Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop-ups Out Of Control


  • Please log in to reply
13 replies to this topic

#1 MamaRamona

MamaRamona

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 08 August 2006 - 06:28 PM

hello.

My computer was recently infected with SurfSideKick 3, and although I believe that I have gotten rid of that, I am still having a problem with pop-ups. I walk away from my computer for a few minutes and come back to 10-20 pop-up windows. I am posting my HJT log in the hopes that someone might be able to direct me in getting rid of the problem.

Thanks in advance,
MR

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:24:23 PM, on 8/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\cplmcm.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\WINDOWS\System32\imapi.exe
c:\program files\common files\aol\1139464748\ee\aexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: (no name) - {DA576681-8BFE-4BAA-B5D9-3602D5169AFF} - C:\Program Files\Online Services\nifyzasu.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SystemTools]
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151215330384
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O18 - Filter: text/html - - (no file)
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINDOWS\cplmcm.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 09 August 2006 - 04:37 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs..
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

2) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {DA576681-8BFE-4BAA-B5D9-3602D5169AFF} - C:\Program Files\Online Services\nifyzasu.dll
O18 - Filter: text/html - - (no file)
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

3) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

4) Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#3 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 09 August 2006 - 02:19 PM

hi David,

thanks so much for your help. I went through the steps and the following are the results you requested...

----------

Uninstall Manager List...

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop CS
ALi AGP Driver 2.00
Alps Pointing-device Driver
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Pictures Tools (version 10.1.0.0)
AOL Toolbar
AOL Uninstaller
AOL You've Got Pictures Screensaver
AT&T Connection Services Manager
Atheros Client Utility
BadCopy Pro
BHODemon 2.0.0.22
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Corel Paint Shop Pro X
Costco Photo Organizer
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Digital Photo Recovery 2.0.3
DPR FlashBack
DPR FlashBack (C:\Program Files\DPRFlashBack\)
Drag'n Drop CD+DVD
DVD-RAM Driver
EasyCleaner
eIMAGE Recovery
ewido security suite
FinePixViewer Resource
FinePixViewer Ver.5.0
FUJIFILM USB Driver
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.2 - Scanjet 3970 Series
ImageMixer VCD2 LE for FinePix
InterVideo WinDVD 4
iPod for Windows 2005-09-23
Ipswitch WS_FTP Professional 2006
iTunes
J2SE Runtime Environment 5.0 Update 1
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Microsoft Works 7.0
mmCARD Recovery
Music Visualizer Library 1.4.00
My Wal-Mart Digital Photo Center
Net MD Simple Burner
Notebook Maximizer
OfotoNow
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Limited Patch 3.2-03-04-17-02
OpenMG Secure Module 3.2
Paint Shop Pro 7 Anniversary Edition
Panda ActiveScan
Persian Rug
PHOTORECOVERY® for Digital Media 3.0
PhotoStreamer 2
Picasa 2
PictureGear 4.1Lite
Pure Networks Port Magic
QuickTime
RAW FILE CONVERTER LE
RealPlayer Basic
Realtek Fast Ethernet Adapter Driver
Recover My Files
Registrar Registry Manager 4.04
Registrar Registry Manager 4.04 (Lite Edition)
rocbox
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB921883)
Skype 2.5
Software Suite
SonicStage 1.5.53
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
SurfHere by Toshiba
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
Toshiba Hotkey Utility for Display Devices
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
URL Organizer 2
Verizon SmartCall
Verizon Yahoo! Applications
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See q329112 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) q329623
Windows XP Hotfix (SP2) Q329834
Windows XP Hotfix (SP2) Q810090
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810583
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q814033


------------------------------------


Combofix Log...


