
Ibm00001.exe Infection


  • This topic is locked
72 replies to this topic

#1 NovaPulse

NovaPulse

  • Members
  • 76 posts

Posted 27 September 2006 - 08:41 PM

OK, here is my HijackThis log. I think I'm infected with ibm00001.exe because every time I boot up on my desktop, that error saying it can't detect ibm00001.exe comes up and then it gives me the blue screen of death. The only way to get on my PC basically is to do safe mode now. I'm new to this HJT program and I wanted to find out which programs I need to delete or fix. HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:20:08 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Documents and Settings\Administrator.D9Q6VT31\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ycalheo.exe
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127948426\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [wpguww] C:\WINDOWS\system32\xxcdwy.exe reg_run
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loaddr] C:\yomhbmm.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e16.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e16.exe
O4 - HKLM\..\Run: [win_drivr32] C:\WINDOWS\system32\spibohst.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe"
O4 - Global Startup: pfned.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...cab?id=12898562
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {349AE9FE-0C1E-3DB0-050B-4DB85EC8E8BB} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
O16 - DPF: {690F6E87-3134-4D3B-10B6-07081AFE87E7} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: bw+0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\irpul5791.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ati3duag.exe - Unknown owner - C:\WINDOWS\system32\ati3duag.exe (file missing)
O23 - Service: fxsmon.exe - Unknown owner - C:\WINDOWS\system32\fxsmon.exe (file missing)
O23 - Service: icmui.exe - Unknown owner - C:\WINDOWS\system32\icmui.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: licmgr10.exe - Unknown owner - C:\WINDOWS\system32\licmgr10.exe (file missing)
O23 - Service: lprmonui.exe - Unknown owner - C:\WINDOWS\system32\lprmonui.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: msdtcprx.exe - Unknown owner - C:\WINDOWS\system32\msdtcprx.exe
O23 - Service: Network Monitor - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: oddbse32.exe - Unknown owner - C:\WINDOWS\system32\oddbse32.exe (file missing)
O23 - Service: oleprn.exe - Unknown owner - C:\WINDOWS\system32\oleprn.exe (file missing)
O23 - Service: usrcntra.exe - Unknown owner - C:\WINDOWS\system32\usrcntra.exe (file missing)
O23 - Service: version.exe - Unknown owner - C:\WINDOWS\system32\version.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmpcd.exe - Unknown owner - C:\WINDOWS\system32\wmpcd.exe (file missing)


Please help me, thanks.


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 28 September 2006 - 12:03 PM

Hello, let's get started :thumbsup:

First, can you please run a scan with HijackThis and check the following O18 entries for removal to make the log clearer.

This one: O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)

Then ALL the "Logitech Desktop messenger" O18 entries EXCEPT leave ONE.

This one, for example, and all the others like it, except leave just ONE:

O18 - Protocol: bwv0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Then close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

-------

Then let's get on with the actual cleaning.

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
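The first pass Rawe describes above is done by eye: spot the O18 handler registered dozens of times for the same Logitech DLL, spot entries whose file is gone, and look hard at anything that changes what runs at logon (the F2 Shell= and UserInit= lines, O4 targets dropped straight into C:\). As an added example, not code from this thread and not part of HijackThis or ComboFix, the Python below applies those same triage rules to a HijackThis log automatically. The rule set is this example's own assumption about what deserves a second look, not a verdict on any entry; the sample log is constructed from a dozen lines of the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a dozen lines copied from the HijackThis log posted in
# this thread, enough to exercise every rule below.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ycalheo.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loaddr] C:\yomhbmm.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e16.exe
O18 - Protocol: bw+0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\irpul5791.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Network Monitor - Unknown owner - C:\WINDOWS\.exe (file missing)
"""

# Every HijackThis entry line starts with a section code such as F2, O4 or O18.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# An autorun target sitting directly in a drive root, e.g. C:\yomhbmm.exe or C:\\nwnmff_e16.exe.
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\\s]+\.exe$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (kind, body) pairs for the entry lines of a HijackThis log; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Apply the thread's manual checks to a log and return (kind, body, reason) findings.

    The rules are this example's assumptions about what merits a second look:
    logon hooks that run more than the stock binaries, autoruns living in a
    drive root, registrations whose file is gone, and O18 handlers registered
    many times for one CLSID/DLL (Rawe's "keep one, fix the rest").
    """
    findings = []
    handlers = defaultdict(list)  # (CLSID, dll path) -> O18 protocol entries that use it
    for kind, body in parse_entries(log_text):
        if kind == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((kind, body, "Shell= starts something besides explorer.exe at logon"))
        elif kind == "F2" and body.startswith("REG:system.ini: UserInit="):
            chain = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if not chain or len(chain) > 1 or not chain[0].lower().endswith("userinit.exe"):
                findings.append((kind, body, "UserInit= chain has been extended beyond userinit.exe"))
        elif kind == "O4":
            target = body.split("] ", 1)[1].strip() if "] " in body else body
            if ROOT_EXE_RE.match(target.strip('"')):
                findings.append((kind, body, "autorun target sits directly in a drive root"))
        elif kind == "O18" and body.startswith("Protocol:"):
            parts = [p.strip() for p in body.split(" - ")]  # ["Protocol: name", "{CLSID}", "path"]
            if len(parts) >= 3:
                handlers[(parts[1], parts[2].lower())].append(body)
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((kind, body, "registered component has no file on disk"))
    for (clsid, _path), bodies in handlers.items():
        for dup in bodies[1:]:  # keep the first registration, report the rest
            findings.append(("O18", dup, "duplicate protocol handler for %s; one registration is enough" % clsid))
    return findings


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (kind, body, reason))
```

Run it against a full log pasted into SAMPLE_LOG and the output is the same short list a helper would work from first; entries it does not print (the McAfee service, the QuickTime autorun) are ordinary and would need a different rule to appear. The duplicate-handler rule reports every registration after the first for the same CLSID and DLL, which is exactly the set Rawe asks to tick for removal.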

#3 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts

Posted 28 September 2006 - 06:05 PM

OK, I did everything you said and here is my ComboFix log.

Administrator - 06-09-28 18:26:32.37 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator.D9Q6VT31\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{59D69F1D-2901-4196-BC51-F694D0F82D55}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59D69F1D-2901-4196-BC51-F694D0F82D55}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59D69F1D-2901-4196-BC51-F694D0F82D55}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{59D69F1D-2901-4196-BC51-F694D0F82D55}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DE111817-FD3F-4934-86B6-D1B063A2C4F7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE111817-FD3F-4934-86B6-D1B063A2C4F7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE111817-FD3F-4934-86B6-D1B063A2C4F7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DE111817-FD3F-4934-86B6-D1B063A2C4F7}\InprocServer32]
@="C:\\WINDOWS\\system32\\cnrpol.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{589B2B8F-9A49-4ED6-91EC-203EBA1BD20B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{589B2B8F-9A49-4ED6-91EC-203EBA1BD20B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{589B2B8F-9A49-4ED6-91EC-203EBA1BD20B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{589B2B8F-9A49-4ED6-91EC-203EBA1BD20B}\InprocServer32]
@="C:\\WINDOWS\\system32\\czdial32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7CF84EF5-C66E-471C-9D3B-D21379B4794F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CF84EF5-C66E-471C-9D3B-D21379B4794F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CF84EF5-C66E-471C-9D3B-D21379B4794F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7CF84EF5-C66E-471C-9D3B-D21379B4794F}\InprocServer32]
@="C:\\WINDOWS\\system32\\NMTH.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D42DB04F-3E9E-4DE5-90B1-FE2D5CA0FEAB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D42DB04F-3E9E-4DE5-90B1-FE2D5CA0FEAB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D42DB04F-3E9E-4DE5-90B1-FE2D5CA0FEAB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D42DB04F-3E9E-4DE5-90B1-FE2D5CA0FEAB}\InprocServer32]
@="C:\\WINDOWS\\system32\\WKV8DMOD.DLL"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\CedLineExt.dll
C:\WINDOWS\SYSTEM32\czdial32.dll
C:\WINDOWS\SYSTEM32\ir24l5fq1.dll
C:\WINDOWS\SYSTEM32\irj0l51m1.dll
C:\WINDOWS\SYSTEM32\NMTH.DLL
C:\WINDOWS\SYSTEM32\wkauserv.dll
C:\WINDOWS\SYSTEM32\WKV8DMOD.DLL
C:\WINDOWS\SYSTEM32\wqps2.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKLM\...\Run C:\WINDOWS\system32\xxcdwy.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-09-03 01:38 127488 pfned.exe.qoo
06-09-03 01:36 127488 xxcdwy.exe.qoo
06-09-03 01:38 28672 ohshw.exe.qoo
06-09-01 20:40 53 bclveo.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator.D9Q6VT31\Application Data\Dxccwrd.dll
C:\Documents and Settings\Administrator.D9Q6VT31\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Deric Pujo\Application Data\Dxcknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drsmartload815a.exe
C:\dfndrff_e16.exe
C:\dfndrff_e17.exe
C:\drsmartload.exe
C:\drsmartload45a45a45k.exe
C:\drsmartload45a45a45m.exe
C:\deskbar.exe
C:\deskbar_e13.exe
C:\deskbar_e15.exe
C:\kybrdff_e16.exe
C:\kybrdff_e5.exe
C:\MTE3NDI6ODoxNg.exe
C:\nwnmff_e16.exe
C:\nwnmff_e17.exe
C:\nwnmff_e4.exe
C:\nwnmff_e5.exe
C:\warebundlenewer.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\wtscc.exe
C:\mte3ndi6odoxng.exe
C:\ucmoreiex.exe
C:\WINDOWS\Eim03.exe
C:\WINDOWS\uni_ehhhh.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\misc002
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\Program Files\ToolBar888
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{0C3B0EAB-0959-1033-0919-030512200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\SYSTEM32\CURITY~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\MBOLS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\STEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))


2006-09-28 18:08 24,296 --a------ C:\WINDOWS\icont.exe
2006-09-28 17:41 25,000 --a------ C:\WINDOWS\SYSTEM32\svchostx.exe
2006-09-28 17:41 25,000 --a------ C:\WINDOWS\SYSTEM32\svchostp.exe
2006-09-28 17:41 20,000 --a------ C:\WINDOWS\SYSTEM32\svchosts.exe
2006-09-28 17:41 10,000 --a------ C:\WINDOWS\SYSTEM32\suchost.exe
2006-09-28 17:40 6,176 --a------ C:\WINDOWS\SYSTEM32\z12.exe
2006-09-28 17:40 15,000 --a------ C:\WINDOWS\SYSTEM32\spibohst.exe
2006-09-28 17:40 10,000 --a------ C:\WINDOWS\SYSTEM32\37E39.dll
2006-09-28 17:40 1,689 --a------ C:\WINDOWS\SYSTEM32\z14.exe
2006-09-28 17:39 578,560 --a------ C:\Installer4.exe
2006-09-28 17:39 328,272 --a------ C:\921_135.exe
2006-09-28 17:39 290,816 --a------ C:\installerwnusnewer.exe
2006-09-28 17:39 167,936 --ah----- C:\WINDOWS\SYSTEM32\gtool.dll
2006-09-28 17:38 367,616 --a------ C:\919_133.exe
2006-09-28 17:31 5,120 --a------ C:\ipww.exe
2006-09-28 17:31 35,084 --a------ C:\WINDOWS\SYSTEM32\scrrun.exe
2006-09-28 17:30 76,288 --a------ C:\fhayhktt.exe
2006-09-28 17:30 75,264 --a------ C:\lcqh.exe
2006-09-27 16:56 27,929 --a------ C:\WINDOWS\SYSTEM32\z15.exe
2006-09-27 16:56 10,000 --a------ C:\WINDOWS\SYSTEM32\474E74.dll
2006-09-27 15:42 8,637 --a------ C:\WINDOWS\SYSTEM32\cmd32.exe
2006-09-27 15:42 75,264 --a------ C:\crnab.exe
2006-09-27 15:42 14,336 --a------ C:\WINDOWS\SYSTEM32\z16.exe
2006-09-27 15:42 1,024 --a------ C:\hbtf.exe
2006-09-27 15:42 1,024 --a------ C:\cqxix.exe
2006-09-27 15:41 35,084 --a------ C:\WINDOWS\SYSTEM32\msrd2x35.exe
2006-09-27 15:41 1,024 --a------ C:\pyqjdt.exe
2006-09-27 15:41 1,024 --a------ C:\pvmbmww.exe
2006-09-27 15:40 8,192 --a------ C:\sbenlb.exe
2006-09-26 15:57 15,872 --a------ C:\WINDOWS\SYSTEM32\atmlib.exe
2006-09-16 14:45 353,280 --a------ C:\803_104.exe
2006-09-03 01:54 72,461 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MpFirewall.sys
2006-09-03 01:54 20,480 --a------ C:\WINDOWS\SYSTEM32\MpfApi.dll
2006-09-03 01:48 90,112 --a------ C:\WINDOWS\SYSTEM32\mcrtl32.dll
2006-09-02 22:58 65,536 --a------ C:\WINDOWS\wanmpsvc.exe
2006-09-02 22:57 33,588 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys
2006-09-01 20:41 991,232 --a------ C:\WINDOWS\SYSTEM32\rk.exe
2006-09-01 20:41 126,976 --a------ C:\WINDOWS\SYSTEM32\ieserv.exe
2006-09-01 20:38 931 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-09-01 20:38 419 --a------ C:\WINDOWS\vsijo.dll
2006-09-01 20:38 1,233 --a------ C:\WINDOWS\SYSTEM32\tphe472a.sys
2006-09-01 20:36 157,728 --a------ C:\WINDOWS\SYSTEM32\Fastmp3_Setup1.exe
2006-09-01 20:36 137,760 --a------ C:\WINDOWS\SYSTEM32\lame_enc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-28 18:29 -------- d-------- C:\Program Files\Common Files
2006-09-28 17:37 -------- d-------- C:\Program Files\Internet Explorer
2006-09-27 22:59 -------- d-------- C:\Program Files\TallStick
2006-09-27 21:28 -------- d-------- C:\Program Files\Security Stronghold
2006-09-27 20:54 -------- d-------- C:\Documents and Settings\Administrator.D9Q6VT31\Application Data\Aim
2006-09-27 19:41 -------- d-------- C:\Documents and Settings\Administrator.D9Q6VT31\Application Data\Registry Booster
2006-09-27 19:38 -------- d-------- C:\Program Files\Uniblue
2006-09-27 19:13 -------- d-------- C:\Documents and Settings\Administrator.D9Q6VT31\Application Data\Macromedia
2006-09-27 19:01 -------- d-------- C:\Program Files\America Online 9.0
2006-09-24 22:44 -------- d-------- C:\Program Files\WordPerfect Office 11
2006-09-24 22:44 -------- d-------- C:\Program Files\Common Files\Borland Shared
2006-09-24 22:43 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-23 16:40 -------- d-------- C:\Program Files\AIM
2006-09-23 16:39 -------- d-------- C:\Program Files\AOD
2006-09-16 14:51 -------- d--h----- C:\Program Files\Common Files\cloader
2006-09-06 23:15 -------- d-------- C:\Program Files\Sega Saturn
2006-09-03 01:54 -------- d-------- C:\Program Files\McAfee.com
2006-09-03 01:05 -------- d-------- C:\Program Files\Common Files\uimw
2006-09-03 01:03 -------- d-------- C:\Program Files\NetMeeting
2006-09-02 22:51 -------- d-------- C:\Program Files\Common Files\aolshare
2006-09-02 22:51 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-02 22:42 -------- d-------- C:\Program Files\AOL
2006-09-02 09:07 -------- d-------- C:\Program Files\Common Files\Stardock
2006-09-01 22:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-01 22:02 -------- d-------- C:\Program Files\MUSICMATCH
2006-09-01 21:58 -------- d-------- C:\Program Files\Yahoo!
2006-09-01 21:52 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-01 20:54 843886 --a------ C:\PPCleanDeleteAtReboot.bat
2006-08-28 22:06 -------- d-------- C:\Program Files\Rhapsody
2006-08-28 21:41 -------- d-------- C:\Program Files\Windows Media Player
2006-08-28 21:40 8413 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mcstrm.sys
2006-08-26 16:54 720896 --a------ C:\WINDOWS\iun6002.exe
2006-08-23 14:59 -------- d-------- C:\Program Files\Microsoft Games
2006-08-22 00:19 -------- d-------- C:\Program Files\Project64 1.6
2006-08-21 13:40 -------- d-------- C:\Program Files\mp3 meal
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-20 12:14 -------- d-------- C:\Program Files\Common Files\SystemRequirementsLab
2006-08-20 11:55 98304 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2006-08-19 22:33 -------- d-------- C:\Program Files\DAP
2006-08-19 10:34 -------- d-------- C:\Program Files\Stormregion
2006-08-16 15:05 -------- d-------- C:\Program Files\BitComet
2006-08-15 00:01 -------- d-------- C:\Program Files\D-Tools
2006-08-14 20:52 78848 --a------ C:\WINDOWS\SYSTEM32\nsk149.dll
2006-08-14 20:52 78848 --a------ C:\WINDOWS\SYSTEM32\nsg14D.dll
2006-08-13 21:02 35596 --a------ C:\WINDOWS\SYSTEM32\nsk149.exe
2006-08-05 22:26 -------- d-------- C:\Program Files\Adobe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"=""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"NeroHomeFirstStart"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMFirstStart.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"loaddr"="C:\\sbenlb.exe"
"win_drivr32"="C:\\WINDOWS\\system32\\spibohst.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"Pofovery Service"="C:\\WINDOWS\\system32\\suchost.exe"
"ControlPanel"="C:\\WINDOWS\\system32\\cmd32.exe internat.dll,LoadKeyboardProfile"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:20,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:20,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfned.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfned.exe"
"backup"="C:\\WINDOWS\\pss\\pfned.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfned.exe"
"item"="pfned"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Melissa Pujo^Start Menu^Programs^Startup^Popup Eliminator.lnk]
"path"="C:\\Documents and Settings\\Melissa Pujo\\Start Menu\\Programs\\Startup\\Popup Eliminator.lnk"
"backup"="C:\\WINDOWS\\pss\\Popup Eliminator.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\PALSOL~1\\POPUPE~1.EXE "
"item"="Popup Eliminator"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Melissa Pujo^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Melissa Pujo\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\dwdsregt.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Melissa Pujo^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Melissa Pujo\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\mwinspex.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BellSouthAlertManager.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BellSouthAlertManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\BellSouth\\Alert Manager\\BellSouthAlertManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BootSkin Startup Jobs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BootSkin"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Stardock\\WinCustomize\\BootSkin\\BootSkin.exe\" /StartupJobs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell AIO Printer A920]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbkbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSentry"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\DSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Emurayden PSX Emulator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BellSouthAlertManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\BellSouth\\Alert Manager\\BellSouthAlertManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwinspex"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\mwinspex.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1127948426\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISUSPM"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\JQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="JQ"
"hkey"="HKLM"
"command"="C:\\documents and settings\\melissa pujo\\local settings\\temp\\JQ.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sntnwdi"
"hkey"="HKLM"
"command"="C:\\sntnwdi.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogonStudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="logonstudio"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ps9j37h]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="camoader"
"hkey"="HKLM"
"command"="camoader.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qhcflosrt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ofxttbif"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ofxttbif.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Qpl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Qpl"
"hkey"="HKLM"
"command"="C:\\documents and settings\\melissa pujo\\local settings\\temp\\Qpl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Qwldifob]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="?hkntfs"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\?hkntfs.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Scr Flap Test Idol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Glue beep"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\jugsmeowscrflap\\Glue beep.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys01051969712]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys01051969712"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys01051969712.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys09205196971]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys09205196971"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys09205196971.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hcenter"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\tlnvx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xxcdwy"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\xxcdwy.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\tphe472a]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w109c097.dll,n 003e472700000003109c097"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win3207712051969]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3207712051969"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3207712051969.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win3208120519697]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3208120519697"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3208120519697.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\wpguww]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xxcdwy"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\xxcdwy.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xxluqzfA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xxluqzfA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\xxluqzfA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\{B0-0E-EA-AB-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ordsregp"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\ordsregp.exe GEN001"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AEC0633391281793.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (D9Q6VT31-Melissa Pujo).job

Completion time: Thu 09/28/2006 18:51:19.25
ComboFix.txt
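The Run-key lines in the Reg Loading Points section above are what a helper reads to separate legitimate startup entries from the ones that need removing. As an added example (not part of this thread, of ComboFix, or of any tool named here), the Python script below parses a handful of those lines, copied from the log (the JQ line from its MSCONFIG\Startupreg section), and applies three rules of thumb a reviewer uses: a program launched from the drive root, a program sitting in a temporary folder, and a file name one or two characters away from a Windows system binary such as svchost.exe. The list of system binaries and the edit-distance threshold are my own assumptions, not anything the thread states.

```python
import re

# Constructed sample in the format of the "Reg Loading Points" section of a
# ComboFix log. The malicious-looking entries are copied from the log above
# (the JQ line from its MSCONFIG\Startupreg section); two benign vendor
# entries are included for contrast.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"loaddr"="C:\\sbenlb.exe"
"win_drivr32"="C:\\WINDOWS\\system32\\spibohst.exe"
"Pofovery Service"="C:\\WINDOWS\\system32\\suchost.exe"
"ControlPanel"="C:\\WINDOWS\\system32\\cmd32.exe internat.dll,LoadKeyboardProfile"
"JQ"="C:\\documents and settings\\melissa pujo\\local settings\\temp\\JQ.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
'''

# Assumed list of Windows binaries that malware likes to imitate by name.
WINDOWS_BINARIES = ["svchost.exe", "cmd.exe", "lsass.exe", "csrss.exe", "smss.exe",
                    "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe"]


def _join_continuations(text):
    """Join .reg-style continuation lines (trailing backslash) into one line."""
    return re.sub(r"\\\n\s*", "", text)


def _unescape(value):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r'\\(["\\])', r'\1', value)


def _decode_hex(payload):
    """Decode a hex(2) (REG_EXPAND_SZ) value. This log writes them as
    single-byte NUL-terminated strings, which is all we handle here."""
    raw = bytes(int(b, 16) for b in payload.replace(" ", "").split(",") if b)
    return raw.decode("latin-1").rstrip("\x00")


def parse_run_entries(text):
    """Return {value name: command line} for every key ending in \\Run.
    Only plain string and hex(2) values are understood; others are skipped."""
    entries = {}
    current_key = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key or not current_key.lower().endswith("\\run"):
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            entries[name] = _unescape(value[1:-1])
        elif value.startswith("hex(2):"):
            entries[name] = _decode_hex(value[len("hex(2):"):])
    return entries


def executable_of(command):
    """Pull the program path out of an autorun command line: a quoted path,
    else everything up to the first .exe, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def _edit_distance(a, b):
    """Plain Levenshtein distance, used for the look-alike name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(path):
    """Heuristics a malware-removal helper applies to an autorun path.
    These are triage aids only; a random name in system32 is not caught."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        reasons.append("executable in drive root")
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        reasons.append("executable in a temporary folder")
    for known in WINDOWS_BINARIES:
        if name != known and _edit_distance(name, known) <= 2:
            reasons.append(f"name mimics {known}")
    return reasons


def triage(text):
    """Map each Run-key value name to (program path, reasons) for the
    entries that trip at least one heuristic."""
    findings = {}
    for name, command in parse_run_entries(text).items():
        path = executable_of(command)
        reasons = suspicious_reasons(path)
        if reasons:
            findings[name] = (path, reasons)
    return findings


if __name__ == "__main__":
    for name, (path, reasons) in triage(SAMPLE_LOG).items():
        print(f"{name!r}: {path}  <- {', '.join(reasons)}")
```

Running it prints the four entries that trip a rule (loaddr, Pofovery Service, ControlPanel, JQ). The win_drivr32 entry is deliberately not caught: a random-looking name inside system32 is exactly the kind of entry that only a scanner or a file lookup settles, which is why the log alone never closes a case.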

#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 29 September 2006 - 07:43 AM

Well, that got rid of some infections, but you've still got a whole lot of stuff there.

Please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
------

When you've got that finished:

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the Rootkit tab and click Scan.
  • Once done, click Copy.
  • This will copy the results to the clipboard.
  • Paste the results in your next reply. :thumbsup:

Hi there, stranger!

#5 NovaPulse

  • Topic Starter
  • Members
  • 76 posts

Posted 30 September 2006 - 06:05 PM

Here is the F-secure online scanner log results:

Scanning Report
Saturday, September 30, 2006 17:40:16 - 19:01:12
Computer name: D9Q6VT31
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 44 malware found
Adware.AdMedia (spyware)
System (Disinfected)
Adware.SearchingAll (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
AltnetBDE (spyware)
System (Disinfected)
BlazeFind (spyware)
System (Disinfected)
CoolWebSearch (spyware)
System (Disinfected)
CrackSpider (spyware)
System (Disinfected)
Dyfuca.HL.dropper (virus)
C:\919_133.EXE
Marketscore(Netsetter) (spyware)
System (Disinfected)
OverPro (spyware)
System (Disinfected)
Packed.Win32.PePatch.dw (virus)
C:\WINDOWS\SYSTEM32\Z16.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199351.EXE
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\WDCSADSAD
Packed.Win32.Tibs.g (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP372\A0191900.EXE
Possible Browser Hijack attempt (spyware)
System (Disinfected)
PromulGate (spyware)
System (Disinfected)
RXToolbar (spyware)
System (Disinfected)
Stealth_file (hidden item)
C:\WINDOWS\SYSTEM32\LZX32.SYS
VX2 (spyware)
System (Disinfected)
W32/Agent.YLZ (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMP\TMRWGEAN.EXE
W32/DLoader.AISD (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP349\A0183751.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP349\A0183752.EXE
W32/DLoader.AWRS.dropper (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\AXDAZML0\SI[1].EXE
W32/DLoader.AXIM (virus)
C:\SBENLB.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199355.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199370.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0202403.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0202436.EXE
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8ZBZ2OTT\GATKXBG[1].HTM
W32/DLoader.AXWT.dropper (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I1TC4E6Y\SI[1].EXE
W32/Downloader (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0202400.EXE
W32/Malware (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NEC3V5O9\FILE[1].HTM
W32/Midadle.F.dropper (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMP\MIDADDLE_SILENT.EXE
W32/PurityScan.ADH.dropper (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP369\A0191699.EXE
W32/Tofger.CD (virus)
C:\CQXIX.EXE
C:\HBTF.EXE
C:\PVMBMWW.EXE
C:\PYQJDT.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199347.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199348.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199356.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP376\A0199357.EXE
W32/Zapchast.PL (virus)
C:\DOCUMENTS AND SETTINGS\DERIC PUJO\LOCAL SETTINGS\TEMP\MIUNST_.EXE
WindUpdates (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 39886
System: 22100
Not scanned: 15
Actions:
Disinfected: 14
Renamed: 0
Deleted: 0
None: 30
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLQ329115$\REG00003
C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828028$\MSASN1.DLL
C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
C:\PROGRAM FILES\DAP\UPDATES\CONDITION.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0A27945A96D9A9477AB98DD680B1AAE1_1DCE0E75-1303-433A-BFC1-6B582BD25551
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\42426D0A96C63973AC543DCECF3EA445_1DCE0E75-1303-433A-BFC1-6B582BD25551
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B483CB5C298A5A6994AFD6208CED564B_1DCE0E75-1303-433A-BFC1-6B582BD25551

#6 NovaPulse

  • Topic Starter
  • Members
  • 76 posts

Posted 30 September 2006 - 07:22 PM

OK, so I downloaded GMER and did the scan... but I can't copy the results, because once it finishes the rootkit scan it automatically restarts. Is there a setting that will let me copy it before it restarts? I did the GMER scan 2 times but I couldn't get the results back. I know I'm getting somewhere, since the ibm00001.exe error is gone and the 3 black screens that come out as soon as my desktop loads are gone. Does that mean that I got rid of everything? Or is there another step I have to take after the GMER scan is done?

#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:55 PM

Posted 01 October 2006 - 05:29 AM

I know i'm getting somewhere since the ibm00001.exe error is gone and the 3 black screens that come out as soon as my desktop loads are gone. Does that mean that i got rid of everything? or is there another step i have to make after the Gmer scan is done?

No it does not, and yes there are A LOT of steps. You've got a whole load of malware there, including a rootkit infection. We'll need to work on this, so please be patient and don't disappear on me while fixing, just because there are no visible problems at the moment :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to the clipboard by clicking CTRL + C:

Drivers to unload:
LZX32

Files to delete:
C:\WINDOWS\icont.exe
C:\WINDOWS\SYSTEM32\svchostx.exe
C:\WINDOWS\SYSTEM32\svchostp.exe
C:\WINDOWS\SYSTEM32\svchosts.exe
C:\WINDOWS\SYSTEM32\suchost.exe
C:\WINDOWS\SYSTEM32\z12.exe
C:\WINDOWS\SYSTEM32\spibohst.exe
C:\WINDOWS\SYSTEM32\37E39.dll
C:\WINDOWS\SYSTEM32\z14.exe
C:\Installer4.exe
C:\921_135.exe
C:\installerwnusnewer.exe
C:\WINDOWS\SYSTEM32\gtool.dll
C:\919_133.exe
C:\ipww.exe
C:\WINDOWS\SYSTEM32\scrrun.exe
C:\fhayhktt.exe
C:\lcqh.exe
C:\WINDOWS\SYSTEM32\z15.exe
C:\WINDOWS\SYSTEM32\474E74.dll
C:\WINDOWS\SYSTEM32\cmd32.exe
C:\crnab.exe
C:\WINDOWS\SYSTEM32\z16.exe
C:\hbtf.exe
C:\cqxix.exe
C:\WINDOWS\SYSTEM32\msrd2x35.exe
C:\pyqjdt.exe
C:\pvmbmww.exe
C:\sbenlb.exe
C:\WINDOWS\SYSTEM32\atmlib.exe
C:\803_104.exe
C:\WINDOWS\SYSTEM32\rk.exe
C:\WINDOWS\SYSTEM32\ieserv.exe
C:\WINDOWS\SYSTEM32\winpfg32.sys
C:\WINDOWS\vsijo.dll
C:\WINDOWS\SYSTEM32\tphe472a.sys
C:\WINDOWS\SYSTEM32\Fastmp3_Setup1.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\SYSTEM32\nsk149.dll
C:\WINDOWS\SYSTEM32\nsg14D.dll
C:\WINDOWS\SYSTEM32\nsk149.exe
C:\WINDOWS\SYSTEM32\LZX32.SYS

Folders to delete:
C:\Program Files\Common Files\uimw


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied into this window.
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • Restarts your computer twice.
  • On reboot, it briefly opens a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log. :flowers:
Hi there, stranger!

#8 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:55 AM

Posted 01 October 2006 - 11:10 AM

Here is my log from Avenger: unfortunately, i don't know what happened during the process, but once i log in to any of my user names i get that black command box..but i know u said it was normal.....one problem, it won't go away, at all. The desktops don't load and the cmd command box is always there. I managed to get the log file from the command box though.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lfkyafhx

*******************

Script file located at: \??\C:\ftjkmxfn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\LZX32 not found!
Unload of driver LZX32 failed!

Could not process line:
LZX32
Status: 0xc0000034

File C:\WINDOWS\icont.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\svchostx.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\svchostp.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\svchosts.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\suchost.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\z12.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\z12.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\z12.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\spibohst.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\spibohst.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\spibohst.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\37E39.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\37E39.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\37E39.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\z14.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\z14.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\z14.exe
Status: 0xc0000034



File C:\Installer4.exe not found!
Deletion of file C:\Installer4.exe failed!

Could not process line:
C:\Installer4.exe
Status: 0xc0000034

File C:\921_135.exe deleted successfully.
File C:\installerwnusnewer.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\gtool.dll deleted successfully.
File C:\919_133.exe deleted successfully.


File C:\ipww.exe not found!
Deletion of file C:\ipww.exe failed!

Could not process line:
C:\ipww.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\scrrun.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\scrrun.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\scrrun.exe
Status: 0xc0000034



File C:\fhayhktt.exe not found!
Deletion of file C:\fhayhktt.exe failed!

Could not process line:
C:\fhayhktt.exe
Status: 0xc0000034



File C:\lcqh.exe not found!
Deletion of file C:\lcqh.exe failed!

Could not process line:
C:\lcqh.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\z15.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\z15.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\z15.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\474E74.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\474E74.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\474E74.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\cmd32.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\cmd32.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\cmd32.exe
Status: 0xc0000034



File C:\crnab.exe not found!
Deletion of file C:\crnab.exe failed!

Could not process line:
C:\crnab.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\z16.exe deleted successfully.
File C:\hbtf.exe deleted successfully.
File C:\cqxix.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\msrd2x35.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\msrd2x35.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\msrd2x35.exe
Status: 0xc0000034

File C:\pyqjdt.exe deleted successfully.
File C:\pvmbmww.exe deleted successfully.
File C:\sbenlb.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\atmlib.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\atmlib.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\atmlib.exe
Status: 0xc0000034



File C:\803_104.exe not found!
Deletion of file C:\803_104.exe failed!

Could not process line:
C:\803_104.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\rk.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\rk.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\rk.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\ieserv.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\winpfg32.sys deleted successfully.
File C:\WINDOWS\vsijo.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\tphe472a.sys deleted successfully.


File C:\WINDOWS\SYSTEM32\Fastmp3_Setup1.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\Fastmp3_Setup1.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\Fastmp3_Setup1.exe
Status: 0xc0000034

File C:\WINDOWS\iun6002.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\nsk149.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\nsg14D.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\nsk149.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\LZX32.SYS deleted successfully.
Folder C:\Program Files\Common Files\uimw deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lfkyafhx

*******************

Script file located at: \??\C:\ftjkmxfn.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
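
The Avenger script in post #7 and the avenger.txt that came back above can be reconciled mechanically instead of by eye. The following Python is an added example written for this page; it is not code from The Avenger or from anyone in the thread. It parses the script's section headers, picks the `deleted successfully` lines and the `Could not process line:` / target / `Status:` triples out of the log, and decodes the one status code the log shows, 0xc0000034, which is the NT status STATUS_OBJECT_NAME_NOT_FOUND (the path or registry key did not exist). The sample script and log embedded below are shortened excerpts of the ones posted above.

```python
"""Reconcile an Avenger script against its avenger.txt output.

Added example for this page; not code from The Avenger or from the thread.
"""
import re

# NT status codes Avenger prints on failure (only the one seen in the posted log).
NT_STATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Shortened excerpt of the script posted in this thread.
SAMPLE_SCRIPT = r"""
Drivers to unload:
LZX32

Files to delete:
C:\WINDOWS\icont.exe
C:\WINDOWS\SYSTEM32\z12.exe
C:\WINDOWS\SYSTEM32\LZX32.SYS

Folders to delete:
C:\Program Files\Common Files\uimw
"""

# Shortened excerpt of the avenger.txt posted in reply.
SAMPLE_LOG = r"""
Registry key \Registry\Machine\System\CurrentControlSet\Services\LZX32 not found!
Unload of driver LZX32 failed!

Could not process line:
LZX32
Status: 0xc0000034

File C:\WINDOWS\icont.exe deleted successfully.

File C:\WINDOWS\SYSTEM32\z12.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\z12.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\z12.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\LZX32.SYS deleted successfully.
Folder C:\Program Files\Common Files\uimw deleted successfully.

Completed script processing.
"""

SECTION_RE = re.compile(r"^(Drivers to unload|Files to delete|Folders to delete):$")
OK_RE = re.compile(r"^(?:File|Folder) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_script(text):
    """Map each Avenger section header to the targets listed under it."""
    sections, current = {}, None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Return {target: ("deleted", None) or ("failed", status name)}."""
    outcome = {}
    lines = [raw.strip() for raw in text.strip().splitlines()]
    for i, line in enumerate(lines):
        m = OK_RE.match(line)
        if m:
            outcome[m.group(1)] = ("deleted", None)
        elif line == "Could not process line:" and i + 2 < len(lines):
            # Avenger prints the offending script line, then its NT status.
            s = STATUS_RE.match(lines[i + 2])
            if s:
                code = int(s.group(1), 16)
                outcome[lines[i + 1]] = ("failed", NT_STATUS.get(code, s.group(1)))
    return outcome


def reconcile(script_text, log_text):
    """One row per requested target: (section, target, status, detail)."""
    outcome = parse_log(log_text)
    report = []
    for section, targets in parse_script(script_text).items():
        for target in targets:
            status, detail = outcome.get(target, ("no result", None))
            report.append((section, target, status, detail))
    return report


def counts(report):
    """Tally of deleted / failed / no result across the report."""
    tally = {"deleted": 0, "failed": 0, "no result": 0}
    for _, _, status, _ in report:
        tally[status] += 1
    return tally


if __name__ == "__main__":
    for row in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(row)
    print(counts(reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)))
```

Run against the full script and log, the report lists every requested path once with its outcome, and a "no result" row means the log said nothing about that target. In the log posted above the LZX32 service key was already gone (unload failed with object name not found) while LZX32.SYS was still on disk and was deleted, which the reconciliation shows as one failed and one deleted row for the same rootkit component.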

#9 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:55 AM

Posted 01 October 2006 - 11:12 AM

Here is my new HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:36 PM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.D9Q6VT31\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=cmd.exe
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...cab?id=12898562
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {349AE9FE-0C1E-3DB0-050B-4DB85EC8E8BB} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
O16 - DPF: {690F6E87-3134-4D3B-10B6-07081AFE87E7} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: bwv0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ati3duag.exe - Unknown owner - C:\WINDOWS\system32\ati3duag.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVsaXNzYSBQdWpv\command.exe
O23 - Service: fxsmon.exe - Unknown owner - C:\WINDOWS\system32\fxsmon.exe (file missing)
O23 - Service: icmui.exe - Unknown owner - C:\WINDOWS\system32\icmui.exe (file missing)
O23 - Service: kbdhu1.exe - Unknown owner - C:\WINDOWS\system32\kbdhu1.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: licmgr10.exe - Unknown owner - C:\WINDOWS\system32\licmgr10.exe (file missing)
O23 - Service: lprmonui.exe - Unknown owner - C:\WINDOWS\system32\lprmonui.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: msdtcprx.exe - Unknown owner - C:\WINDOWS\system32\msdtcprx.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: oddbse32.exe - Unknown owner - C:\WINDOWS\system32\oddbse32.exe (file missing)
O23 - Service: oleprn.exe - Unknown owner - C:\WINDOWS\system32\oleprn.exe (file missing)
O23 - Service: usrcntra.exe - Unknown owner - C:\WINDOWS\system32\usrcntra.exe (file missing)
O23 - Service: version.exe - Unknown owner - C:\WINDOWS\system32\version.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmpcd.exe - Unknown owner - C:\WINDOWS\system32\wmpcd.exe (file missing)

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:55 PM

Posted 02 October 2006 - 01:35 AM

Go ahead and delete Avenger.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please run a scan with HijackThis and check the following objects for removal:

F2 - REG:system.ini: Shell=cmd.exe
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\gtool.dll (file missing)
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...cab?id=12898562
O16 - DPF: {349AE9FE-0C1E-3DB0-050B-4DB85EC8E8BB} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
O16 - DPF: {690F6E87-3134-4D3B-10B6-07081AFE87E7} - http://66.230.175.129/1/gdnUS2089.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...ler/install.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

-----

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
sc stop ati3duag.exe
sc delete ati3duag.exe
sc stop "Command Service"
sc delete cmdService
sc stop fxsmon.exe
sc delete fxsmon.exe
sc stop icmui.exe
sc delete icmui.exe
sc stop kbdhu1.exe
sc delete kbdhu1.exe
sc stop licmgr10.exe
sc delete licmgr10.exe
sc stop lprmonui.exe
sc delete lprmonui.exe
sc stop msdtcprx.exe
sc delete msdtcprx.exe
sc stop "Network Monitor"
sc delete "Network Monitor"
sc stop oddbse32.exe
sc delete oddbse32.exe
sc stop oleprn.exe
sc delete oleprn.exe
sc stop usrcntra.exe
sc delete usrcntra.exe
sc stop version.exe
sc delete version.exe
sc stop wmpcd.exe
sc delete wmpcd.exe

Double-click on Removeservice.bat. A window will pop up and close. This is normal. Please reboot.

-------

Please download and save Blacklight to your desktop:
  • Double-click blbeta.exe.
  • Accept the agreement.
  • Click Scan.
  • Click Next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.

------

Also post the following log with it:
  • Open HiJackThis
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the list from the notebook onto your post along with the BlackLight results. :thumbsup:

Hi there, stranger!

#11 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:55 AM

Posted 02 October 2006 - 11:56 AM

Here is my BlackLight log file:

10/02/06 12:16:25 [Info]: BlackLight Engine 1.0.47 initialized
10/02/06 12:16:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/02/06 12:16:25 [Note]: 7019 4
10/02/06 12:16:25 [Note]: 7005 0
10/02/06 12:16:31 [Note]: 7006 0
10/02/06 12:16:31 [Note]: 7011 2812
10/02/06 12:16:32 [Note]: 7026 0
10/02/06 12:16:32 [Note]: 7026 0
10/02/06 12:16:32 [Note]: 7024 3
10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\xxcdwy.exe
10/02/06 12:16:32 [Note]: 7024 3
10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe
10/02/06 12:16:32 [Note]: 7024 3
10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe
10/02/06 12:16:32 [Note]: 7024 3
10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe
10/02/06 12:16:32 [Note]: FSRAW library version 1.7.1020
10/02/06 12:20:08 [Info]: Hidden file: c:\Documents and Settings\All Users\Start Menu\Programs\Startup\pfned.exe
10/02/06 12:20:08 [Note]: 10002 1
10/02/06 12:35:54 [Info]: Hidden file: c:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1\vsijo.dll
10/02/06 12:35:54 [Note]: 10002 1
10/02/06 12:39:46 [Info]: Hidden file: c:\WINDOWS\vsijo.dll
10/02/06 12:39:46 [Note]: 10002 1
10/02/06 12:41:11 [Info]: Hidden file: C:\WINDOWS\system32\ohshw.exe
10/02/06 12:41:11 [Note]: 10002 1
10/02/06 12:41:24 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\efcdoha.dll
10/02/06 12:41:24 [Note]: 10002 1
10/02/06 12:42:51 [Info]: Hidden file: C:\WINDOWS\system32\xxcdwy.exe
10/02/06 12:42:51 [Note]: 10002 1
10/02/06 12:42:55 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ycalheo.exe
10/02/06 12:42:55 [Note]: 10002 1


*and here is my HJT log that u told me to put here along with the blacklight log:

.............didn't show anything after it said scan complete. I don't know if that is supposed to happen or not but there was nothing in the log.

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:55 PM

Posted 02 October 2006 - 12:06 PM

Please run another BlackLight scan with the earlier instructions. Now, this time, make sure you RENAME all the files found in the scan and then click Next.

Then, once that is finished, please reboot and post a fresh HijackThis log :thumbsup:

Edited by Rawe, 02 October 2006 - 12:07 PM.

Hi there, stranger!

#13 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:55 AM

Posted 02 October 2006 - 05:27 PM

It's not letting me re-do the scan now...just states that the blacklight program can't continue because of the following choices:

-my computer's privileges won't let me access the program
-a malicious program is stopping me from using it.

i've tried downloading it over and over but still the same error...so i don't know what to do now.

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:55 PM

Posted 03 October 2006 - 04:48 AM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button. Also check the "Unregister .dll before deletion" just before deleting the files
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\WINDOWS\SYSTEM32\efcdoha.dll
    c:\WINDOWS\vsijo.dll
    c:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1\vsijo.dll
    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\pfned.exe
    C:\WINDOWS\system32\ohshw.exe
    C:\WINDOWS\system32\xxcdwy.exe
    c:\WINDOWS\SYSTEM32\ycalheo.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

------

Please download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit.exe file and allow to run the Express scan.
  • This will scan the files currently running in memory and when something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured. (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a fresh HijackThis log. :thumbsup:

Hi there, stranger!
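
The BlackLight log in post #11 and the Killbox paste list in post #14 are two views of the same data: every `Hidden file:` entry, listed once. The Python below is an added example written for this page; it is not BlackLight or Killbox code and was not posted by anyone in the thread. It pulls the hidden-process and hidden-file entries out of the log, de-duplicates them case-insensitively (BlackLight printed the same file as both `system32` and `SYSTEM32`), and cross-references the two sets so that a hidden process whose image never appeared in the file scan is still on the action list, and a hidden file sitting in a Startup folder is called out. The sample lines are copied from the log posted above.

```python
"""Summarize an F-Secure BlackLight log into a de-duplicated action list.

Added example for this page; not BlackLight or Killbox code, not from the thread.
"""
import re

# Lines copied from the BlackLight log posted in this thread (only the relevant ones).
SAMPLE_BLACKLIGHT = [
    "10/02/06 12:16:25 [Info]: BlackLight Engine 1.0.47 initialized",
    "10/02/06 12:16:32 [Note]: 7024 3",
    r"10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\xxcdwy.exe",
    r"10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe",
    r"10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe",
    r"10/02/06 12:16:32 [Info]: Hidden process: C:\WINDOWS\system32\ohshw.exe",
    r"10/02/06 12:20:08 [Info]: Hidden file: c:\Documents and Settings\All Users\Start Menu\Programs\Startup\pfned.exe",
    "10/02/06 12:20:08 [Note]: 10002 1",
    r"10/02/06 12:35:54 [Info]: Hidden file: c:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1\vsijo.dll",
    r"10/02/06 12:39:46 [Info]: Hidden file: c:\WINDOWS\vsijo.dll",
    r"10/02/06 12:41:11 [Info]: Hidden file: C:\WINDOWS\system32\ohshw.exe",
    r"10/02/06 12:41:24 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\efcdoha.dll",
    r"10/02/06 12:42:51 [Info]: Hidden file: C:\WINDOWS\system32\xxcdwy.exe",
    r"10/02/06 12:42:55 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\ycalheo.exe",
]

# "<date> <time> [Info]: Hidden process: <path>" or "... Hidden file: <path>"
HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden (process|file): (.+)$")
# Lower-case marker for the all-users and per-user Startup folders
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_hidden(lines):
    """Return (processes, files) as lists, case-insensitively de-duplicated,
    keeping the first spelling BlackLight printed for each path."""
    processes, files = {}, {}
    for line in lines:
        m = HIDDEN_RE.match(line)
        if not m:
            continue
        kind, path = m.groups()
        bucket = processes if kind == "process" else files
        bucket.setdefault(path.lower(), path)
    return list(processes.values()), list(files.values())


def action_list(lines):
    """Paths to hand to a delete-on-reboot tool: every hidden file once, plus any
    hidden process whose image the file scan did not also report."""
    processes, files = parse_hidden(lines)
    known = {f.lower() for f in files}
    return files + [p for p in processes if p.lower() not in known]


def summarize(lines):
    """Counts and the cross-references a helper looks at before acting."""
    processes, files = parse_hidden(lines)
    known = {f.lower() for f in files}
    return {
        "hidden_processes": len(processes),
        "hidden_files": len(files),
        # a hidden process backed by a hidden on-disk image is the usual rootkit picture
        "processes_with_hidden_image": [p for p in processes if p.lower() in known],
        # anything in a Startup folder re-launches at every logon
        "startup_items": [f for f in files if STARTUP_MARKER in f.lower()],
    }


if __name__ == "__main__":
    for path in action_list(SAMPLE_BLACKLIGHT):
        print(path)
    print(summarize(SAMPLE_BLACKLIGHT))
```

On the posted log this yields the same seven paths Rawe listed for Killbox, and both hidden processes (xxcdwy.exe and ohshw.exe) are backed by hidden files, which is why renaming or deleting them on reboot rather than in the running session is the sensible order.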

#15 NovaPulse

NovaPulse
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:55 AM

Posted 04 October 2006 - 08:10 PM

Sorry for the delay, the Dr.web was acting up on me but anyways...here is my Dr.Web log:


axdzoncA.exe;C:\WINDOWS;Adware.Bagon;Incurable.Moved.;
iaircl.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Moved.;
deskbar.dll;C:\Program Files\Deskbar;Adware.Softomate;Incurable.Moved.;
axdzonc.exe;C:\WINDOWS;Adware.Bagon;Incurable.Moved.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
uninstall.exe;C:\Program Files\blstoolbar;Adware.VMN;Incurable.Moved.;
qufyz.html\Javascript.0;C:\Program Files\Common Files\qufyz.html;Trojan.Click.1237;;
qufyz.html;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
ibm00002.dll;C:\Program Files\Common Files\Microsoft Shared\Web Folders;Probably DLOADER.PWS.Trojan;Incurable.Moved.;
ibm00004.dll;C:\Program Files\Common Files\Microsoft Shared\Web Folders;Probably DLOADER.PWS.Trojan;Incurable.Moved.;
ibm00004.exe;C:\Program Files\Common Files\Microsoft Shared\Web Folders;Trojan.PWS.Snap;Deleted.;
deskbar.dll;C:\Program Files\Deskbar;Adware.Softomate;;
optimize.exe;C:\Program Files\Internet Optimizer;Trojan.Dyfuca;Deleted.;
niwymaw.dll;C:\Program Files\Messenger;Adware.Dh;Incurable.Moved.;
nicowim.html\Javascript.0;C:\Program Files\Online Services\nicowim.html;Trojan.Click.1237;;
nicowim.html;C:\Program Files\Online Services;Archive contains infected objects;Moved.;
PSDream.exe;C:\Program Files\PSDream;Adware.SearchAid;Incurable.Moved.;
bkf.exe;C:\Program Files\softnyx\GunBound;Probably DLOADER.Trojan;Incurable.Moved.;
sdcmon.dll;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
tgcmd.exe;C:\Program Files\Support.com\bin;Probably DLOADER.Trojan;Incurable.Moved.;
IUCmore.dll;C:\Program Files\TheSearchAccelerator;Adware.Ucmore;Incurable.Moved.;
UCMTSAIE.dll;C:\Program Files\TheSearchAccelerator;Adware.Ucmore;Incurable.Moved.;
919_133.exe\data001;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1\919_133.exe;Trojan.Dyfuca;;
919_133.exe;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Archive contains infected objects;Moved.;
icont.exe;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Adware.AddUrl;Incurable.Moved.;
LZX32.SYS;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Trojan.Spambot;Deleted.;
nsk149.exe;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Probably DLOADER.Trojan;Incurable.Moved.;
sbenlb.exe;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Probably DLOADER.Trojan;Incurable.Moved.;
suchost.exe;C:\RECYCLER\S-1-5-21-54257737-856086549-2117787052-1007\Dc1;Probably DLOADER.Trojan;Incurable.Moved.;


Also, here is my fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:19 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.D9Q6VT31\Desktop\New Folder\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ohshw.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,ycalheo.exe
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O18 - Protocol: bwv0s - {861FD453-0C8A-4594-8B7D-06E0C21654A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVsaXNzYSBQdWpv\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: pautoenr.exe - Unknown owner - C:\WINDOWS\system32\pautoenr.exe
O23 - Service: version.exe - Unknown owner - C:\WINDOWS\system32\version.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\axdzonc.exe (file missing)
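
Two kinds of HijackThis entry carry most of the weight in this thread: the F2 `Shell=` and `UserInit=` values (the 1 October log had `Shell=cmd.exe`, so winlogon started a command prompt instead of Explorer, and the log just above has extra executables chained onto both values) and the O23 services with an "Unknown owner". The Python below is an added example written for this page; it is not HijackThis code and was not posted by anyone in the thread. It flags F2 values beyond the Windows defaults, lists the publisher-less O23 services, and generates the `sc stop` / `sc delete` batch of post #10 from the parsed lines rather than by hand, using the service key name, which HijackThis shows in parentheses after the display name when the two differ and which is the name `sc.exe` addresses services by. Sample lines are taken from the logs posted in this thread.

```python
"""Triage helpers for HijackThis 1.99 log lines and a generated sc.exe batch.

Added example for this page; not HijackThis code and not from the thread.
"""
import re

# Lines taken from the HijackThis logs posted in this thread (not complete logs).
SAMPLE_HJT = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ohshw.exe",
    r"F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,ycalheo.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVsaXNzYSBQdWpv\command.exe (file missing)",
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
    r"O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)",
    r"O23 - Service: pautoenr.exe - Unknown owner - C:\WINDOWS\system32\pautoenr.exe",
    r"O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe",
]

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
# HijackThis prints "Display Name (KeyName)" when the two differ, otherwise one name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def _is_default(key, value):
    """Windows defaults: Shell is exactly Explorer.exe; UserInit is userinit.exe
    under system32. A full path to some other Explorer.exe is not default."""
    v = value.lower()
    if key == "Shell":
        return v == "explorer.exe"
    return v == "userinit.exe" or v.endswith("\\system32\\userinit.exe")


def f2_extras(lines):
    """(key, value) for every Shell=/UserInit= entry beyond the defaults.
    Each one is launched by winlogon at logon, so each must be accounted for."""
    extras = []
    for line in lines:
        m = F2_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        for value in (v.strip() for v in raw.split(",")):
            if value and not _is_default(key, value):
                extras.append((key, value))
    return extras


def parse_o23(line):
    """Split an O23 line into display name, sc.exe key name, owner, path, missing flag."""
    m = O23_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "display": d["display"],
        "name": d["key"] or d["display"],  # what sc.exe expects
        "owner": d["owner"],
        "path": d["path"],
        "missing": d["missing"] is not None,
    }


def unknown_owner_services(lines):
    """O23 services with no publisher string, the shape of the rogue entries here."""
    return [s for s in map(parse_o23, lines) if s and s["owner"] == "Unknown owner"]


def removal_batch(services):
    """Generate the sc stop / sc delete batch from parsed services. Building it
    from the log avoids transcription slips; a key name containing a space is
    quoted, as cmd.exe requires."""
    out = ["@echo off"]
    for svc in services:
        name = f'"{svc["name"]}"' if " " in svc["name"] else svc["name"]
        out.append(f"sc stop {name}")
        out.append(f"sc delete {name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(f2_extras(SAMPLE_HJT))
    print(removal_batch(unknown_owner_services(SAMPLE_HJT)))
```

The "(file missing)" flag is kept per service because a service whose binary is already gone still has a registry entry that `sc delete` must remove, while one whose binary is present (pautoenr.exe above) still needs the file dealt with after the service is gone.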



