Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • Please log in to reply
21 replies to this topic

#1 LilVix

LilVix

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 12 August 2006 - 06:45 PM

well, as i quickly overviewed my log, i saw that Surf sidekick 3, is BACK on my computer. i was able to ge trid of it, but now its back.

Logfile of HijackThis v1.99.1
Scan saved at 6:23:11 PM, on 8/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\sys01397626428-.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\Duce6.exe
C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}\Update.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\IA\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\sawaq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dueebim.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [sys01397626428-] C:\WINDOWS\sys01397626428-.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs303169590.dll,logonui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\gckavis.exe

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 13 August 2006 - 06:16 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Windows Overlay Components
Network Monitor
Command Service
SurfSideKick 3


Download Brute Force Uninstaller.
Unzip it to a folder of it’s own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Please download, install, and update Ewido anti-spyware
Load Ewido and then click the Update tab at the top.
Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!! I need the log later.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Also post the ewido log.

David

#3 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 13 August 2006 - 05:26 PM

Hello D-Trojanator, here is my ewido log, combo fix log, and HJT log. i also have the log from BFU if you need that at all(not posted in this reply). ENJOY!!

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:43:32 PM 8/13/2006

+ Scan result:



C:\Program Files\Altnet -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Program Files\Altnet\Download Manager -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Program Files\Altnet\My Altnet Shares -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\IA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\IA\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bnc42d.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dMnim.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dVnim.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmrawex.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hr4s05h7e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iFlmdev5.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ijrop.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\j04olah31d4.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvn2095oe.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mjdtclog.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\r8r6li9s18.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sDfrslv.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sjrio600.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wad_ci.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1224] C:\WINDOWS\system32\icfxress.dll -> Adware.Look2Me : Error during cleaning.
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__l_o_g_o_n_u_i_._d_l_l_ -> Adware.PurityScan : Cleaned with backup (quarantined).
[1856] C:\WINDOWS\system32\logonui.dll -> Adware.PurityScan : Error during cleaning.
[1968] C:\WINDOWS\system32\logonui.dll -> Adware.PurityScan : Error during cleaning.
[2804] C:\WINDOWS\system32\logonui.dll -> Adware.PurityScan : Error during cleaning.
[2956] C:\WINDOWS\system32\logonui.dll -> Adware.PurityScan : Error during cleaning.
C:\WINDOWS\system32\rk.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cbxwxur.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : Cleaned with backup (quarantined).
[2480] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\bintheredunthat\w4ece444.dll -> Downloader.Agent.ahv : Cleaned with backup (quarantined).
C:\WINDOWS\compstuig.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\g167703.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g3517718.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g3642093.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g82155875.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
[3096] C:\WINDOWS\g82155875.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\nem220.dll -> Downloader.Dyfuca : Cleaned with backup (quarantined).
C:\WINDOWS\pf79.exe -> Downloader.Dyfuca.ei : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Application Data\a905349c.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\a905349c.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\pss\uxsww.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__c_p_g_v_q_d_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__i_x_g_v_h_l_w_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__s_a_w_a_q_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hnuyc.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w038783c.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w4ec4342.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\lt.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\hotepyhox.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup (quarantined).
C:\WINDOWS\pms111x.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\WINDOWS\win32098-39762642.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\WINDOWS\comscore.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\WINDOWS\ss1205.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\clbcatix.dll -> Hijacker.Agent.ct : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} -> Hijacker.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1192063452-1668106079-1908103557-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} -> Hijacker.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\Messenger\kycecoz.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows NT\hozyzewos.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\bintheredunthat\gckavisA.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
[1864] C:\WINDOWS\gckavisA.exe -> Hijacker.VB.ij : Error during cleaning.
C:\Documents and Settings\Owner\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ehg-theviptour.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\adewight@earthlink.net\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\__delete_on_reboot__w_i_n_3_9_7_._t_m_p_._e_x_e_ -> Trojan.Dialer.qy : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

Start Time= Sun 08/13/2006 16:57:15.26
Running from: C:\Documents and Settings\Owner\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaba
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\icfxress.dll
C:\WINDOWS\SYSTEM32\kvdit142.dll
C:\WINDOWS\SYSTEM32\l4l60e3seh.dll
C:\WINDOWS\SYSTEM32\lv4m09h1e.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

17:05:18.82

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\sawaq.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-11 17:59:46 32,784 "C:\WINDOWS\system32\ishost.exe"
2006-08-13 16:55:44 4,608 "C:\WINDOWS\system32\ismon.exe"
2006-08-13 16:55:30 28,672 "C:\WINDOWS\system32\sawaq.exe"
2006-08-12 14:59:34 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:07:38 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-26 12:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-08-13 16:55:30 51,712 "C:\WINDOWS\system32\ixgvhlw.dll"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-07-13 08:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-08-11 18:06:04 573,492 "C:\WINDOWS\system32\ddaba.dll"
2006-07-21 03:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
2006-08-13 16:47:06 127,488 "C:\WINDOWS\system32\hnuyc.dat"
2006-08-13 16:34:18 386 "C:\WINDOWS\blnch.dll"
2006-08-13 16:55:30 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uxsww.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