Start Time= Wed 08/09/2006 15:07:37.65
Running from: C:\DOCUME~1\MARISA~1\DESKTOP\UNUSED~1\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-09 02:15:18 65536 ( A.... ) "C:\drsmartload.exe"
2006-08-09 02:15:08 20480 ( A.... ) "C:\aolfixed.exe"
2006-08-09 00:05:10 20480 ( A.... ) "C:\installfix.exe"
2006-08-08 19:39:48 20480 ( A.... ) "C:\drsmartload849a8b5.exe"
2006-08-08 19:39:42 20480 ( A.... ) "C:\drsmartload46a8b5.exe"
2006-08-08 19:39:38 20480 ( A.... ) "C:\drsmartload45a8b5.exe"
2006-08-08 19:39:30 77824 ( A.... ) "C:\dfndrff_8.exe"
2006-08-07 18:03:20 178279 ( A.... ) "C:\AimFix.exe"
2006-08-07 17:58:38 ( .D... ) "C:\Program Files\TheSearchAccelerator"
2006-08-07 17:58:36 517168 ( A.... ) "C:\ucmoreiex.exe"
2006-08-07 17:58:18 ( .D... ) "C:\Program Files\System Icons"
2006-08-07 17:58:18 ( .D... ) "C:\Program Files\System Files"
2006-08-07 17:58:06 27648 ( A.... ) "C:\dist13.exe"
2006-08-07 17:57:52 30208 ( A.... ) "C:\SS1001newer.exe"
2006-08-07 17:57:30 48190 ( A.... ) "C:\RDFX4.exe"
2006-08-07 17:57:26 94208 ( A.... ) "C:\kybrdff_8.exe"
2006-08-07 17:57:16 32768 ( A.... ) "C:\nwnmff_8.exe"
2006-08-07 17:57:04 20480 ( A.... ) "C:\instalAIM.exe"
2006-08-06 10:51:18 61440 ( A.... ) "C:\kybrdfg_8.exe"
2006-08-06 10:50:52 32768 ( A.... ) "C:\nwnmfg_8.exe"
2006-08-06 10:50:26 20480 ( A.... ) "C:\AOLFix.exe"
2006-08-05 22:33:10 ( .D... ) "C:\Program Files\America Online 9.0b"
2006-08-04 17:12:54 1167 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.sys"
2006-08-04 17:12:54 1167 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.sys"
2006-08-04 13:12:58 61952 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.dll"
2006-08-04 00:13:20 20480 ( A.... ) "C:\AolInstall.exe"
2006-08-03 23:36:18 20480 ( A.... ) "C:\aolconnectfix.exe"
2006-08-03 22:22:32 20480 ( A.... ) "C:\aolconnectionfix.exe"
2006-08-02 04:54:34 20480 ( A.... ) "C:\FirewallUpdate.exe"
2006-08-02 00:33:58 20480 ( A.... ) "C:\sasdaskldh.exe"
2006-08-02 00:26:40 20480 ( A.... ) "C:\sasdasaskldh.exe"
2006-07-31 23:02:02 86016 ( A.... ) "C:\kybrdff_7.exe"
2006-07-31 23:01:52 32768 ( A.... ) "C:\nwnmff_7.exe"
2006-07-31 23:01:34 20480 ( A.... ) "C:\saskldh.exe"
2006-07-31 00:31:10 20480 ( A.... ) "C:\systels32.exe"
2006-07-30 03:34:52 32768 ( A.... ) "C:\kybrdfg_7.exe"
2006-07-30 03:34:42 32768 ( A.... ) "C:\nwnmfg_7.exe"
2006-07-30 03:34:34 20480 ( A.... ) "C:\systems32.exe"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-25 22:09:32 32768 ( A.... ) "C:\nwnmef_7.exe"
2006-07-25 22:08:54 29696 ( A.... ) "C:\WINDOWS\system32\w19146b2.dll"
2006-07-25 22:08:52 2560 ( A.... ) "C:\ac3_0003.exe"
2006-07-25 22:08:48 587776 ( A.... ) "C:\626_101newer.exe"
2006-07-25 22:07:50 32768 ( A.... ) "C:\kybrdef_7.exe"
2006-07-25 13:10:34 100554 ( ..SHR ) "C:\WINDOWS\cplmcm.exe"
2006-07-15 01:44:12 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Skype"
2006-07-15 01:43:54 ( .D... ) "C:\Program Files\Skype"
2006-07-14 11:53:28 307200 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-09 05:58:04 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Jasc"
2006-06-24 18:38:32 ( .D... ) "C:\Program Files\ToniArts"
2006-06-24 02:58:14 ( .D... ) "C:\Program Files\Webroot"
2006-06-24 02:58:14 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Webroot"
2006-06-22 08:05:02 ( .D... ) "C:\Program Files\PIXELA"
2006-06-22 08:02:34 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\FUJIFILM"
2006-06-22 08:01:04 ( .D... ) "C:\Program Files\FinePixViewer"
2006-06-22 07:57:54 ( .D... ) "C:\Program Files\REGSHAVE"
2006-06-21 21:01:54 0 ( A.... ) "C:\Documents and Settings\Marisa Diver\Application Data\internaldb41.dat"
2006-06-21 01:00:40 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-19 04:29:56 ( .D... ) "C:\Program Files\elticons"
2006-06-19 04:24:36 ( .D... ) "C:\Program Files\Cowabanga"
2006-06-16 10:46:40 5 ( A.... ) "C:\WINDOWS\dkmv.dll"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\winitn.dll"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\kakle.dll"
2006-06-16 10:13:50 2535424 ( A.... ) "C:\WINDOWS\system32\agsaamj.dll"
2006-06-16 10:13:50 1986560 ( A.... ) "C:\WINDOWS\system32\akll.dll"
2006-06-16 10:13:50 1245184 ( A.... ) "C:\WINDOWS\system32\bkll.dll"
2006-06-16 10:13:50 1212416 ( A.... ) "C:\WINDOWS\system32\ckll.dll"
2006-06-16 10:13:50 987136 ( A.... ) "C:\WINDOWS\system32\agsaamh.dll"
2006-06-16 10:13:50 610304 ( A.... ) "C:\WINDOWS\system32\agsaamg.dll"
2006-06-16 10:13:50 331776 ( A.... ) "C:\WINDOWS\system32\agsaama.dll"
2006-06-16 10:13:50 237568 ( A.... ) "C:\WINDOWS\system32\lame_enc.dll"
2006-06-16 10:13:50 196608 ( A.... ) "C:\WINDOWS\system32\maag.dll"
2006-06-16 10:13:50 90112 ( A.... ) "C:\WINDOWS\system32\agsaami.dll"
2006-06-16 10:13:48 372736 ( A.... ) "C:\WINDOWS\system32\agsaamc.dll"
2006-06-13 13:48:32 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Mozilla"
2006-06-13 13:48:30 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-13 00:09:40 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\acccore"
2006-06-13 00:07:46 ( .D... ) "C:\Program Files\AOD"
2006-06-12 07:44:02 16 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-12 07:43:10 7022 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq6.exe"
2006-06-12 07:42:48 8184 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-02 13:39:54 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-02 13:39:46 286000 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-05-29 20:13:56 5619 ( A.... ) "C:\WINDOWS\system32\sachostm.exe"
2006-05-26 23:11:56 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-05-26 22:19:50 163840 ( A.... ) "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-26 15:40:58 1339904 ( A.... ) "C:\WINDOWS\system32\SHDOCVW.DLL"
2006-05-25 00:48:30 93 ( A.... ) "C:\WINDOWS\system32\d.bat"
2006-05-23 00:00:52 488144 ( A.... ) "C:\Program Files\HJTsetup.exe"
2006-05-22 17:21:28 49140 ( A.... ) "C:\pasmew.dll"
2006-05-22 12:41:34 15198 ( A.... ) "C:\WINDOWS\file1.exe"
2006-05-21 21:21:36 7621 ( A.... ) "C:\WINDOWS\system32\1820.exe"
2006-05-20 02:15:20 25491129 ( A.... ) "C:\Program Files\photopospro_setup.exe"
2006-05-20 02:10:36 12716752 ( A.... ) "C:\Program Files\acdsee.exe"
