
2006-07-19 14:09:46 53 "C:\WINNT\wclloo.dat"
2006-07-19 14:09:54 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xrlfq.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07/19/2006 02:09p 127,488 xrlfq.exe.vir
07/19/2006 02:09p 127,488 fkyekb.exe.vir
07/28/2006 03:27p 127,488 kinhv.dat.vir
07/19/2006 02:09p 51,712 lryebjg.dll.vir
07/19/2006 02:09p 28,672 vtpik.exe.vir
07/19/2006 02:09p 23,552 gpwmuhu.exe.vir
07/19/2006 02:09p 53 wclloo.dat.vir
07/24/2006 06:21p 0 mllmm.dll.vir.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-19 16:49:46 288,768 "C:\WINNT\system32\webmsn.exe"
2006-07-19 12:27:06 95,744 "C:\WINNT\system32\smntp.exe"
2006-07-19 12:30:04 48,187 "C:\WINNT\system32\VSL03.exe"
2006-07-19 14:09:50 48,167 "C:\WINNT\system32\VSL05.exe"
2006-05-31 19:53:34 104,008 "C:\WINNT\system32\AOLDial.dll"
2006-07-19 12:32:34 8,464 "C:\WINNT\system32\sporder.dll"
2006-07-21 12:04:18 278,528 "C:\WINNT\system32\pncrt.dll"
2006-06-23 11:22:08 9,216 "C:\WINNT\aadsi.dll"
2006-07-31 14:27:00 388 "C:\WINNT\efflb.dll"
2006-07-22 09:13:50 3,072 "C:\WINNT\mozver.dat"


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Winnt\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



14:32:58.43
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrdd_6.exe
C:\nwnmdd_6.exe
C:\kybrddd_6.exe
C:\Documents and Settings\DRS\Local Settings\Temporary Internet Files\Content.IE5\6GPTIXPR\drsmartload832a[1].exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-31 14:28:06 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-07-31 14:27:00 388 ( A.... ) "C:\WINNT\efflb.dll"
2006-07-25 15:19:16 65556 ( A.... ) "C:\WINNT\system32\aqdktkgi.exe"
2006-07-25 13:19:42 ( .D... ) "C:\Program Files\WinZip"
2006-07-25 10:56:34 ( .D... ) "C:\Program Files\PacificPoker"
2006-07-24 15:56:10 ( .D... ) "C:\Documents and Settings\dhenry\Application Data\Lavasoft"
2006-07-24 15:56:02 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-22 09:14:10 ( .D... ) "C:\Documents and Settings\dhenry\Application Data\Sun"
2006-07-22 09:13:26 ( .D... ) "C:\Program Files\Java"
2006-07-22 09:11:48 ( AD... ) "C:\Program Files\Common Files"
2006-07-22 09:11:48 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-22 08:14:42 17750 ( A.... ) "C:\WINNT\system32\mqjuprtk.exe"
2006-07-21 12:04:46 157696 ( A.... ) "C:\WINNT\system32\rmoc3260.dll"
2006-07-21 12:04:18 278528 ( A.... ) "C:\WINNT\system32\pncrt.dll"
2006-07-21 12:04:18 6656 ( A.... ) "C:\WINNT\system32\pndx5016.dll"
2006-07-21 12:04:18 5632 ( A.... ) "C:\WINNT\system32\pndx5032.dll"
2006-07-21 12:04:18 ( .D... ) "C:\Program Files\Real"
2006-07-21 10:08:32 17750 ( A.... ) "C:\WINNT\system32\bgrinkxs.exe"
2006-07-20 19:18:22 ( .D... ) "C:\Program Files\Registry Clean Expert"
2006-07-20 18:42:16 20480 ( A.... ) "C:\wksv.exe"
2006-07-20 18:25:02 ( AD... ) "C:\Program Files\Yahoo!"
2006-07-20 16:36:42 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-20 16:32:32 ( .D... ) "C:\Documents and Settings\dhenry\Application Data\Mozilla"
2006-07-20 16:15:08 1063 ( A.... ) "C:\WINNT\system32\jxeceb22.sys"
2006-07-20 16:15:08 1063 ( A.... ) "C:\WINNT\system32\jxeceb22.sys"
2006-07-20 14:25:10 ( AD... ) "C:\Program Files\Spyware Doctor"
2006-07-20 14:17:34 ( AD... ) "C:\Program Files\Crystalys media"
2006-07-20 13:53:00 2609628 ( A.... ) "C:\setup.exe"
2006-07-20 13:42:16 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-20 12:34:46 ( .D... ) "C:\Documents and Settings\dhenry\Application Data\McAfee.com Personal Firewall"
2006-07-20 12:34:00 ( AD... ) "C:\Program Files\AOL"
2006-07-20 12:27:26 23280 ( A.... ) "C:\WINNT\icont.exe"
2006-07-20 12:26:22 ( .D... ) "C:\Program Files\mcafee.com"
2006-07-20 12:24:28 ( .D... ) "C:\Program Files\Common Files\McAfee"
2006-07-20 12:10:38 ( AD... ) "C:\Program Files\Symantec_Client_Security"
2006-07-20 12:03:26 ( AD... ) "C:\Program Files\Symantec"
2006-07-19 16:49:46 288768 ( A.... ) "C:\WINNT\system32\webmsn.exe"
2006-07-19 15:30:34 686 ( A.... ) "C:\PPCleanDeleteAtReboot.bat"
2006-07-19 15:22:34 8112616 ( A.... ) "C:\sdsetup.exe"
2006-07-19 15:14:34 45086 ( A.... ) "C:\WINNT\system32\ordsregj.exe"
2006-07-19 14:59:58 66984 ( A.... ) "C:\STOPzilla_Setup.exe"
2006-07-19 14:30:20 ( .D... ) "C:\Program Files\PartyPoker"
2006-07-19 14:11:36 1392640 ( A.... ) "C:\WINNT\cfg32a.exe"
2006-07-19 14:11:02 ( AD... ) "C:\Program Files\Analog Devices"
2006-07-19 14:10:56 ( AD... ) "C:\Program Files\microsoft frontpage"
2006-07-19 14:10:54 38412 ( A.... ) "C:\WINNT\ssqbn.exe"
2006-07-19 14:10:12 2088960 ( A.... ) "C:\WINNT\cfg32.exe"
2006-07-19 14:09:58 159884 ( A.... ) "C:\WINNT\system32\kwinspez.exe"
2006-07-19 14:09:56 20480 ( A.... ) "C:\stub_sca3.exe"
2006-07-19 14:09:50 48167 ( A.... ) "C:\WINNT\system32\VSL05.exe"
2006-07-19 14:09:38 61440 ( A.... ) "C:\WINNT\system32\jxeceb22.dll"
2006-07-19 14:09:34 2560 ( A.... ) "C:\ac3_0003.exe"
2006-07-19 12:38:12 143360 ( A.... ) "C:\WINNT\win320748055662.exe"
2006-07-19 12:32:48 242230 ( A.... ) "C:\siteError.exe"
2006-07-19 12:32:34 8464 ( A.... ) "C:\WINNT\system32\sporder.dll"
2006-07-19 12:32:24 ( .D... ) "C:\Program Files\Cowabanga"
2006-07-19 12:32:14 587776 ( A.... ) "C:\626_101new.exe"
2006-07-19 12:31:58 2827 ( A.... ) "C:\WINNT\system32\nkl2.exe"
2006-07-19 12:31:56 290816 ( A.... ) "C:\installerwnusnew.exe"
2006-07-19 12:30:54 266240 ( A.... ) "C:\NNSCAA638.EXE"
2006-07-19 12:30:04 48187 ( A.... ) "C:\WINNT\system32\VSL03.exe"
2006-07-19 12:27:24 28672 ( A.... ) "C:\WINNT\system32ftuninst.exe"
2006-07-19 12:27:24 28672 ( A.... ) "C:\WINNT\system32\ftuninst.exe"
2006-07-19 12:27:06 95744 ( A.SH. ) "C:\WINNT\system32\smntp.exe"
2006-06-29 13:28:56 ( .D... ) "C:\Documents and Settings\dhenry\Application Data\Real"
2006-06-23 11:22:08 9216 ( A.... ) "C:\WINNT\aadsi.dll"
2006-06-21 10:57:08 2508 ( A.... ) "C:\Documents and Settings\dhenry\Application Data\$_hpcst$.hpc"
2006-06-21 10:55:40 ( AD... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINNT\system32\ssn6tuu.exe_tobedeleted"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINNT\system32\nr1rnqm8.exe"
2006-06-07 13:55:52 3626 ( A.... ) "C:\Program Files\Common Files\vikof.html"
2006-05-31 19:53:34 104008 ( A.... ) "C:\WINNT\system32\AOLDial.dll"
2002-08-23 12:50:24 21952 ( A..H. ) "C:\Program Files\folder.htt"
2002-08-23 12:50:24 271 ( A..H. ) "C:\Program Files\desktop.ini"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-25 15:19 65,556 C:\Winnt\system32\aqdktkgi.exe
2006-07-22 09:13 49,250 C:\Winnt\system32\javaw.exe
2006-07-22 09:13 49,248 C:\Winnt\system32\java.exe
2006-07-22 09:13 127,078 C:\Winnt\system32\javaws.exe
2006-07-22 08:14 17,750 C:\Winnt\system32\mqjuprtk.exe
2006-07-21 12:04 6,656 C:\Winnt\system32\pndx5016.dll
2006-07-21 12:04 5,632 C:\Winnt\system32\pndx5032.dll
2006-07-21 12:04 278,528 C:\Winnt\system32\pncrt.dll
2006-07-21 12:04 157,696 C:\Winnt\system32\rmoc3260.dll
2006-07-21 10:08 17,750 C:\Winnt\system32\bgrinkxs.exe
2006-07-20 13:53 78,488 C:\Winnt\system32\XMD5.dll
2006-07-20 13:53 101,888 C:\Winnt\system32\vb6stkit.dll
2006-07-20 13:52 2,609,628 C:\setup.exe
2006-07-20 12:33 8,704 C:\Winnt\system32\MPFApi.dll
2006-07-20 12:32 41,018 C:\Winnt\system32\EntAPI.dll
2006-07-20 12:30 401,462 C:\Winnt\system32\msvcp60.dll
2006-07-20 12:28 82,432 C:\Winnt\system32\msxml4r.dll
2006-07-20 12:28 44,544 C:\Winnt\system32\msxml4a.dll
2006-07-20 12:27 1,233,920 C:\Winnt\system32\msxml4.dll
2006-07-20 12:24 89,088 C:\Winnt\system32\atl71.dll
2006-07-20 11:48 73,728 C:\Winnt\system32\asuninst.exe
2006-07-20 11:48 11,776 C:\Winnt\system32\ZPORT4AS.dll
2006-07-19 16:48 288,768 C:\Winnt\system32\webmsn.exe
2006-07-19 15:30 686 C:\PPCleanDeleteAtReboot.bat
2006-07-19 15:22 8,112,616 C:\sdsetup.exe
2006-07-19 15:14 45,086 C:\Winnt\system32\ordsregj.exe
2006-07-19 15:06 465,176 C:\Winnt\system32\wuapi.dll
2006-07-19 15:06 41,240 C:\Winnt\system32\wups.dll
2006-07-19 15:06 194,328 C:\Winnt\system32\wuaueng1.dll
2006-07-19 15:06 18,200 C:\Winnt\system32\wups2.dll
2006-07-19 15:06 172,312 C:\Winnt\system32\wuauclt1.exe
2006-07-19 15:06 127,256 C:\Winnt\system32\wucltui.dll
2006-07-19 14:59 66,984 C:\STOPzilla_Setup.exe
2006-07-19 14:11 1,392,640 C:\Winnt\cfg32a.exe
2006-07-19 14:10 38,412 C:\Winnt\ssqbn.exe
2006-07-19 14:10 2,088,960 C:\Winnt\cfg32.exe
2006-07-19 14:09 61,440 C:\Winnt\system32\jxeceb22.dll
2006-07-19 14:09 48,167 C:\Winnt\system32\VSL05.exe
2006-07-19 14:09 388 C:\Winnt\efflb.dll
2006-07-19 14:09 20,480 C:\stub_sca3.exe
2006-07-19 14:09 2,560 C:\ac3_0003.exe
2006-07-19 14:09 159,884 C:\Winnt\system32\kwinspez.exe
2006-07-19 14:09 1,063 C:\Winnt\system32\jxeceb22.sys
2006-07-19 13:24 23,280 C:\Winnt\icont.exe
2006-07-19 12:38 143,360 C:\Winnt\win320748055662.exe
2006-07-19 12:32 8,464 C:\Winnt\system32\sporder.dll
2006-07-19 12:32 587,776 C:\626_101new.exe
2006-07-19 12:32 242,230 C:\siteError.exe
2006-07-19 12:31 290,816 C:\installerwnusnew.exe
2006-07-19 12:31 2,827 C:\Winnt\system32\nkl2.exe
2006-07-19 12:30 48,187 C:\Winnt\system32\VSL03.exe
2006-07-19 12:30 266,240 C:\NNSCAA638.EXE
2006-07-19 12:27 95,744 C:\Winnt\system32\smntp.exe
2006-07-19 12:27 28,672 C:\Winnt\system32ftuninst.exe
2006-07-19 12:27 28,672 C:\Winnt\system32\ftuninst.exe
2006-07-19 12:27 24,576 C:\Winnt\system32\nr1rnqm8.exe
2006-07-19 12:27 20,480 C:\wksv.exe
2006-07-08 12:24 65,536 C:\Winnt\wanmpsvc.exe
2006-06-23 11:22 9,216 C:\Winnt\aadsi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\Documents and Settings\\dhenry\\Desktop\\msconfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\Winnt\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"qruu"="c:\\stub_113_4_0_4_0new.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^xrlfq.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\xrlfq.exe"
"backup"="C:\\Winnt\\pss\\xrlfq.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\xrlfq.exe"
"item"="xrlfq"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bykxl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fkyekb"
"hkey"="HKCU"
"command"="C:\\Winnt\\system32\\fkyekb.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartEAK"
"hkey"="HKLM"
"command"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD50]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CreateCD50"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvLsnr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrvLsnr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ecdvjy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fkyekb"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\fkyekb.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fm3032"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 4200 Series\\Fax\\fm3032.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftexc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mptft"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\mptft.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcescomm"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhl7RfpJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssn6tuu"
"hkey"="HKLM"
"command"="\"C:\\Winnt\\system32\\ssn6tuu.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133538246\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jxeceb22]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w041e92b.dll,n 001ceb2100000003041e92b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbmbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 4200 Series\\lxbmbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTWinModem1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ltmsg"
"hkey"="HKLM"
"command"="ltmsg.exe 9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Activation"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MPfTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ngctw32"
"hkey"="HKLM"
"command"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdll.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fkyekb"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\fkyekb.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SetRefresh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywarebot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareBot"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSCRun"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133538246\\ee\\services\\sscFirewallPlugin\\ver1_205_1_1\\SSCRun.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mobsync"
"hkey"="HKLM"
"command"="mobsync.exe /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320748055662]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win320748055662"
"hkey"="HKLM"
"command"="C:\\Winnt\\win320748055662.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (smntp.exe)]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smntp"
"hkey"="HKLM"
"command"="rundll32.exe C:\\Winnt\\system32\\smntp.exe,start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_WinMain]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winexec"
"hkey"="HKLM"
"command"="C:\\Winnt\\winexec.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=dword:00000002




Contents of the 'Scheduled Tasks' folder
C:\Winnt\tasks\Ad-Aware SE Personal.job
C:\Winnt\tasks\DRS_Backup.job
C:\Winnt\tasks\SAVDefn.job
C:\Winnt\tasks\Spybot - Search & Destroy.job

Completion time: Mon 07/31/2006 14:33:03.23
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

And here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:39:07 PM, on 7/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Winnt\Cpqdiag\Cpqdfwag.exe
C:\WINNT\System32\svchost.exe
C:\Winnt\system32\LxrJD31s.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Winnt\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\stisvc.exe
C:\Winnt\wanmpsvc.exe
C:\Winnt\Explorer.EXE
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dhenry\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\Winnt\system32\mllmm.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\dhenry\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Winnt\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Winnt\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153335756562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C8B0EC-C2E6-4A18-896D-6E253B81F6C8}: NameServer = 198.190.226.3,198.190.226.30
O20 - Winlogon Notify: mllmm - C:\Winnt\system32\mllmm.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\Winnt\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\Winnt\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pervasive.SQL - Unknown owner - C:\WINNT\system32\Srvany.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Winnt\wanmpsvc.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


thanks

#5 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:09:20 AM

Posted 31 July 2006 - 03:10 PM

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

===============

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 31 July 2006 - 05:47 PM

When I click Run as task, nothing happens. I let it sit for a minute :thumbsup: but nothing happens. If I just click Scan for Vundo, it cannot find anything. Any ideas?

#7 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:09:20 AM

Posted 31 July 2006 - 06:22 PM

Make sure you put vundofix in C:\
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 01 August 2006 - 03:15 PM

Ok, after putting it in C:, it worked, but it didn't find any Virtumonde files. I'm running spysweeper now, so I'll post new logs in a few.

#9 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 01 August 2006 - 03:55 PM

Ok, here is the SpySweeper log:

4:47 PM: Removal process completed. Elapsed time 00:00:29
4:46 PM: Quarantining All Traces: videodome cookie
4:46 PM: Quarantining All Traces: 2o7.net cookie
4:46 PM: Quarantining All Traces: exitexchange cookie
4:46 PM: Quarantining All Traces: tacoda cookie
4:46 PM: Quarantining All Traces: yieldmanager cookie
4:46 PM: Quarantining All Traces: deskwizz
4:46 PM: Quarantining All Traces: mrfindalot hijack
4:46 PM: Quarantining All Traces: command
4:46 PM: Quarantining All Traces: logih adware
4:46 PM: Quarantining All Traces: linkmaker
4:46 PM: Quarantining All Traces: siteerror hijacker
4:46 PM: Quarantining All Traces: trojan-downloader-basebar
4:46 PM: Quarantining All Traces: trojan-dropper-joiner
4:46 PM: Quarantining All Traces: zquest
4:46 PM: Quarantining All Traces: bookedspace
4:46 PM: Quarantining All Traces: enbrowser
4:46 PM: Quarantining All Traces: forethought
4:46 PM: Quarantining All Traces: winantivirus pro
4:46 PM: Quarantining All Traces: mit toolbar
4:46 PM: Quarantining All Traces: safesearch
4:46 PM: Quarantining All Traces: visfx
4:46 PM: Quarantining All Traces: trojan-downloader-ac2
4:46 PM: Quarantining All Traces: zenosearchassistant
4:46 PM: Quarantining All Traces: clkoptimizer
4:46 PM: Quarantining All Traces: trojan-downloader-209.167.111.10x
4:46 PM: Quarantining All Traces: virtumonde
4:46 PM: Removal process initiated
4:46 PM: Traces Found: 85
4:46 PM: Full Sweep has completed. Elapsed time 00:10:31
4:46 PM: File Sweep Complete, Elapsed Time: 00:08:43
4:45 PM: C:\WINNT\RGFuIEhlbnJ5\l3IRKH15vBLc.vbs (ID = 185675)
4:45 PM: Warning: Failed to access drive D:
4:45 PM: Warning: Failed to open file "c:\drs\training\2fri-h.txt". The operation completed successfully
4:45 PM: Warning: Failed to open file "c:\drs\training\2fri-l.txt". The operation completed successfully
4:45 PM: Warning: Failed to open file "c:\drs\training\1tue-h.txt". The operation completed successfully
4:45 PM: Warning: Failed to open file "c:\drs\training\1tue-l.txt". The operation completed successfully
4:45 PM: Warning: Failed to open file "c:\documents and settings\dhenry\application data\mozilla\firefox\profiles\xoktvekb.default user\parent.lock". The operation completed successfully
4:45 PM: C:\QooBox\xrlfq.exe.vir (ID = 268995)
4:45 PM: C:\WINNT\system32ftuninst.exe (ID = 315429)
4:45 PM: C:\Program Files\microsoft frontpage\xumyhucix.html (ID = 323861)
4:45 PM: C:\Program Files\Common Files\vikof.html (ID = 310472)
4:45 PM: Found Adware: deskwizz
4:45 PM: C:\WINNT\aadsi.dll (ID = 323385)
4:44 PM: C:\WINNT\system32\nr1rnqm8.exe (ID = 320457)
4:44 PM: C:\WINNT\pss\xrlfq.exeCommon Startup (ID = 268995)
4:44 PM: C:\Program Files\Analog Devices\vifyt.dll (ID = 301391)
4:44 PM: C:\WINNT\cfg32a.exe (ID = 310417)
4:44 PM: C:\WINNT\win320748055662.exe (ID = 320461)
4:44 PM: C:\WINNT\ssqbn.exe (ID = 323511)
4:44 PM: C:\WINNT\system32\ssn6tuu.exe_tobedeleted (ID = 315428)
4:44 PM: Found Adware: linkmaker
4:44 PM: c:\winnt\downloaded program files\uwa6p_0001_n91m1807netinstaller.exe (ID = 327827)
4:44 PM: C:\Documents and Settings\Default User\Desktop\TagASaurus.exe (ID = 244271)
4:44 PM: C:\626_101new.exe (ID = 320775)
4:44 PM: Found Adware: visfx
4:44 PM: C:\WINNT\system32\ftuninst.exe (ID = 315429)
4:44 PM: C:\installerwnusnew.exe (ID = 271215)
4:43 PM: C:\siteError.exe (ID = 325654)
4:43 PM: Found Adware: siteerror hijacker
4:43 PM: C:\WINNT\system32\VSL05.exe (ID = 299775)
4:43 PM: C:\WINNT\lt.exe (ID = 319946)
4:43 PM: Found Trojan Horse: trojan-downloader-basebar
4:43 PM: C:\QooBox\lryebjg.dll.vir (ID = 268933)
4:43 PM: C:\WINNT\cfg32.exe (ID = 309922)
4:43 PM: C:\stub_sca3.exe (ID = 294169)
4:43 PM: C:\WINNT\system32\VSL03.exe (ID = 297448)
4:43 PM: Found Trojan Horse: trojan-dropper-joiner
4:43 PM: C:\ac3_0003.exe (ID = 319965)
4:42 PM: C:\Program Files\Analog Devices\auxe.exe (ID = 302027)
4:42 PM: Found Adware: zquest
4:42 PM: C:\WINNT\system32\jxeceb22.dll (ID = 320289)
4:42 PM: Found Trojan Horse: trojan-downloader-ac2
4:39 PM: C:\WINNT\system32\ordsregj.exe (ID = 293)
4:39 PM: Found Adware: zenosearchassistant
4:39 PM: C:\QooBox\gpwmuhu.exe.vir (ID = 268932)
4:38 PM: C:\QooBox\kinhv.dat.vir (ID = 268995)
4:38 PM: C:\QooBox\fkyekb.exe.vir (ID = 268995)
4:38 PM: C:\QooBox\vtpik.exe.vir (ID = 268934)
4:38 PM: Found Adware: clkoptimizer
4:37 PM: C:\Program Files\Crystalys media (11 subtraces) (ID = 2147506546)
4:37 PM: C:\WINNT\zAbstract (5 subtraces) (ID = 2147518024)
4:37 PM: Found Adware: bookedspace
4:37 PM: Starting File Sweep
4:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:37 PM: c:\documents and settings\drs\cookies\drs@videodome[1].txt (ID = 3638)
4:37 PM: Found Spy Cookie: videodome cookie
4:37 PM: c:\documents and settings\drs\cookies\drs@tacoda[2].txt (ID = 6444)
4:37 PM: c:\documents and settings\drs\cookies\drs@partygaming.122.2o7[1].txt (ID = 1958)
4:37 PM: Found Spy Cookie: 2o7.net cookie
4:37 PM: c:\documents and settings\drs\cookies\drs@exitexchange[1].txt (ID = 2633)
4:37 PM: c:\documents and settings\drs\cookies\drs@count1.exitexchange[1].txt (ID = 2634)
4:37 PM: Found Spy Cookie: exitexchange cookie
4:37 PM: c:\documents and settings\drs\cookies\drs@anad.tacoda[2].txt (ID = 6445)
4:37 PM: Found Spy Cookie: tacoda cookie
4:37 PM: c:\documents and settings\drs\cookies\drs@ad.yieldmanager[2].txt (ID = 3751)
4:37 PM: Found Spy Cookie: yieldmanager cookie
4:37 PM: Starting Cookie Sweep
4:37 PM: Registry Sweep Complete, Elapsed Time:00:00:11
4:37 PM: HKU\S-1-5-21-1044922333-2082104615-93339178-1005\software\classes\clsid\band.mitbho\ (ID = 1127768)
4:37 PM: HKU\S-1-5-21-1044922333-2082104615-93339178-1005\software\classes\clsid\clsid\{6379a99a-9102-446c-a837-0623e1810d75}\ (ID = 1127721)
4:37 PM: HKU\S-1-5-21-1044922333-2082104615-93339178-1005\software\system\sysuid\ (ID = 731748)
4:37 PM: Found Adware: enbrowser
4:37 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1554130)
4:37 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 1354274)
4:37 PM: Found Adware: mrfindalot hijack
4:37 PM: HKLM\software\microsoft\windows\currentversion\uninstall\treewood\ (ID = 1352578)
4:37 PM: Found Adware: forethought
4:37 PM: HKLM\software\classes\avexplorer.shellextension.2\ (ID = 1216217)
4:37 PM: HKLM\software\classes\avexplorer.shellextension\ (ID = 1216211)
4:37 PM: HKCR\avexplorer.shellextension.2\ (ID = 1216028)
4:37 PM: HKCR\avexplorer.shellextension\ (ID = 1216022)
4:37 PM: Found Adware: winantivirus pro
4:37 PM: HKLM\software\microsoft\windows\currentversion\ || shellregid (ID = 1172355)
4:37 PM: Found Trojan Horse: trojan-downloader-209.167.111.10x
4:37 PM: HKLM\system\currentcontrolset\services\dp1112\ (ID = 1138322)
4:37 PM: HKLM\software\crystalys media\ (ID = 1103482)
4:37 PM: Found Adware: mit toolbar
4:37 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
4:37 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (ID = 1016064)
4:37 PM: Found Adware: command
4:37 PM: HKLM\software\classes\clsid\{54645654-2225-4455-44a1-9f4543d34546}\ (ID = 945846)
4:37 PM: HKCR\clsid\{54645654-2225-4455-44a1-9f4543d34546}\ (ID = 945838)
4:37 PM: Found Adware: logih adware
4:37 PM: HKLM\software\classes\msevents.msevents.1\ (ID = 749157)
4:37 PM: HKLM\software\classes\msevents.msevents\ (ID = 749153)
4:37 PM: HKCR\msevents.msevents.1\ (ID = 749136)
4:37 PM: HKCR\msevents.msevents\ (ID = 749130)
4:37 PM: Found Adware: virtumonde
4:37 PM: HKCR\typelib\{193fc180-7e97-467e-8cdd-b4385f6d20c4}\ (ID = 140365)
4:37 PM: HKLM\software\classes\typelib\{193fc180-7e97-467e-8cdd-b4385f6d20c4}\ (ID = 140341)
4:37 PM: HKLM\software\classes\interface\{82b382fd-f0cb-444f-9c9c-1ed4ab39e5c0}\ (ID = 140335)
4:37 PM: HKLM\software\classes\interface\{6baf0c72-19b4-46e7-a9b0-c272c79442c0}\ (ID = 140333)
4:37 PM: HKCR\interface\{82b382fd-f0cb-444f-9c9c-1ed4ab39e5c0}\ (ID = 140328)
4:37 PM: HKCR\interface\{6baf0c72-19b4-46e7-a9b0-c272c79442c0}\ (ID = 140326)
4:37 PM: Found Adware: safesearch
4:37 PM: Starting Registry Sweep
4:37 PM: Memory Sweep Complete, Elapsed Time: 00:00:52
4:36 PM: Starting Memory Sweep
4:36 PM: Sweep initiated using definitions version 731
4:36 PM: Spy Sweeper 5.0.5.1286 started
4:36 PM: | Start of Session, Tuesday, August 01, 2006 |
********

And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:03 PM, on 8/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Winnt\Cpqdiag\Cpqdfwag.exe
C:\WINNT\System32\svchost.exe
C:\Winnt\system32\LxrJD31s.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Winnt\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\stisvc.exe
C:\Winnt\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Winnt\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\freecell.exe
C:\Documents and Settings\dhenry\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\dhenry\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Winnt\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Winnt\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153335756562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C8B0EC-C2E6-4A18-896D-6E253B81F6C8}: NameServer = 198.190.226.3,198.190.226.30
O20 - Winlogon Notify: WRNotifier - C:\Winnt\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\Winnt\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\Winnt\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pervasive.SQL - Unknown owner - C:\WINNT\system32\Srvany.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Winnt\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

thanks

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:09:20 AM

Posted 01 August 2006 - 04:16 PM

That looks good - BUT what is disabled in msconfig - we might have other things to fix.

How are things?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 01 August 2006 - 04:50 PM

That looks good - BUT what is disabled in msconfig - we might have other things to fix.

How are things?


The computer is running well. Ad-Aware and SpySweeper aren't finding anything. I have SpySweeper running again just to make sure.

I have most start-up items disabled with msconfig. Some of them are recognizable as to what they are; others I don't know.

mobsync and spysweeperUI are the only checked startup items.

Here is a list of unchecked startup items:
DirectCD (Roxio CD creator)
AOLDial

fkyekb command: C:\Winnt\system32\fkyekb.exe reg_run
location: software\microsoft\windows\currentversion\run

CHKADMIN
StartEAK
CreateCD50
DrvLsnr

fkyekb command: C:\Winnt\system32\fkyekb.exe reg_run
location: software\microsoft\windows\currentversion\run

fm3032 (fax machine)

mptft command: C:\Winnt\system32\mptft.exe
location: software\microsoft\windows\currentversion\run

wcescomm (MS Activesync)

ssn6tuu command: C:\Winnt\system32\ssn6tuu.exe
location: software\microsoft\windows\currentversion\run

AOLSoftware

hkcmd command: C:\Winnt\system32\hkcmd.exe
location: software\microsoft\windows\currentversion\run

igfxtray command: C:\Winnt\system32\igfxtray.exe
location: software\microsoft\windows\currentversion\run

RUNDLL32 command: RUNDLL32.EXE (bunch of characters)
location: software\microsoft\windows\currentversion\run

lxbmbmgr (printer/fax)

ltmsg command: ltmsg.exe 9
location: software\microsoft\windows\currentversion\run

Activation (MS Money)
MPfTray (mcafee)
ngctw32 (Symantec)

fkyekb command: C:\Winnt\system32\fkyekb.exe reg_run
location: software\microsoft\windows\currentversion\run

PortAOL command: C:\Program Files\Pure Networks\Port Magic.exe
gttask (quicktime)
RealPlay (real player)
SetRefresh command: C:\Program Files\Compaq\SetRefresh.exe
Application Launcher (Sony Ericsson related)
SpywareBot
SSCRun (something for AOL)
jusched (java)
mobsync
realsched (real player)
win320748055662 cmd: win320748055662.exe

smntp cmd: rundll32.exe C:\Winnt\system32\smntp.exe,start
location: software\microsoft\windows\currentversion\run

winexec cmd: C:\Winnt\winexec.exe
location: software\microsoft\windows\currentversion\run
xrlfq cmd: C:\Documents and Settings\All Users\Start Menu\Programs\xrlfq.exe
location: Common Startup


I provided information for the ones I'm unsure of. Many of the files don't exist.
thanks

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  • Local time:09:20 AM

Posted 01 August 2006 - 06:02 PM

Enable all entries so that we can clean things up - turning them off in msconfig does not fix the prob!
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
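Unchecking an item in msconfig only moves its Run value into the startupreg key that the ComboFix log above dumps; the executable stays on disk, which is why MFDnSC wants the entries re-enabled before cleaning. As an added example (not part of this thread and not code from any of the tools it mentions), here is a Python parser for that export that recovers each disabled command, checks whether its executable is still present, and flags Run-value names that masquerade as a system module while launching a different file (the `ntdll.dll` entry that runs `fkyekb.exe`). The sample text is constructed from the thread's own entries.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample in the format ComboFix prints for
# HKLM\...\msconfig\startupreg (entries msconfig has disabled).
# The first two are from the thread's log; the third is a vendor entry for contrast.
SAMPLE_STARTUPREG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntdll.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fkyekb"
"hkey"="HKLM"
"command"="C:\\Winnt\\system32\\fkyekb.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (smntp.exe)]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smntp"
"hkey"="HKLM"
"command"="rundll32.exe C:\\Winnt\\system32\\smntp.exe,start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# First module-looking token: stop at a .exe/.dll/... that is followed by
# whitespace, a comma (rundll32 syntax) or end of string, so "mcafee.com\..."
# inside a path does not terminate the match early.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|scr))(?=\s|,|$)', re.IGNORECASE)


def unescape_reg(value: str) -> str:
    """Undo .reg-file escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value) and value[i + 1] in '\\"':
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_startupreg(text: str) -> List[Dict[str, str]]:
    """Return one dict per [section], keyed by the quoted value names."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # The last path component is the original Run value name.
            current = {'value_name': m.group(1).rsplit('\\', 1)[-1]}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = unescape_reg(m.group(2))
    return entries


def executable_from_command(command: str) -> str:
    """Extract the file actually launched by a Run command line."""
    command = command.strip()
    if command.startswith('"'):                     # quoted path with spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    head, _, rest = command.partition(' ')
    if head.lower() == 'rundll32.exe' and rest:     # rundll32 <module>,<entry>
        command = rest.strip()
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(' ', 1)[0]


def summarize(entries: List[Dict[str, str]],
              exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Per entry: launched file, whether it is still on disk, and a masquerade flag."""
    rows = []
    for e in entries:
        name = e['value_name']
        exe = executable_from_command(e.get('command', ''))
        # Run value named like a system module (ntdll.dll) but launching
        # something else is a classic disguise worth a closer look.
        looks_like_module = name.lower().endswith(('.dll', '.exe'))
        masquerade = looks_like_module and \
            os.path.splitext(name)[0].lower() != e.get('item', '').lower()
        rows.append({'value_name': name, 'item': e.get('item', ''),
                     'hive': e.get('hkey', ''), 'executable': exe,
                     'present': exists(exe), 'masquerade': masquerade})
    return rows


if __name__ == '__main__':
    for row in summarize(parse_startupreg(SAMPLE_STARTUPREG)):
        flag = ' MASQUERADE' if row['masquerade'] else ''
        state = 'present' if row['present'] else 'missing'
        print(f"{row['value_name']:<22} {row['executable']} [{state}]{flag}")
```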

#13 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:20 AM

Posted 01 August 2006 - 07:40 PM

Enable all entries so that we can clean things up - turning them off in msconfig does not fix the prob!


Ok, did that; now the computer is running much slower. I have to go, so I couldn't finish the SpySweeper scan. This is the log so far:

8:31 PM: Removal process completed. Elapsed time 00:00:57
8:31 PM: Quarantining All Traces: dollarrevenue
8:31 PM: Quarantining All Traces: linkmaker
8:31 PM: Quarantining All Traces: forethought
8:31 PM: Quarantining All Traces: trojan-phisher-raven
8:31 PM: Quarantining All Traces: trojan-downloader-209.167.111.10x
8:30 PM: Removal process initiated
8:30 PM: Sweep Status: 5 Items Found
8:30 PM: Traces Found: 6
8:30 PM: File Sweep Complete, Elapsed Time: 00:27:35
8:30 PM: Sweep Canceled
8:27 PM: Warning: Failed to access drive D:
8:24 PM: Warning: Failed to open file "c:\drs\training\2fri-h.txt". The operation completed successfully
8:24 PM: Warning: Failed to open file "c:\drs\training\2fri-l.txt". The operation completed successfully
8:24 PM: Warning: Failed to open file "c:\drs\training\1tue-h.txt". The operation completed successfully
8:24 PM: Warning: Failed to open file "c:\drs\training\1tue-l.txt". The operation completed successfully
8:10 PM: C:\Documents and Settings\dhenry\Local Settings\Temporary Internet Files\Content.IE5\ODW3A5OD\drsmartload832a[1].exe (ID = 328562)
8:10 PM: Found Adware: dollarrevenue
8:02 PM: Starting File Sweep
8:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:02 PM: Starting Cookie Sweep
8:02 PM: Registry Sweep Complete, Elapsed Time:00:00:13
8:02 PM: HKLM\software\microsoft\windows\currentversion\run\ || hhl7rfpj (ID = 1390030)
8:02 PM: Found Adware: linkmaker
8:02 PM: HKLM\software\microsoft\windows\currentversion\run\ || ftexc (ID = 1352574)
8:02 PM: Found Adware: forethought
8:02 PM: HKLM\software\microsoft\windows\currentversion\run\ || _winmain (ID = 1169124)
8:02 PM: HKLM\software\microsoft\windows\currentversion\run\ || ntdll.dll (ID = 1044887)
8:02 PM: Found Trojan Horse: trojan-phisher-raven
8:02 PM: Starting Registry Sweep
8:02 PM: Memory Sweep Complete, Elapsed Time: 00:01:19
8:01 PM: Starting Memory Sweep
8:00 PM: HKLM\software\microsoft\windows\currentversion\run\ || _winmain (ID = 1169125)
8:00 PM: Found Trojan Horse: trojan-downloader-209.167.111.10x
8:00 PM: Sweep initiated using definitions version 731
8:00 PM: Spy Sweeper 5.0.5.1286 started
8:00 PM: | Start of Session, Tuesday, August 01, 2006 |

and my hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:48 PM, on 8/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Winnt\Cpqdiag\Cpqdfwag.exe
C:\WINNT\System32\svchost.exe
C:\Winnt\system32\LxrJD31s.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Winnt\system32\regsvc.exe
C:\Winnt\system32\MSTask.exe
C:\Winnt\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Winnt\system32\stisvc.exe
C:\Winnt\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Winnt\System32\WBEM\WinMgmt.exe
C:\Winnt\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Winnt\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Winnt\system32\ltmsg.exe
C:\Winnt\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\AOL\1133538246\ee\aolsoftware.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\program files\common files\aol\1133538246\ee\services\sscAntiSpywarePlugin\ver1_205_1_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1133538246\ee\aolssc.exe
C:\Winnt\system32\W3DBSMGR.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dhenry\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - blank (file missing)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WinDLL (smntp.exe)] "rundll32.exe" C:\Winnt\system32\smntp.exe,start
O4 - HKLM\..\Run: [win320748055662] C:\Winnt\win320748055662.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [sscRun] "C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe"
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SetRefresh] "C:\Program Files\Compaq\SetRefresh\SetRefresh.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NGClient] "C:\Program Files\Symantec\Ghost\ngctw32.exe"
O4 - HKLM\..\Run: [MPFExe] "C:\Program Files\mcafee.com\personal firewall\MPfTray.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [LTWinModem1] "ltmsg.exe" 9
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [jxeceb22] "RUNDLL32.EXE" w041e92b.dll,n 001ceb2100000003041e92b
O4 - HKLM\..\Run: [IgfxTray] C:\Winnt\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Winnt\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133538246\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ecdvjy] C:\Winnt\system32\fkyekb.exe reg_run
O4 - HKLM\..\Run: [DrvLsnr] "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Winnt\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [bykxl] C:\Winnt\system32\fkyekb.exe reg_run
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153335756562
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/...FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60C8B0EC-C2E6-4A18-896D-6E253B81F6C8}: NameServer = 198.190.226.3,198.190.226.30
O20 - Winlogon Notify: WRNotifier - C:\Winnt\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1133538246\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\Winnt\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\Winnt\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Winnt\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\Winnt\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: Pervasive.SQL - Unknown owner - C:\WINNT\system32\Srvany.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\Winnt\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

thanks for your help, it's greatly appreciated.

#14 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • Local time:09:20 AM

Posted 02 August 2006 - 03:22 PM

<<I couldn't finish the spysweeper scan>>

We need it to complete to get rid of the junk.


You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [WinDLL (smntp.exe)] "rundll32.exe" C:\Winnt\system32\smntp.exe,start

O4 - HKLM\..\Run: [win320748055662] C:\Winnt\win320748055662.exe

O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [jxeceb22] "RUNDLL32.EXE" w041e92b.dll,n 001ceb2100000003041e92b

O4 - HKLM\..\Run: [ecdvjy] C:\Winnt\system32\fkyekb.exe reg_run

O4 - HKCU\..\Run: [bykxl] C:\Winnt\system32\fkyekb.exe reg_run

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Winnt\system32\smntp.exe
C:\Winnt\win320748055662.exe
C:\Program Files\SpywareBot
C:\Winnt\system32\w041e92b.dll
C:\Winnt\system32\fkyekb.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
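The entries MFDnSC picks out of the HijackThis log above share a few structural tells: rundll32 being used to load an .exe, a DLL named without a directory, a file name ending in a long digit run, and one file (fkyekb.exe) started from two different Run values. The script below is an added example (not part of this thread, and not a tool of BleepingComputer or the HijackThis author) that parses O4 lines and applies exactly those heuristics. The sample lines are a constructed subset copied from the log posted above; the rules are my own assumptions and only catch structural oddities, so the rogue antispyware entry (SpywareBot) is deliberately left unflagged to show that such products need reputation data, not pattern matching.

```python
"""Triage HijackThis O4 (autostart) entries with simple structural heuristics.

Added example for this thread; the heuristics are assumptions, not a vendor's logic.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WinDLL (smntp.exe)] "rundll32.exe" C:\Winnt\system32\smntp.exe,start
O4 - HKLM\..\Run: [win320748055662] C:\Winnt\win320748055662.exe
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [jxeceb22] "RUNDLL32.EXE" w041e92b.dll,n 001ceb2100000003041e92b
O4 - HKLM\..\Run: [ecdvjy] C:\Winnt\system32\fkyekb.exe reg_run
O4 - HKLM\..\Run: [HotKeysCmds] C:\Winnt\system32\hkcmd.exe
O4 - HKCU\..\Run: [bykxl] C:\Winnt\system32\fkyekb.exe reg_run
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Winnt\Cpqdiag\CpqDfwAg.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def split_command(cmd):
    """Return (program, args) from a Run value, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_o4(log_text):
    """Parse O4 lines into dicts; 'target' is the file that really gets executed."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = dict(m.groupdict())
        program, args = split_command(e["cmd"])
        e["program"], e["args"] = program, args
        # rundll32 is only a loader: the code that runs is its first argument (before the comma)
        if basename(program) == "rundll32.exe":
            e["target"] = args.split(",", 1)[0].strip()
            e["via_rundll32"] = True
        else:
            e["target"] = program
            e["via_rundll32"] = False
        entries.append(e)
    return entries


def triage(entries):
    """Attach a list of reasons to each entry; an empty list means nothing structurally odd."""
    by_target = defaultdict(list)          # how many autostart values point at one file
    for e in entries:
        by_target[basename(e["target"])].append(e["name"])
    for e in entries:
        reasons = []
        tgt = e["target"]
        stem = basename(tgt).rsplit(".", 1)[0]
        if e["via_rundll32"]:
            if tgt.lower().endswith(".exe"):
                reasons.append("rundll32 loading an .exe as a DLL")
            elif "\\" not in tgt:
                reasons.append("rundll32 DLL given without a directory (resolved via search path)")
        if re.search(r"\d{6,}$", stem):
            reasons.append("file name ends in a long digit run")
        names = by_target[basename(tgt)]
        if len(names) > 1:
            reasons.append("same file started from %d values (%s)" % (len(names), ", ".join(names)))
        e["reasons"] = reasons
    return entries


def flagged_names(log_text=SAMPLE_LOG):
    """Value names of entries that tripped at least one heuristic, in log order."""
    return [e["name"] for e in triage(parse_o4(log_text)) if e["reasons"]]


if __name__ == "__main__":
    for e in triage(parse_o4(SAMPLE_LOG)):
        mark = "FLAG" if e["reasons"] else "    "
        print(mark, e["hive"], e["key"], "[%s]" % e["name"], "->", e["target"], "; ".join(e["reasons"]))
```

Run it on a full HijackThis log saved as a text file by passing the file's contents to `flagged_names`. The output is a triage list for a human to review, not a verdict: a legitimate entry can trip a rule (an OEM utility with a numbered build name, for instance), and a rogue product with a clean-looking path trips none, which is why the helper's own judgement still decides what goes into "fix checked".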

#15 DGruber58

DGruber58
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:20 AM

Posted 02 August 2006 - 07:49 PM

I had to leave, so I had to quit the scan. It said it had 5 min remaining for about 15 minutes...
I work tomorrow, so I can get a full scan and clean up what's left.