08/13/2006 04:47 PM 127,488 hnuyc.dat.vir
08/13/2006 04:55 PM 127,488 uxsww.exe.vir
08/13/2006 04:55 PM 51,712 ixgvhlw.dll.vir
08/13/2006 04:55 PM 28,672 sawaq.exe.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-08-11 17:59:46 32,784 "C:\WINDOWS\system32\ishost.exe"
2006-08-13 16:55:44 4,608 "C:\WINDOWS\system32\ismon.exe"
2006-08-12 14:59:34 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:07:38 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-07-13 08:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-06-26 12:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-08-11 18:06:04 573,492 "C:\WINDOWS\system32\ddaba.dll"
2006-07-21 03:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
2006-08-13 16:34:18 386 "C:\WINDOWS\blnch.dll"


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



17:10:00.39
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-13 16:55:44 4608 ( A.... ) "C:\WINDOWS\system32\ismon.exe"
2006-08-13 16:34:18 386 ( A.... ) "C:\WINDOWS\blnch.dll"
2006-08-13 15:59:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-12 23:49:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-12 23:24:24 ( .D... ) "C:\Program Files\a-squared Anti-Malware"
2006-08-12 15:01:22 106496 ( A.... ) "C:\WINDOWS\Duce6.exe"
2006-08-12 15:00:00 61952 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-08-12 15:00:00 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 14:59:52 214748 ( A.... ) "C:\WINDOWS\Setup90.exe"
2006-08-12 14:59:34 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:08:12 61952 ( A.... ) "C:\WINDOWS\system32\ohce5aba.dll"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:07:38 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms0526428-3976.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms04626428-3972006.exe"
2006-08-11 18:06:26 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-08-11 18:06:04 573492 ( ..SH. ) "C:\WINDOWS\system32\ddaba.dll"
2006-08-11 18:02:32 ( .D... ) "C:\Program Files\WinRAR"
2006-08-11 18:00:20 2 ( A.... ) "C:\WINDOWS\system32\wnsintsv.exe"
2006-08-11 18:00:18 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?racle"
2006-08-11 18:00:00 70656 ( A.... ) "C:\WINDOWS\system32\btpanuib.dll"
2006-08-11 17:59:46 32784 ( A.... ) "C:\WINDOWS\system32\ishost.exe"
2006-08-11 17:59:44 ( .D... ) "C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}"
2006-08-11 17:59:38 15872 ( A.... ) "C:\WINDOWS\system32\winrkp32.dll"
2006-08-11 11:05:48 155648 ( A.... ) "C:\WINDOWS\sys01397626428-.exe"
2006-08-09 01:01:08 ( .D... ) "C:\Program Files\MindArk"
2006-08-08 13:07:58 ( .D... ) "C:\Program Files\Google"
2006-08-08 13:06:34 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Xfire"
2006-08-08 13:06:32 ( .DS.. ) "C:\Program Files\Xfire"
2006-08-08 12:58:20 ( .D... ) "C:\Program Files\America's Army"
2006-07-28 09:30:32 236824 ( A.... ) "C:\WINDOWS\system32\xactengine2_3.dll"
2006-07-28 09:30:14 62744 ( A.... ) "C:\WINDOWS\system32\xinput1_2.dll"
2006-07-27 08:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 03:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-17 23:31:48 ( .D... ) "C:\Program Files\LimeWire"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 08:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 11:07:18 ( .D... ) "C:\Program Files\Microsoft IntelliPoint"
2006-07-05 05:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-26 12:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 12:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 13:38:58 53248 ( A.... ) "C:\WINDOWS\uni_ehhhh.exe"
2006-06-19 13:38:08 49152 ( A.... ) "C:\WINDOWS\uninst104.exe"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2005-06-29 17:15:20 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"
2004-12-29 02:12:44 0 ( A.... ) "C:\Program Files\EarthLink TotalAccessactions.met"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-13 15:54 66,048 C:\BFU.exe
2006-08-12 15:01 106,496 C:\WINDOWS\Duce6.exe
2006-08-12 14:59 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-12 14:59 48,187 C:\WINDOWS\system32\VSL03.exe
2006-08-12 14:59 214,748 C:\WINDOWS\Setup90.exe
2006-08-12 14:59 1,167 C:\WINDOWS\system32\aaa00000.sys
2006-08-12 03:21 218,112 C:\HijackThis.exe
2006-08-11 20:20 390,070,272 C:\pagefile.sys
2006-08-11 18:08 61,952 C:\WINDOWS\system32\ohce5aba.dll
2006-08-11 18:08 38,412 C:\WINDOWS\ssqbn.exe
2006-08-11 18:08 1,167 C:\WINDOWS\system32\ohce5aba.sys
2006-08-11 18:07 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-11 18:07 386 C:\WINDOWS\blnch.dll
2006-08-11 18:06 573,492 C:\WINDOWS\system32\ddaba.dll
2006-08-11 18:06 232,749 C:\WINDOWS\pf78.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms0526428-3976.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms04626428-3972006.exe
2006-08-11 18:06 127,574 C:\WINDOWS\system32\tsuninst.exe
2006-08-11 18:00 2 C:\WINDOWS\system32\wnsintsv.exe
2006-08-11 17:59 70,656 C:\WINDOWS\system32\btpanuib.dll
2006-08-11 17:59 4,608 C:\WINDOWS\system32\ismon.exe
2006-08-11 17:59 32,784 C:\WINDOWS\system32\ishost.exe
2006-08-11 17:59 15,872 C:\WINDOWS\system32\winrkp32.dll
2006-08-11 11:05 155,648 C:\WINDOWS\sys01397626428-.exe
2006-08-09 12:05 62,744 C:\WINDOWS\system32\xinput1_2.dll
2006-08-09 12:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-09 12:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-09 12:05 236,824 C:\WINDOWS\system32\xactengine2_3.dll
2006-08-09 12:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-09 12:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-09 12:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-09 12:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-09 12:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-08-09 12:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-09 12:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-09 12:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-09 12:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-09 12:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-08-09 12:04 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-17 23:32 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-17 23:32 49,248 C:\WINDOWS\system32\java.exe
2006-07-17 23:32 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"gckavisA"="C:\\WINDOWS\\gckavisA.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{E84CB3C4-09E4-1033-0517-040520040001}"="\"C:\\Program Files\\Common Files\\{E84CB3C4-09E4-1033-0517-040520040001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"SubscribedURL"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,40
"RestoredStateInfo"=hex:14,6d,4f,0c,41,c0,b4,74,30,4a,22,08,68,de,4f,0c,20,6d,\
4f,0c,fe,fe,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Compaq Connections.lnk"
"backup"="C:\\WINDOWS\\pss\\Compaq Connections.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMPAQ~1\\1940576\\Program\\BACKWE~1.EXE -startup"
"item"="Compaq Connections"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PopSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\PopSubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\POPSUB~1\\PopSub.exe "
"item"="PopSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\spysub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^uxsww.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"backup"="C:\\WINDOWS\\pss\\uxsww.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"item"="uxsww"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\IMStart.lnk"
"backup"="C:\\WINDOWS\\pss\\IMStart.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\InterMute\\IMStart.exe "
"item"="IMStart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morpheus.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Morpheus.lnk"
"backup"="C:\\WINDOWS\\pss\\Morpheus.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Morpheus\\Morpheus.exe -min"
"item"="Morpheus"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpamSubtract.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\SpamSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpamSubtract.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPAMSU~1\\SpamSub.exe "
"item"="SpamSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a905349c.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="a905349c"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\a905349c.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bhknqb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpgvqd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cpgvqd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_9"
"hkey"="HKLM"
"command"="c:\\\\dfndrff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TaskPanl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\" /C"
"hkey"="HKLM"
"command"="\" /C"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gckavisA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gckavisA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\gckavisA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="point32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_9"
"hkey"="HKLM"
"command"="c:\\\\kybrdff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0526428-3976]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0526428-3976"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0526428-3976.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_9"
"hkey"="HKLM"
"command"="c:\\\\nwnmff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 14 August 2006 - 02:41 AM