2006-05-20 01:20:52 55808 ( A.... ) "C:\Program Files\wpmsetup1.exe"
2006-05-19 15:52:28 2702848 ( A.... ) "C:\WINDOWS\system32\MSHTML.DLL"
2006-05-19 13:57:46 5352752 ( A.... ) "C:\Program Files\Setup_FreeConverter.exe"
2006-05-19 08:15:34 140288 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:15:34 83456 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-19 08:15:34 70656 ( A.... ) "C:\WINDOWS\system32\ws2_32.dll"
2006-05-19 08:15:34 54272 ( A.... ) "C:\WINDOWS\system32\ipv6mon.dll"
2006-05-19 08:15:34 31232 ( A.... ) "C:\WINDOWS\system32\inetmib1.dll"
2006-05-19 08:15:34 13312 ( A.... ) "C:\WINDOWS\system32\wship6.dll"
2006-05-19 08:15:32 103936 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:15:32 95232 ( A.... ) "C:\WINDOWS\system32\6to4svc.dll"
2006-05-19 04:51:02 159232 ( A.... ) "C:\WINDOWS\system32\xpob2res.dll"
2006-05-19 04:46:02 48640 ( A.... ) "C:\WINDOWS\system32\ipv6.exe"
2006-05-19 04:44:56 83456 ( A.... ) "C:\WINDOWS\system32\netsh.exe"
2006-05-18 01:58:56 458752 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-14 05:13:42 364544 ( A.... ) "C:\WINDOWS\system32\ipsmsnap.dll"
2006-05-14 05:13:42 334848 ( A.... ) "C:\WINDOWS\system32\ipsecsnp.dll"
2006-05-14 05:13:42 257536 ( A.... ) "C:\WINDOWS\system32\oakley.dll"
2006-05-14 05:13:42 169984 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-14 05:13:42 159744 ( A.... ) "C:\WINDOWS\system32\ipsecsvc.dll"
2006-05-14 05:13:42 98304 ( A.... ) "C:\WINDOWS\system32\polstore.dll"
2006-05-14 05:13:42 29184 ( A.... ) "C:\WINDOWS\system32\winipsec.dll"
2006-02-10 02:04:54 69632 ( A.... ) "C:\Program Files\VundoFix.exe"
2006-02-09 06:33:30 2262376 ( A.... ) "C:\Program Files\tmasv30-us.exe"
2006-02-08 20:56:54 1691344 ( A.... ) "C:\Program Files\BHODemon20Setup_2022.exe"
2006-02-08 04:38:10 212849 ( A.... ) "C:\Program Files\hijackthis.zip"
2006-02-07 04:40:14 5037072 ( A.... ) "C:\Program Files\spybotsd14.exe"
2006-02-07 04:23:20 532480 ( A.... ) "C:\Program Files\cwshredder.exe"
2006-02-07 03:53:18 41900 ( A.... ) "C:\Program Files\WarezP2P_TDL.exe"
2006-02-07 03:51:16 49464 ( A.... ) "C:\Program Files\XoftSpy[1].v4.21.142.WinALL.Incl.Keygen-ViRiLiTY.ZIP"
2006-02-07 03:02:42 1940160 ( A.... ) "C:\Program Files\XoftSpy421_147.exe"
2006-02-06 19:14:34 7446 ( A.... ) "C:\Program Files\aswclnr.log"
2006-02-06 18:01:50 361504 ( A.... ) "C:\Program Files\aswclnr.exe"
2005-10-26 04:12:28 9728 ( ..... ) "C:\Program Files\Thumbs.db"
2005-10-11 01:55:56 5317848 ( A.... ) "C:\Program Files\CostcoOrganizer.exe"
2005-09-21 17:16:54 109710304 ( A.... ) "C:\Program Files\Corel_PaintShopPro1000_EN_TBYB_TrialESD.exe"
2005-09-20 06:42:06 5398453 ( A.... ) "C:\Program Files\PRC-Demo.zip"
2005-09-20 06:35:10 38674 ( A.... ) "C:\Program Files\mdr.exe"
2005-09-20 06:32:38 940536 ( A.... ) "C:\Program Files\badcopy3d.exe"
2005-09-20 05:38:52 2598509 ( A.... ) "C:\Program Files\FlashBk.exe"
2005-09-20 05:34:04 4337050 ( A.... ) "C:\Program Files\RecoverMyFiles-Setup.exe"
2005-09-20 04:49:40 592335 ( A.... ) "C:\Program Files\dir.zip"
2005-09-19 15:23:38 859729 ( A.... ) "C:\Program Files\dprdemo.exe"
2005-09-19 14:27:24 1089590 ( A.... ) "C:\Program Files\omedina.zip"
2005-08-01 05:57:50 464368 ( A.... ) "C:\Program Files\actionis.sit"
2005-07-30 23:08:54 10769800 ( A.... ) "C:\Program Files\WSFTP_ProT128_Install.exe"
2005-07-17 23:07:12 565880 ( A.... ) "C:\Program Files\fotofinish_trial.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SystemTools"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"kbdhco"="C:\\WINDOWS\\System32\\kbdhco.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\YORKPH~1\\YORKPH~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN\\qumymu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\nikokiju.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0B\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dlbcserv.lnk"
"backup"="C:\\WINDOWS\\pss\\dlbcserv.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DELLPH~1\\dlbcserv.exe "
"item"="dlbcserv"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Trend Micro Anti-Spyware.lnk"
"backup"="C:\\WINDOWS\\pss\\Trend Micro Anti-Spyware.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TRENDM~1\\Tmas\\Tmas.exe -autostart"
"item"="Trend Micro Anti-Spyware"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marisa Diver^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
"path"="C:\\Documents and Settings\\Marisa Diver\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
"item"="BHODemon 2.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCOM Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="explorer"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\MARISA~1\\LOCALS~1\\Temp\\24837\\explorer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1139464748\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdhco]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdhco"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdhco.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ltmoh"
"hkey"="HKLM"
"command"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mrcfb8af]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w19146b2.dll,n 001fb8ae0000000319146b2"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OFUSBS"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\RunDLL32.exe C:\\PROGRA~1\\Ofoto\\OfotoNow\\OFUSBS.DLL,WatchForConnection OfotoNow"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PmProxy"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="REGSHAVE"
"hkey"="HKLM"
"command"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyFalcon"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernels8"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\kernels8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPWRTRAY"
"hkey"="HKLM"
"command"="TPWRTRAY.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpupdate"
"hkey"="HKCU"
"command"="C:\\Windows\\xpupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMusicEngine"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"ymetray"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"Drag'n Drop CD+DVD"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"


Contents of the 'Scheduled Tasks' folder

Completion time: Wed 08/09/2006 15:09:54.55
ComboFix ver 06.06.22.2 - This logfile is located at C:\ComboFix.txt

------------------------------------


HJT Log...

Logfile of HijackThis v1.99.1
Scan saved at 3:11:10 PM, on 8/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\dfndrff_8.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\cplmcm.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151215330384
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINDOWS\cplmcm.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 09 August 2006 - 04:36 PM

Hello there MamaRamona,

I was halfway through writing the fix, but the amount of files and folders I wanted you to delete was so huge, I've decided to make it easier for us and run some scanners first which should get rid of most of these files. After running the scanners we can go through with a toothpick and fix all the remaining leftovers.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) I see you have Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
2) Download Brute Force Uninstaller.
Unzip it to a folder of it’s own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

3) Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

4) Clean your Cache and Cookies in IE

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean your Cache and Cookies in Firefox

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the fox --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

5) I see you have Ewido installed.
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!!

Please post back with the ewido log and a new Hijackthis log.
David

#5 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 09 August 2006 - 09:48 PM

hi David,

I did all the suggested steps which resulted in the following logs...

Ewido...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:34:33 PM, 8/9/2006
+ Report-Checksum: E05F1B89

+ Scan result:

C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Marisa Diver\Cookies\marisa diver@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End


--------------------------


HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 10:43:47 PM, on 8/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\aexplore.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151215330384
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WKSSVC (Windows Kernel System Service) - Unknown owner - C:\WINDOWS\cplmcm.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 10 August 2006 - 03:56 AM

Ok, good. I need a brand new Combofix log please.
David

#7 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 10 August 2006 - 02:18 PM

I seem to still be having somewhat of a problem with popups, although not quite so severe. Here is the combofix log ...