Hey there. Unfortunately a bit of the Combofix log and the Hijackthis log was cut off.
Please re-post them in separate replies.
David

#5 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 14 August 2006 - 03:25 AM

combo fix log__

Start Time= Sun 08/13/2006 16:57:15.26
Running from: C:\Documents and Settings\Owner\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaba
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6779262E-DBDD-49BE-9907-48D0529CDD66}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\icfxress.dll
C:\WINDOWS\SYSTEM32\kvdit142.dll
C:\WINDOWS\SYSTEM32\l4l60e3seh.dll
C:\WINDOWS\SYSTEM32\lv4m09h1e.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

17:05:18.82

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\sawaq.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-11 17:59:46 32,784 "C:\WINDOWS\system32\ishost.exe"
2006-08-13 16:55:44 4,608 "C:\WINDOWS\system32\ismon.exe"
2006-08-13 16:55:30 28,672 "C:\WINDOWS\system32\sawaq.exe"
2006-08-12 14:59:34 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:07:38 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-26 12:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-08-13 16:55:30 51,712 "C:\WINDOWS\system32\ixgvhlw.dll"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-07-13 08:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-08-11 18:06:04 573,492 "C:\WINDOWS\system32\ddaba.dll"
2006-07-21 03:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
2006-08-13 16:47:06 127,488 "C:\WINDOWS\system32\hnuyc.dat"
2006-08-13 16:34:18 386 "C:\WINDOWS\blnch.dll"
2006-08-13 16:55:30 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uxsww.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


08/13/2006 04:47 PM 127,488 hnuyc.dat.vir
08/13/2006 04:55 PM 127,488 uxsww.exe.vir
08/13/2006 04:55 PM 51,712 ixgvhlw.dll.vir
08/13/2006 04:55 PM 28,672 sawaq.exe.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-08-11 17:59:46 32,784 "C:\WINDOWS\system32\ishost.exe"
2006-08-13 16:55:44 4,608 "C:\WINDOWS\system32\ismon.exe"
2006-08-12 14:59:34 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:07:38 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-14 03:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-07-13 08:33:28 8,453,632 "C:\WINDOWS\system32\shell32.dll"
2006-06-26 12:37:10 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-08-11 18:06:04 573,492 "C:\WINDOWS\system32\ddaba.dll"
2006-07-21 03:24:44 72,704 "C:\WINDOWS\system32\hlink.dll"
2006-08-13 16:34:18 386 "C:\WINDOWS\blnch.dll"