Start Time= Thu 08/10/2006 15:08:55.02
Running from: C:\DOCUME~1\MARISA~1\DESKTOP\UNUSED~1\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-09 16:28:54 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\AVG7"
2006-08-09 16:28:12 ( .D... ) "C:\Program Files\Grisoft"
2006-08-07 18:03:20 178279 ( A.... ) "C:\AimFix.exe"
2006-08-05 22:33:10 ( .D... ) "C:\Program Files\America Online 9.0b"
2006-08-04 17:12:54 1167 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.sys"
2006-08-04 17:12:54 1167 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.sys"
2006-08-04 13:12:58 61952 ( A.... ) "C:\WINDOWS\system32\mrcfb8af.dll"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-25 22:08:54 29696 ( A.... ) "C:\WINDOWS\system32\w19146b2.dll"
2006-07-15 01:44:12 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Skype"
2006-07-15 01:43:54 ( .D... ) "C:\Program Files\Skype"
2006-07-14 11:53:28 307200 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-09 05:58:04 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Jasc"
2006-06-24 18:38:32 ( .D... ) "C:\Program Files\ToniArts"
2006-06-24 02:58:14 ( .D... ) "C:\Program Files\Webroot"
2006-06-24 02:58:14 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Webroot"
2006-06-22 08:05:02 ( .D... ) "C:\Program Files\PIXELA"
2006-06-22 08:02:34 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\FUJIFILM"
2006-06-22 08:01:04 ( .D... ) "C:\Program Files\FinePixViewer"
2006-06-22 07:57:54 ( .D... ) "C:\Program Files\REGSHAVE"
2006-06-21 21:01:54 0 ( A.... ) "C:\Documents and Settings\Marisa Diver\Application Data\internaldb41.dat"
2006-06-21 01:00:40 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-19 04:29:56 ( .D... ) "C:\Program Files\elticons"
2006-06-19 04:24:36 ( .D... ) "C:\Program Files\Cowabanga"
2006-06-16 10:46:40 5 ( A.... ) "C:\WINDOWS\dkmv.dll"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\winitn.dll"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\kakle.dll"
2006-06-16 10:13:50 2535424 ( A.... ) "C:\WINDOWS\system32\agsaamj.dll"
2006-06-16 10:13:50 1986560 ( A.... ) "C:\WINDOWS\system32\akll.dll"
2006-06-16 10:13:50 1245184 ( A.... ) "C:\WINDOWS\system32\bkll.dll"
2006-06-16 10:13:50 1212416 ( A.... ) "C:\WINDOWS\system32\ckll.dll"
2006-06-16 10:13:50 987136 ( A.... ) "C:\WINDOWS\system32\agsaamh.dll"
2006-06-16 10:13:50 610304 ( A.... ) "C:\WINDOWS\system32\agsaamg.dll"
2006-06-16 10:13:50 331776 ( A.... ) "C:\WINDOWS\system32\agsaama.dll"
2006-06-16 10:13:50 237568 ( A.... ) "C:\WINDOWS\system32\lame_enc.dll"
2006-06-16 10:13:50 196608 ( A.... ) "C:\WINDOWS\system32\maag.dll"
2006-06-16 10:13:50 90112 ( A.... ) "C:\WINDOWS\system32\agsaami.dll"
2006-06-16 10:13:48 372736 ( A.... ) "C:\WINDOWS\system32\agsaamc.dll"
2006-06-13 13:48:32 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Mozilla"
2006-06-13 13:48:30 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-13 00:09:40 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\acccore"
2006-06-13 00:07:46 ( .D... ) "C:\Program Files\AOD"
2006-06-12 07:44:02 16 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-02 13:39:54 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-02 13:39:46 286000 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-05-29 20:13:56 5619 ( A.... ) "C:\WINDOWS\system32\sachostm.exe"
2006-05-26 23:11:56 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-05-26 22:19:50 163840 ( A.... ) "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-26 15:40:58 1339904 ( A.... ) "C:\WINDOWS\system32\SHDOCVW.DLL"
2006-05-25 00:48:30 93 ( A.... ) "C:\WINDOWS\system32\d.bat"
2006-05-23 00:00:52 488144 ( A.... ) "C:\Program Files\HJTsetup.exe"
2006-05-22 17:21:28 49140 ( A.... ) "C:\pasmew.dll"
2006-05-21 21:21:36 7621 ( A.... ) "C:\WINDOWS\system32\1820.exe"
2006-05-20 02:15:20 25491129 ( A.... ) "C:\Program Files\photopospro_setup.exe"
2006-05-20 02:10:36 12716752 ( A.... ) "C:\Program Files\acdsee.exe"
2006-05-20 01:20:52 55808 ( A.... ) "C:\Program Files\wpmsetup1.exe"
2006-05-19 15:52:28 2702848 ( A.... ) "C:\WINDOWS\system32\MSHTML.DLL"
2006-05-19 13:57:46 5352752 ( A.... ) "C:\Program Files\Setup_FreeConverter.exe"
2006-05-19 08:15:34 140288 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:15:34 83456 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-19 08:15:34 70656 ( A.... ) "C:\WINDOWS\system32\ws2_32.dll"
2006-05-19 08:15:34 54272 ( A.... ) "C:\WINDOWS\system32\ipv6mon.dll"
2006-05-19 08:15:34 31232 ( A.... ) "C:\WINDOWS\system32\inetmib1.dll"
2006-05-19 08:15:34 13312 ( A.... ) "C:\WINDOWS\system32\wship6.dll"
2006-05-19 08:15:32 103936 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:15:32 95232 ( A.... ) "C:\WINDOWS\system32\6to4svc.dll"
2006-05-19 04:51:02 159232 ( A.... ) "C:\WINDOWS\system32\xpob2res.dll"
2006-05-19 04:46:02 48640 ( A.... ) "C:\WINDOWS\system32\ipv6.exe"
2006-05-19 04:44:56 83456 ( A.... ) "C:\WINDOWS\system32\netsh.exe"
2006-05-18 01:58:56 458752 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-14 05:13:42 364544 ( A.... ) "C:\WINDOWS\system32\ipsmsnap.dll"
2006-05-14 05:13:42 334848 ( A.... ) "C:\WINDOWS\system32\ipsecsnp.dll"
2006-05-14 05:13:42 257536 ( A.... ) "C:\WINDOWS\system32\oakley.dll"
2006-05-14 05:13:42 169984 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-14 05:13:42 159744 ( A.... ) "C:\WINDOWS\system32\ipsecsvc.dll"
2006-05-14 05:13:42 98304 ( A.... ) "C:\WINDOWS\system32\polstore.dll"
2006-05-14 05:13:42 29184 ( A.... ) "C:\WINDOWS\system32\winipsec.dll"
2006-02-10 02:04:54 69632 ( A.... ) "C:\Program Files\VundoFix.exe"
2006-02-09 06:33:30 2262376 ( A.... ) "C:\Program Files\tmasv30-us.exe"
2006-02-08 20:56:54 1691344 ( A.... ) "C:\Program Files\BHODemon20Setup_2022.exe"
2006-02-08 04:38:10 212849 ( A.... ) "C:\Program Files\hijackthis.zip"
2006-02-07 04:40:14 5037072 ( A.... ) "C:\Program Files\spybotsd14.exe"
2006-02-07 04:23:20 532480 ( A.... ) "C:\Program Files\cwshredder.exe"
2006-02-07 03:53:18 41900 ( A.... ) "C:\Program Files\WarezP2P_TDL.exe"
2006-02-07 03:51:16 49464 ( A.... ) "C:\Program Files\XoftSpy[1].v4.21.142.WinALL.Incl.Keygen-ViRiLiTY.ZIP"
2006-02-07 03:02:42 1940160 ( A.... ) "C:\Program Files\XoftSpy421_147.exe"
2006-02-06 19:14:34 7446 ( A.... ) "C:\Program Files\aswclnr.log"
2006-02-06 18:01:50 361504 ( A.... ) "C:\Program Files\aswclnr.exe"
2005-10-26 04:12:28 9728 ( ..... ) "C:\Program Files\Thumbs.db"
2005-10-11 01:55:56 5317848 ( A.... ) "C:\Program Files\CostcoOrganizer.exe"
2005-09-21 17:16:54 109710304 ( A.... ) "C:\Program Files\Corel_PaintShopPro1000_EN_TBYB_TrialESD.exe"
2005-09-20 06:42:06 5398453 ( A.... ) "C:\Program Files\PRC-Demo.zip"
2005-09-20 06:35:10 38674 ( A.... ) "C:\Program Files\mdr.exe"
2005-09-20 06:32:38 940536 ( A.... ) "C:\Program Files\badcopy3d.exe"
2005-09-20 05:38:52 2598509 ( A.... ) "C:\Program Files\FlashBk.exe"
2005-09-20 05:34:04 4337050 ( A.... ) "C:\Program Files\RecoverMyFiles-Setup.exe"
2005-09-20 04:49:40 592335 ( A.... ) "C:\Program Files\dir.zip"
2005-09-19 15:23:38 859729 ( A.... ) "C:\Program Files\dprdemo.exe"
2005-09-19 14:27:24 1089590 ( A.... ) "C:\Program Files\omedina.zip"
2005-08-01 05:57:50 464368 ( A.... ) "C:\Program Files\actionis.sit"
2005-07-30 23:08:54 10769800 ( A.... ) "C:\Program Files\WSFTP_ProT128_Install.exe"
2005-07-17 23:07:12 565880 ( A.... ) "C:\Program Files\fotofinish_trial.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"kbdhco"="C:\\WINDOWS\\System32\\kbdhco.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\YORKPH~1\\YORKPH~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN\\qumymu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\nikokiju.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0B\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dlbcserv.lnk"
"backup"="C:\\WINDOWS\\pss\\dlbcserv.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DELLPH~1\\dlbcserv.exe "
"item"="dlbcserv"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Trend Micro Anti-Spyware.lnk"
"backup"="C:\\WINDOWS\\pss\\Trend Micro Anti-Spyware.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TRENDM~1\\Tmas\\Tmas.exe -autostart"
"item"="Trend Micro Anti-Spyware"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marisa Diver^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
"path"="C:\\Documents and Settings\\Marisa Diver\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
"item"="BHODemon 2.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCOM Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="explorer"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\MARISA~1\\LOCALS~1\\Temp\\24837\\explorer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1139464748\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdhco]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdhco"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdhco.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ltmoh"
"hkey"="HKLM"
"command"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mrcfb8af]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w19146b2.dll,n 001fb8ae0000000319146b2"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OFUSBS"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\RunDLL32.exe C:\\PROGRA~1\\Ofoto\\OfotoNow\\OFUSBS.DLL,WatchForConnection OfotoNow"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PmProxy"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="REGSHAVE"
"hkey"="HKLM"
"command"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyFalcon"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernels8"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\kernels8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPWRTRAY"
"hkey"="HKLM"
"command"="TPWRTRAY.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xpupdate"
"hkey"="HKCU"
"command"="C:\\Windows\\xpupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMusicEngine"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"ymetray"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"Drag'n Drop CD+DVD"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"