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



17:10:00.39
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-13 16:55:44 4608 ( A.... ) "C:\WINDOWS\system32\ismon.exe"
2006-08-13 16:34:18 386 ( A.... ) "C:\WINDOWS\blnch.dll"
2006-08-13 15:59:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-12 23:49:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-12 23:24:24 ( .D... ) "C:\Program Files\a-squared Anti-Malware"
2006-08-12 15:01:22 106496 ( A.... ) "C:\WINDOWS\Duce6.exe"
2006-08-12 15:00:00 61952 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-08-12 15:00:00 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 14:59:52 214748 ( A.... ) "C:\WINDOWS\Setup90.exe"
2006-08-12 14:59:34 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:08:12 61952 ( A.... ) "C:\WINDOWS\system32\ohce5aba.dll"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:07:38 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms0526428-3976.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms04626428-3972006.exe"
2006-08-11 18:06:26 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-08-11 18:06:04 573492 ( ..SH. ) "C:\WINDOWS\system32\ddaba.dll"
2006-08-11 18:02:32 ( .D... ) "C:\Program Files\WinRAR"
2006-08-11 18:00:20 2 ( A.... ) "C:\WINDOWS\system32\wnsintsv.exe"
2006-08-11 18:00:18 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?racle"
2006-08-11 18:00:00 70656 ( A.... ) "C:\WINDOWS\system32\btpanuib.dll"
2006-08-11 17:59:46 32784 ( A.... ) "C:\WINDOWS\system32\ishost.exe"
2006-08-11 17:59:44 ( .D... ) "C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}"
2006-08-11 17:59:38 15872 ( A.... ) "C:\WINDOWS\system32\winrkp32.dll"
2006-08-11 11:05:48 155648 ( A.... ) "C:\WINDOWS\sys01397626428-.exe"
2006-08-09 01:01:08 ( .D... ) "C:\Program Files\MindArk"
2006-08-08 13:07:58 ( .D... ) "C:\Program Files\Google"
2006-08-08 13:06:34 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Xfire"
2006-08-08 13:06:32 ( .DS.. ) "C:\Program Files\Xfire"
2006-08-08 12:58:20 ( .D... ) "C:\Program Files\America's Army"
2006-07-28 09:30:32 236824 ( A.... ) "C:\WINDOWS\system32\xactengine2_3.dll"
2006-07-28 09:30:14 62744 ( A.... ) "C:\WINDOWS\system32\xinput1_2.dll"
2006-07-27 08:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 03:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-17 23:31:48 ( .D... ) "C:\Program Files\LimeWire"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 08:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 11:07:18 ( .D... ) "C:\Program Files\Microsoft IntelliPoint"
2006-07-05 05:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-26 12:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 12:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 13:38:58 53248 ( A.... ) "C:\WINDOWS\uni_ehhhh.exe"
2006-06-19 13:38:08 49152 ( A.... ) "C:\WINDOWS\uninst104.exe"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2005-06-29 17:15:20 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"
2004-12-29 02:12:44 0 ( A.... ) "C:\Program Files\EarthLink TotalAccessactions.met"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-13 15:54 66,048 C:\BFU.exe
2006-08-12 15:01 106,496 C:\WINDOWS\Duce6.exe
2006-08-12 14:59 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-12 14:59 48,187 C:\WINDOWS\system32\VSL03.exe
2006-08-12 14:59 214,748 C:\WINDOWS\Setup90.exe
2006-08-12 14:59 1,167 C:\WINDOWS\system32\aaa00000.sys
2006-08-12 03:21 218,112 C:\HijackThis.exe
2006-08-11 20:20 390,070,272 C:\pagefile.sys
2006-08-11 18:08 61,952 C:\WINDOWS\system32\ohce5aba.dll
2006-08-11 18:08 38,412 C:\WINDOWS\ssqbn.exe
2006-08-11 18:08 1,167 C:\WINDOWS\system32\ohce5aba.sys
2006-08-11 18:07 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-11 18:07 386 C:\WINDOWS\blnch.dll
2006-08-11 18:06 573,492 C:\WINDOWS\system32\ddaba.dll
2006-08-11 18:06 232,749 C:\WINDOWS\pf78.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms0526428-3976.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms04626428-3972006.exe
2006-08-11 18:06 127,574 C:\WINDOWS\system32\tsuninst.exe
2006-08-11 18:00 2 C:\WINDOWS\system32\wnsintsv.exe
2006-08-11 17:59 70,656 C:\WINDOWS\system32\btpanuib.dll
2006-08-11 17:59 4,608 C:\WINDOWS\system32\ismon.exe
2006-08-11 17:59 32,784 C:\WINDOWS\system32\ishost.exe
2006-08-11 17:59 15,872 C:\WINDOWS\system32\winrkp32.dll
2006-08-11 11:05 155,648 C:\WINDOWS\sys01397626428-.exe
2006-08-09 12:05 62,744 C:\WINDOWS\system32\xinput1_2.dll
2006-08-09 12:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-09 12:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-09 12:05 236,824 C:\WINDOWS\system32\xactengine2_3.dll
2006-08-09 12:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-09 12:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-09 12:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-09 12:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-09 12:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-08-09 12:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-09 12:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-09 12:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-09 12:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-09 12:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-08-09 12:04 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-17 23:32 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-17 23:32 49,248 C:\WINDOWS\system32\java.exe
2006-07-17 23:32 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"gckavisA"="C:\\WINDOWS\\gckavisA.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{E84CB3C4-09E4-1033-0517-040520040001}"="\"C:\\Program Files\\Common Files\\{E84CB3C4-09E4-1033-0517-040520040001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"SubscribedURL"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,40
"RestoredStateInfo"=hex:14,6d,4f,0c,41,c0,b4,74,30,4a,22,08,68,de,4f,0c,20,6d,\
4f,0c,fe,fe,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Compaq Connections.lnk"
"backup"="C:\\WINDOWS\\pss\\Compaq Connections.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMPAQ~1\\1940576\\Program\\BACKWE~1.EXE -startup"
"item"="Compaq Connections"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PopSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\PopSubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\POPSUB~1\\PopSub.exe "
"item"="PopSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\spysub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^uxsww.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"backup"="C:\\WINDOWS\\pss\\uxsww.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"item"="uxsww"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\IMStart.lnk"
"backup"="C:\\WINDOWS\\pss\\IMStart.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\InterMute\\IMStart.exe "
"item"="IMStart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morpheus.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Morpheus.lnk"
"backup"="C:\\WINDOWS\\pss\\Morpheus.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Morpheus\\Morpheus.exe -min"
"item"="Morpheus"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpamSubtract.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\SpamSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpamSubtract.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPAMSU~1\\SpamSub.exe "
"item"="SpamSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a905349c.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="a905349c"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\a905349c.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bhknqb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpgvqd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cpgvqd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_9"
"hkey"="HKLM"
"command"="c:\\\\dfndrff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TaskPanl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\" /C"
"hkey"="HKLM"
"command"="\" /C"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gckavisA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gckavisA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\gckavisA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="point32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_9"
"hkey"="HKLM"
"command"="c:\\\\kybrdff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0526428-3976]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0526428-3976"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0526428-3976.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_9"
"hkey"="HKLM"
"command"="c:\\\\nwnmff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA6P_0001_N91M1807]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winantiviruspro2006freeinstall[1]"
"hkey"="HKLM"
"command"="\"c:\\documents and settings\\owner\\application data\\winantiviruspro2006freeinstall[1].exe\" -nag "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ohce5aba]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4ec4342.dll,n 002e5ab8000000034ec4342"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w4ece444.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4ece444.dll,I2 002e5ab804ece444"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WebRebates0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32098-39762642]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32098-39762642"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32098-39762642.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xeror]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpgvqd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\cpgvqd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder

Completion time: Sun 08/13/2006 17:10:31.03
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-13.165715.txt


hijackthis log__

Logfile of HijackThis v1.99.1
Scan saved at 5:14:14 PM, on 8/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [gckavisA] C:\WINDOWS\gckavisA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\gckavis.exe (file missing)

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 14 August 2006 - 03:41 AM

It is strange that there are no 02's or 020's in the log.
A new infection is hiding these entries from a Hijackthis scan.
This means certain infections cannot be seen and are therefore hidden to the helper.
Go to this folder where Hijackthis is kept and rename the hijackthis application to "analyse".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "analyse.exe" by double clicking.
Post a new Hijackthis log from the newly named application

#7 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 14 August 2006 - 12:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:00:46 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\4eea0453.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {46B3DB8C-B2B4-4FE8-837A-B032170FEB17} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [gckavisA] C:\WINDOWS\gckavisA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [4eea0453.exe] C:\WINDOWS\system32\4eea0453.exe
O4 - HKCU\..\Run: [4eea0453.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\4eea0453.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g82155875.dll (file missing)
O20 - Winlogon Notify: ddaba - C:\WINDOWS\system32\ddaba.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\gckavis.exe (file missing)

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 14 August 2006 - 12:42 PM

Hey there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\SYSTEM32\winrkp32.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say yes.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less - Click OK
When VundoFix re-opens, click "Scan for Vundo" button.
Once the scan is complete, right Click inside the listbox (white box) and click "add more files"
Copy and paste the 2 entries below into the top 2 boxes (no arrows):

--> C:\WINDOWS\system32\ddaba.dll
--> C:\WINDOWS\system32\abadd.*

Click "Add Files" and click "Close Window".
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo - this is normal.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

David

#9 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 14 August 2006 - 01:41 PM