Contents of the 'Scheduled Tasks' folder

Completion time: Thu 08/10/2006 15:11:53.92
ComboFix ver 06.06.22.2 - This logfile is located at C:\ComboFix.txt

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 10 August 2006 - 02:41 PM

Hey there,
Let's continue..

1) It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

2) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\mrcfb8af.sys
C:\WINDOWS\system32\mrcfb8af.dll
C:\WINDOWS\system32\w19146b2.dll
C:\WINDOWS\system32\uninstIcn.exe
C:\Program Files\elticons
C:\Program Files\Cowabanga
C:\WINDOWS\dkmv.dll
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\sachostm.exe
C:\pasmew.dll
C:\WINDOWS\system32\1820.exe
C:\WINDOWS\System32\kbdhco.exe
C:\Program Files\MSN\qumymu.html
C:\Program Files\ComPlus Applications\nikokiju.html
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\kernels8.exe
C:\Windows\xpupdate.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

3) Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdhco]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mrcfb8af]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

4) Open notepad and copy and paste next in it:

sc delete "Windows Kernel System Service"

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat and let the program run.

5) Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")
Hit ok below > apply in previous window.

Please reboot and post back with a new Hijackthis log and combofix log.
Let me know how the computer is running also.
David

Edited by D-Trojanator, 10 August 2006 - 02:41 PM.


#9 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 10 August 2006 - 03:40 PM

hi David,

when I copied and pasted the list into killbox, the following items did not show up...


C:\WINDOWS\System32\kbdhco.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\kernels8.exe
C:\Windows\xpupdate.exe


I followed the rest of the steps with no problems. My computer seems to be working much better, no more signs of popups.



The logs....