Ad-Aware SE Personal
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Agere Systems PCI Soft Modem
a-squared Anti-Malware 2.0
Call of Duty
Call of Duty - United Offensive
Command & Conquer Generals
Command and ConquerTM Generals Zero Hour
Compaq Connections
Compaq Instant Support
Compaq Organize
Entropia Universe
ewido anti-spyware 4.0
HijackThis 1.99.1
HP PSC & OfficeJet 3.5
HP Software Update
IGN Download Manager 2.1.2
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
Internet Explorer 7 Beta 2 Preview
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
KalOnlineEng
KBD
LimeWire 4.12.3
LiveUpdate 3.0 (Symantec Corporation)
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash Player 8
Macromedia Shockwave Player
Medal of Honor Allied Assault
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Works 7.0
MSN Messenger 7.5
MSN Music Assistant
MSN Toolbar
NVIDIA Drivers
Quicken 2004
QuickTime
RealPlayer
RecordNow!
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Sonic Update Manager
SPBBC
Spybot - Search & Destroy 1.4
TeamSpeak 2 RC2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Web Office Pro Keyboard
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Xfire (remove only)
Yahoo! Messenger

VundoFix V5.1.11

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 1:27:00 PM 8/14/2006

Listing files found while scanning....


VundoFix V5.1.11

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 1:30:09 PM 8/14/2006

Listing files found while scanning....

C:\windows\system32\ddaba.dll
C:\windows\system32\abadd.ini
C:\windows\system32\abadd.bak1
C:\windows\system32\abadd.bak2
C:\windows\system32\abadd.ini2
C:\windows\system32\abadd.tmp

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\ddaba.dll
C:\windows\system32\ddaba.dll Has been deleted!

Attempting to delete C:\windows\system32\abadd.ini
C:\windows\system32\abadd.ini Has been deleted!

Attempting to delete C:\windows\system32\abadd.bak1
C:\windows\system32\abadd.bak1 Has been deleted!

Attempting to delete C:\windows\system32\abadd.bak2
C:\windows\system32\abadd.bak2 Has been deleted!

Attempting to delete C:\windows\system32\abadd.ini2
C:\windows\system32\abadd.ini2 Has been deleted!

Attempting to delete C:\windows\system32\abadd.tmp
C:\windows\system32\abadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 1:37:01 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\4eea0453.exe
C:\WINDOWS\system32\ismon.exe
C:\analyse.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [gckavisA] C:\WINDOWS\gckavisA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [4eea0453.exe] C:\WINDOWS\system32\4eea0453.exe
O4 - HKCU\..\Run: [4eea0453.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\4eea0453.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g82155875.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\gckavis.exe (file missing)

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 14 August 2006 - 01:52 PM

Hey there,
Good work, we're removing another infection each time.

You are using the LimeWire p2p file sharing program.
This is not technically malware by itself, but it installs malware in order to run properly.
It also opens the door for every other nasty program you can think of.
I strongly recommend that you remove it from your computer.
Read this article for alternatives that will provide some of the same function without the garbage:
http://www.spywareinfo.com/articles/p2p/

I suggest you remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
LimeWire

This is another article you can read:
http://www.cexx.org/adware.htm

Open notepad and copy and paste next in it:

sc delete "Windows Overlay Components"

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat and let the program run.

Please reboot and post a new Hijackthis log and a new Combofix log,
David

#11 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 15 August 2006 - 03:05 AM

Hey D, I'm sorry about the delayed posts all the time. But lately Iv'e been puting in alot of hours at work(working very odd hours as well). Couple of things real quick b4 my scans are done. I don't know if I should or shouldn't have had my inet connected this whole time, but i have NOT had my inet connected due to the pop ups I was getting (only had it connected for updating the programs you had me run). Also, is it normal to have SO many svchost.exe programs running?

Start Time= Tue 08/15/2006 2:55:12.96
Running from: C:\Documents and Settings\Owner\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-15 02:54:50 4608 ( A.... ) "C:\WINDOWS\system32\ismon.exe"
2006-08-14 12:54:30 ( .D... ) "C:\Program Files\Lavasoft"
2006-08-13 17:23:46 0 ( A.... ) "C:\WINDOWS\system32\loaded.exe"
2006-08-13 17:23:44 21504 ( A.... ) "C:\WINDOWS\system32\4eea0453.exe"
2006-08-13 16:34:18 386 ( A.... ) "C:\WINDOWS\blnch.dll"
2006-08-13 15:59:46 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-12 23:49:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-12 23:24:24 ( .D... ) "C:\Program Files\a-squared Anti-Malware"
2006-08-12 15:01:22 106496 ( A.... ) "C:\WINDOWS\Duce6.exe"
2006-08-12 15:00:00 61952 ( A.... ) "C:\WINDOWS\system32\aaa00000.dll"
2006-08-12 15:00:00 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 15:00:00 1167 ( A.... ) "C:\WINDOWS\system32\aaa00000.sys"
2006-08-12 14:59:52 214748 ( A.... ) "C:\WINDOWS\Setup90.exe"
2006-08-12 14:59:34 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-08-11 18:08:12 61952 ( A.... ) "C:\WINDOWS\system32\ohce5aba.dll"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:08:12 1167 ( A.... ) "C:\WINDOWS\system32\ohce5aba.sys"
2006-08-11 18:07:38 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms0526428-3976.exe"
2006-08-11 18:07:10 155648 ( A.... ) "C:\WINDOWS\ms04626428-3972006.exe"
2006-08-11 18:06:26 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-08-11 18:02:32 ( .D... ) "C:\Program Files\WinRAR"
2006-08-11 18:00:20 2 ( A.... ) "C:\WINDOWS\system32\wnsintsv.exe"
2006-08-11 18:00:18 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?racle"
2006-08-11 18:00:00 70656 ( A.... ) "C:\WINDOWS\system32\btpanuib.dll"
2006-08-11 17:59:46 32784 ( A.... ) "C:\WINDOWS\system32\ishost.exe"
2006-08-11 17:59:44 ( .D... ) "C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}"
2006-08-11 11:05:48 155648 ( A.... ) "C:\WINDOWS\sys01397626428-.exe"
2006-08-09 01:01:08 ( .D... ) "C:\Program Files\MindArk"
2006-08-08 13:07:58 ( .D... ) "C:\Program Files\Google"
2006-08-08 13:06:34 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Xfire"
2006-08-08 13:06:32 ( .DS.. ) "C:\Program Files\Xfire"
2006-08-08 12:58:20 ( .D... ) "C:\Program Files\America's Army"
2006-07-28 09:30:32 236824 ( A.... ) "C:\WINDOWS\system32\xactengine2_3.dll"
2006-07-28 09:30:14 62744 ( A.... ) "C:\WINDOWS\system32\xinput1_2.dll"
2006-07-27 08:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 03:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-17 23:31:48 ( .D... ) "C:\Program Files\LimeWire"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 08:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 11:07:18 ( .D... ) "C:\Program Files\Microsoft IntelliPoint"
2006-07-05 05:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-26 12:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 12:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 13:38:58 53248 ( A.... ) "C:\WINDOWS\uni_ehhhh.exe"
2006-06-19 13:38:08 49152 ( A.... ) "C:\WINDOWS\uninst104.exe"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2005-06-29 17:15:20 774144 ( A.... ) "C:\Program Files\RngInterstitial.dll"
2004-12-29 02:12:44 0 ( A.... ) "C:\Program Files\EarthLink TotalAccessactions.met"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-13 17:23 21,504 C:\WINDOWS\system32\4eea0453.exe
2006-08-13 17:23 0 C:\WINDOWS\system32\loaded.exe
2006-08-13 15:54 66,048 C:\BFU.exe
2006-08-12 15:01 106,496 C:\WINDOWS\Duce6.exe
2006-08-12 14:59 61,952 C:\WINDOWS\system32\aaa00000.dll
2006-08-12 14:59 48,187 C:\WINDOWS\system32\VSL03.exe
2006-08-12 14:59 214,748 C:\WINDOWS\Setup90.exe
2006-08-12 14:59 1,167 C:\WINDOWS\system32\aaa00000.sys
2006-08-12 03:21 218,112 C:\analyse.exe
2006-08-11 20:20 390,070,272 C:\pagefile.sys
2006-08-11 18:08 61,952 C:\WINDOWS\system32\ohce5aba.dll
2006-08-11 18:08 38,412 C:\WINDOWS\ssqbn.exe
2006-08-11 18:08 1,167 C:\WINDOWS\system32\ohce5aba.sys
2006-08-11 18:07 48,167 C:\WINDOWS\system32\VSL05.exe
2006-08-11 18:07 386 C:\WINDOWS\blnch.dll
2006-08-11 18:06 232,749 C:\WINDOWS\pf78.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms0526428-3976.exe
2006-08-11 18:06 155,648 C:\WINDOWS\ms04626428-3972006.exe
2006-08-11 18:00 2 C:\WINDOWS\system32\wnsintsv.exe
2006-08-11 17:59 70,656 C:\WINDOWS\system32\btpanuib.dll
2006-08-11 17:59 4,608 C:\WINDOWS\system32\ismon.exe
2006-08-11 17:59 32,784 C:\WINDOWS\system32\ishost.exe
2006-08-11 11:05 155,648 C:\WINDOWS\sys01397626428-.exe
2006-08-09 12:05 62,744 C:\WINDOWS\system32\xinput1_2.dll
2006-08-09 12:05 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-09 12:05 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-09 12:05 236,824 C:\WINDOWS\system32\xactengine2_3.dll
2006-08-09 12:05 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-09 12:05 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-09 12:05 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-09 12:05 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-09 12:05 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-08-09 12:05 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-09 12:05 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-09 12:05 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-09 12:05 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-09 12:05 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-08-09 12:04 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-07-17 23:32 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-17 23:32 49,248 C:\WINDOWS\system32\java.exe
2006-07-17 23:32 127,078 C:\WINDOWS\system32\javaws.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"gckavisA"="C:\\WINDOWS\\gckavisA.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"4eea0453.exe"="C:\\WINDOWS\\system32\\4eea0453.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"4eea0453.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\4eea0453.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ishost.exe"="ishost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{E84CB3C4-09E4-1033-0517-040520040001}"="\"C:\\Program Files\\Common Files\\{E84CB3C4-09E4-1033-0517-040520040001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"SubscribedURL"="http://www.mudvayne.com/LostAndFound/photos/current/image1.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,12,03,00,00,19,01,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,40
"RestoredStateInfo"=hex:14,6d,4f,0c,41,c0,b4,74,30,4a,22,08,68,de,4f,0c,20,6d,\
4f,0c,fe,fe,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Compaq Connections.lnk"
"backup"="C:\\WINDOWS\\pss\\Compaq Connections.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMPAQ~1\\1940576\\Program\\BACKWE~1.EXE -startup"
"item"="Compaq Connections"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PopSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\PopSubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\POPSUB~1\\PopSub.exe "
"item"="PopSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\spysub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^uxsww.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"backup"="C:\\WINDOWS\\pss\\uxsww.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\uxsww.exe"
"item"="uxsww"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\IMStart.lnk"
"backup"="C:\\WINDOWS\\pss\\IMStart.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\InterMute\\IMStart.exe "
"item"="IMStart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morpheus.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Morpheus.lnk"
"backup"="C:\\WINDOWS\\pss\\Morpheus.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Morpheus\\Morpheus.exe -min"
"item"="Morpheus"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpamSubtract.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\SpamSubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpamSubtract.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPAMSU~1\\SpamSub.exe "
"item"="SpamSubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a905349c.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="a905349c"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\a905349c.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bhknqb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpgvqd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cpgvqd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_9"
"hkey"="HKLM"
"command"="c:\\\\dfndrff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TaskPanl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\" /C"
"hkey"="HKLM"
"command"="\" /C"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gckavisA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gckavisA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\gckavisA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="point32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_9"
"hkey"="HKLM"
"command"="c:\\\\kybrdff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0526428-3976]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0526428-3976"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0526428-3976.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_9"
"hkey"="HKLM"
"command"="c:\\\\nwnmff_9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA6P_0001_N91M1807]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winantiviruspro2006freeinstall[1]"
"hkey"="HKLM"
"command"="\"c:\\documents and settings\\owner\\application data\\winantiviruspro2006freeinstall[1].exe\" -nag "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ohce5aba]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4ec4342.dll,n 002e5ab8000000034ec4342"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VTTimer"
"hkey"="HKLM"
"command"="VTTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w4ece444.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4ece444.dll,I2 002e5ab804ece444"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WebRebates0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32098-39762642]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32098-39762642"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32098-39762642.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xeror]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cpgvqd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\cpgvqd.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: Tue 08/15/2006 2:58:10.28
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-13.165715.txt
ComboFix.2006-08-15.025512.txt