Start Time= Thu 08/10/2006 16:21:09.54
Running from: C:\DOCUME~1\MARISA~1\DESKTOP\UNUSED~1\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-09 16:28:54 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\AVG7"
2006-08-09 16:28:12 ( .D... ) "C:\Program Files\Grisoft"
2006-08-07 18:03:20 178279 ( A.... ) "C:\AimFix.exe"
2006-08-05 22:33:10 ( .D... ) "C:\Program Files\America Online 9.0b"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-28 17:50:04 4182 ( A.SH. ) "C:\WINDOWS\system32\KGyGaAvL.sys"
2006-07-15 01:44:12 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Skype"
2006-07-15 01:43:54 ( .D... ) "C:\Program Files\Skype"
2006-07-14 11:53:28 307200 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-09 05:58:04 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Jasc"
2006-06-24 18:38:32 ( .D... ) "C:\Program Files\ToniArts"
2006-06-24 02:58:14 ( .D... ) "C:\Program Files\Webroot"
2006-06-24 02:58:14 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Webroot"
2006-06-22 08:05:02 ( .D... ) "C:\Program Files\PIXELA"
2006-06-22 08:02:34 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\FUJIFILM"
2006-06-22 08:01:04 ( .D... ) "C:\Program Files\FinePixViewer"
2006-06-22 07:57:54 ( .D... ) "C:\Program Files\REGSHAVE"
2006-06-21 21:01:54 0 ( A.... ) "C:\Documents and Settings\Marisa Diver\Application Data\internaldb41.dat"
2006-06-19 04:29:56 ( .D... ) "C:\Program Files\elticons"
2006-06-19 04:24:36 ( .D... ) "C:\Program Files\Cowabanga"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\winitn.dll"
2006-06-16 10:13:56 40 ( A.... ) "C:\WINDOWS\system32\kakle.dll"
2006-06-16 10:13:50 2535424 ( A.... ) "C:\WINDOWS\system32\agsaamj.dll"
2006-06-16 10:13:50 1986560 ( A.... ) "C:\WINDOWS\system32\akll.dll"
2006-06-16 10:13:50 1245184 ( A.... ) "C:\WINDOWS\system32\bkll.dll"
2006-06-16 10:13:50 1212416 ( A.... ) "C:\WINDOWS\system32\ckll.dll"
2006-06-16 10:13:50 987136 ( A.... ) "C:\WINDOWS\system32\agsaamh.dll"
2006-06-16 10:13:50 610304 ( A.... ) "C:\WINDOWS\system32\agsaamg.dll"
2006-06-16 10:13:50 331776 ( A.... ) "C:\WINDOWS\system32\agsaama.dll"
2006-06-16 10:13:50 237568 ( A.... ) "C:\WINDOWS\system32\lame_enc.dll"
2006-06-16 10:13:50 196608 ( A.... ) "C:\WINDOWS\system32\maag.dll"
2006-06-16 10:13:50 90112 ( A.... ) "C:\WINDOWS\system32\agsaami.dll"
2006-06-16 10:13:48 372736 ( A.... ) "C:\WINDOWS\system32\agsaamc.dll"
2006-06-13 13:48:32 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\Mozilla"
2006-06-13 13:48:30 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-13 00:09:40 ( .D... ) "C:\Documents and Settings\Marisa Diver\Application Data\acccore"
2006-06-13 00:07:46 ( .D... ) "C:\Program Files\AOD"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-02 13:39:54 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-02 13:39:46 286000 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-05-26 23:11:56 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-05-26 22:19:50 163840 ( A.... ) "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-26 15:40:58 1339904 ( A.... ) "C:\WINDOWS\system32\SHDOCVW.DLL"
2006-05-25 00:48:30 93 ( A.... ) "C:\WINDOWS\system32\d.bat"
2006-05-23 00:00:52 488144 ( A.... ) "C:\Program Files\HJTsetup.exe"
2006-05-20 02:15:20 25491129 ( A.... ) "C:\Program Files\photopospro_setup.exe"
2006-05-20 02:10:36 12716752 ( A.... ) "C:\Program Files\acdsee.exe"
2006-05-20 01:20:52 55808 ( A.... ) "C:\Program Files\wpmsetup1.exe"
2006-05-19 15:52:28 2702848 ( A.... ) "C:\WINDOWS\system32\MSHTML.DLL"
2006-05-19 13:57:46 5352752 ( A.... ) "C:\Program Files\Setup_FreeConverter.exe"
2006-05-19 08:15:34 140288 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 08:15:34 83456 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2006-05-19 08:15:34 70656 ( A.... ) "C:\WINDOWS\system32\ws2_32.dll"
2006-05-19 08:15:34 54272 ( A.... ) "C:\WINDOWS\system32\ipv6mon.dll"
2006-05-19 08:15:34 31232 ( A.... ) "C:\WINDOWS\system32\inetmib1.dll"
2006-05-19 08:15:34 13312 ( A.... ) "C:\WINDOWS\system32\wship6.dll"
2006-05-19 08:15:32 103936 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 08:15:32 95232 ( A.... ) "C:\WINDOWS\system32\6to4svc.dll"
2006-05-19 04:51:02 159232 ( A.... ) "C:\WINDOWS\system32\xpob2res.dll"
2006-05-19 04:46:02 48640 ( A.... ) "C:\WINDOWS\system32\ipv6.exe"
2006-05-19 04:44:56 83456 ( A.... ) "C:\WINDOWS\system32\netsh.exe"
2006-05-18 01:58:56 458752 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-14 05:13:42 364544 ( A.... ) "C:\WINDOWS\system32\ipsmsnap.dll"
2006-05-14 05:13:42 334848 ( A.... ) "C:\WINDOWS\system32\ipsecsnp.dll"
2006-05-14 05:13:42 257536 ( A.... ) "C:\WINDOWS\system32\oakley.dll"
2006-05-14 05:13:42 169984 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-14 05:13:42 159744 ( A.... ) "C:\WINDOWS\system32\ipsecsvc.dll"
2006-05-14 05:13:42 98304 ( A.... ) "C:\WINDOWS\system32\polstore.dll"
2006-05-14 05:13:42 29184 ( A.... ) "C:\WINDOWS\system32\winipsec.dll"
2006-02-10 02:04:54 69632 ( A.... ) "C:\Program Files\VundoFix.exe"
2006-02-09 06:33:30 2262376 ( A.... ) "C:\Program Files\tmasv30-us.exe"
2006-02-08 20:56:54 1691344 ( A.... ) "C:\Program Files\BHODemon20Setup_2022.exe"
2006-02-08 04:38:10 212849 ( A.... ) "C:\Program Files\hijackthis.zip"
2006-02-07 04:40:14 5037072 ( A.... ) "C:\Program Files\spybotsd14.exe"
2006-02-07 04:23:20 532480 ( A.... ) "C:\Program Files\cwshredder.exe"
2006-02-07 03:53:18 41900 ( A.... ) "C:\Program Files\WarezP2P_TDL.exe"
2006-02-07 03:51:16 49464 ( A.... ) "C:\Program Files\XoftSpy[1].v4.21.142.WinALL.Incl.Keygen-ViRiLiTY.ZIP"
2006-02-07 03:02:42 1940160 ( A.... ) "C:\Program Files\XoftSpy421_147.exe"
2006-02-06 19:14:34 7446 ( A.... ) "C:\Program Files\aswclnr.log"
2006-02-06 18:01:50 361504 ( A.... ) "C:\Program Files\aswclnr.exe"
2005-10-26 04:12:28 9728 ( ..... ) "C:\Program Files\Thumbs.db"
2005-10-11 01:55:56 5317848 ( A.... ) "C:\Program Files\CostcoOrganizer.exe"
2005-09-21 17:16:54 109710304 ( A.... ) "C:\Program Files\Corel_PaintShopPro1000_EN_TBYB_TrialESD.exe"
2005-09-20 06:42:06 5398453 ( A.... ) "C:\Program Files\PRC-Demo.zip"
2005-09-20 06:35:10 38674 ( A.... ) "C:\Program Files\mdr.exe"
2005-09-20 06:32:38 940536 ( A.... ) "C:\Program Files\badcopy3d.exe"
2005-09-20 05:38:52 2598509 ( A.... ) "C:\Program Files\FlashBk.exe"
2005-09-20 05:34:04 4337050 ( A.... ) "C:\Program Files\RecoverMyFiles-Setup.exe"
2005-09-20 04:49:40 592335 ( A.... ) "C:\Program Files\dir.zip"
2005-09-19 15:23:38 859729 ( A.... ) "C:\Program Files\dprdemo.exe"
2005-09-19 14:27:24 1089590 ( A.... ) "C:\Program Files\omedina.zip"
2005-08-01 05:57:50 464368 ( A.... ) "C:\Program Files\actionis.sit"
2005-07-30 23:08:54 10769800 ( A.... ) "C:\Program Files\WSFTP_ProT128_Install.exe"
2005-07-17 23:07:12 565880 ( A.... ) "C:\Program Files\fotofinish_trial.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\YORKPH~1\\YORKPH~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0B\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dlbcserv.lnk"
"backup"="C:\\WINDOWS\\pss\\dlbcserv.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DELLPH~1\\dlbcserv.exe "
"item"="dlbcserv"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Trend Micro Anti-Spyware.lnk"
"backup"="C:\\WINDOWS\\pss\\Trend Micro Anti-Spyware.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TRENDM~1\\Tmas\\Tmas.exe -autostart"
"item"="Trend Micro Anti-Spyware"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Marisa Diver^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
"path"="C:\\Documents and Settings\\Marisa Diver\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
"item"="BHODemon 2.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCOM Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="explorer"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\MARISA~1\\LOCALS~1\\Temp\\24837\\explorer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1139464748\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfotoNow USB Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OFUSBS"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\RunDLL32.exe C:\\PROGRA~1\\Ofoto\\OfotoNow\\OFUSBS.DLL,WatchForConnection OfotoNow"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PmProxy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PmProxy"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="REGSHAVE"
"hkey"="HKLM"
"command"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tpwrtray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPWRTRAY"
"hkey"="HKLM"
"command"="TPWRTRAY.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMusicEngine"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"ymetray"="\"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe\" -preload"
"CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
"Drag'n Drop CD+DVD"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"