Logfile of HijackThis v1.99.1
Scan saved at 3:02:57 AM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\4eea0453.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [gckavisA] C:\WINDOWS\gckavisA.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [4eea0453.exe] C:\WINDOWS\system32\4eea0453.exe
O4 - HKCU\..\Run: [4eea0453.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\4eea0453.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g82155875.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 15 August 2006 - 04:51 AM

Hello there,

It is perfectly normal for so many svchost's to be running.
I have about 8 open now. :thumbsup:

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [gckavisA] C:\WINDOWS\gckavisA.exe
O4 - HKLM\..\Run: [4eea0453.exe] C:\WINDOWS\system32\4eea0453.exe
O4 - HKCU\..\Run: [4eea0453.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\4eea0453.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g82155875.dll (file missing)
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"gckavisA"=-
"4eea0453.exe"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"4eea0453.exe"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^uxsww.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a905349c.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bhknqb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gckavisA]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms0526428-3976]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA6P_0001_N91M1807]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ohce5aba]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w4ece444.dll]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32098-39762642]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xeror]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\loaded.exe
C:\WINDOWS\system32\4eea0453.exe
C:\WINDOWS\blnch.dll
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\VSL03.exe
C:\WINDOWS\system32\ohce5aba.dll
C:\WINDOWS\system32\ohce5aba.sys
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\ms0526428-3976.exe
C:\WINDOWS\ms04626428-3972006.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\btpanuib.dll
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\sys01397626428-.exe
C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}\update.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\4eea0453.exe
C:\WINDOWS\gckavisA.exe
C:\WINDOWS\system32\a905349c.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uxsww.exe
C:\WINDOWS\win32098-39762642.exe
C:\WINDOWS\system32\cpgvqd.exe
c:\dfndrff_9.exe
C:\WINDOWS\system32\cpgvqd.exe
c:\kybrdff_9.exe
C:\WINDOWS\ms0526428-3976.exe
c:\nwnmff_9.exe
C:\WINDOWS\SYSC00.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard
You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, let me know if there appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Then delete this folder:
C:\Program Files\Common Files\{E84CB3C4-09E4-1033-0517-040520040001}

Please post back with a new Hijackthis log.
David

#13 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 15 August 2006 - 05:35 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:33:39 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:15 PM

Posted 16 August 2006 - 03:06 AM

Hey there,

I see a clean log now :thumbsup:
However I want to run one last scanner.
I also want to see a new combofix log.

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log. Also post a new combofix log.
How is the computer running now?

David

#15 LilVix

LilVix
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:15 AM

Posted 16 August 2006 - 03:52 AM

hey i got this error, i rebooted and same thing. just some settings need to be changed?

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileg




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users