Contents of the 'Scheduled Tasks' folder

Completion time: Thu 08/10/2006 16:24:00.12
ComboFix ver 06.06.22.2 - This logfile is located at C:\ComboFix.txt


--------------------------


Logfile of HijackThis v1.99.1
Scan saved at 4:19:32 PM, on 8/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151215330384
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9616C3A-8F19-4BCB-BFE6-BD2699BCD41D}: NameServer = 205.188.146.145
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 10 August 2006 - 03:43 PM

That's fine...Don't worry about the Killbox incident.
Just two folders to manually delete now:

C:\Program Files\elticons
C:\Program Files\Cowabanga

Now reboot.
Let me know you are happy with the system and I can post my "all clean" spiel! :thumbsup:
David

#11 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 12 August 2006 - 03:59 AM

hi David,

I deleted those two folders and my computer seems to be working wonderfully now. I can't thank you enough for your help. I really appreciate it.

Thanks again,

~MR

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 12 August 2006 - 04:08 AM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* A article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David

#13 MamaRamona

MamaRamona
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 14 August 2006 - 03:28 PM

hi David,

thanks again for all your help. I have one additional question for you. I'm having trouble keeping my internet connected, either through AOL or explorer (using DSL), and wondered if you could check out my HJT log again and see if you spot any probs that would cause this.

Thanks in advance,
MR

----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:24:00 PM, on 8/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1139464748\ee\aolsoftware.exe
c:\program files\common files\aol\1139464748\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1139464748\ee\aolsoftware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151215330384
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:21 AM

Posted 14 August 2006 - 03:30 PM

The Hijackthis log is still clean, and I don't think this is a security issue.
I now see a clean log here, there are no signs of malware or anything that may cause the problems you are having. I recommend that you post your question in the following forum as you will recieve better help there. Let them know you have had your Hijackthis log checked, and it isn't a serious security issue.
Web Browsing/Email and Other Internet Applications
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users