Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Look2me - Virus Or Spyware?


  • Please log in to reply
17 replies to this topic

#1 jexgar

jexgar

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 16 April 2007 - 02:10 AM

I am using XP on a Toshiba Satellite Laptop 2405

Here are the HijackTHis and PandaScan Logs. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:55:59 PM, on 04/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.ChicagoTitle.Com
O15 - Trusted Zone: *.SitexData.Com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Incident Status Location

Adware:adware/igetnet Not disinfected C:\WINDOWS\system32\NLNP!3.exe
Adware:adware/azesearch Not disinfected c:\windows\system32\azebar.xml
Adware:adware/ezula Not disinfected c:\windows\system32\ezPopStub.exe
Adware:adware/sbsoft Not disinfected c:\windows\downloaded program files\webdlg32.dll
Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
Adware:adware/gator Not disinfected c:\windows\FT1_02_0_402_GEPFAH.EXE
Adware:adware/enhancemsearch Not disinfected c:\windows\Helper101.dll
Adware:adware/spywarenuker Not disinfected c:\windows\icont.exe
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/ncase Not disinfected c:\windows\system32\FLEOK
Adware:adware/opensite Not disinfected c:\program files\Open Site
Adware:adware/cws Not disinfected C:\Documents and Settings\Suteebuh\Favorites\Health
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/portalscan Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/omi Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/searchforit Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/topconvert Not disinfected Windows Registry
Adware:adware/superspider Not disinfected Windows Registry
Adware:adware/zango Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/twain-tech Not disinfected Windows Registry
Adware:adware/localnrd Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/downloadware Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Adware:adware/savenow Not disinfected Windows Registry
Spyware:spyware/commonname Not disinfected Windows Registry
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll
Adware:Adware/WinAD Not disinfected C:\Program Files\Netscape\Netscape\plugins\npzango.dll
Possible Virus. Not disinfected C:\Te1mp\Hijackthis\backup-20030720-225416-296.dll
Adware:Adware/IST.ISTBar Not disinfected C:\Te1mp\Hijackthis\backups\backup-20041207-010330-832.inf
Adware:Adware/IST.ISTBar Not disinfected C:\Te1mp\Hijackthis\backups\backup-20041207-010331-326.inf
Adware:Adware/AzeSearch Not disinfected C:\WINDOWS\Downloaded Program Files\azesearch.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.dll
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\webdlg32.dll
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\webdlg32.inf
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\webdlg32.dll
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\webdlg32.inf
Adware:Adware/Exact.Funcade Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[funcade.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][msbe.dll]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][nvms.dll]
Adware:Adware/eZula Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][mscb.dll]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][exdl.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][exul.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][trkgif.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][autoheal.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][autoheal.exe][angelex.exe]
Hacktool:HackTool/SRunner.B Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][autoheal.exe][instsrv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][autoheal.exe][msexreg.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][adp8033_EMARKETMKR.exe][bargains.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][adp8033_EMARKETMKR.exe][adv.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][adp8033_EMARKETMKR.exe][adx.exe]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][nls8033_EMARKETMKR.exe][nls.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][cashback.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][cb.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][flash.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][bb_welcome.html]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][bb_welcome1.swf]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][cb8033_EMARKETMKR.exe][icon.gif]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\Downloaded Program Files\funcade_EMARKETMKR_install.exe[package8033_EMARKETMKR.exe][exclean.exe]
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Adware:Adware/SBSoft Not disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\arsldpc(2).dll
Spyware:Spyware/CouponAge Not disinfected C:\WINDOWS\system32\carules.dll
Spyware:Spyware/CouponAge Not disinfected C:\WINDOWS\system32\casync.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\ccnfmsp.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\ciypt32(2).dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\cyrsrv.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\desynth.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dFnim.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dpiman32.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\drsynth.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dunaddr.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dvvacm.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dYd9.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dyrgui.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\epentprf.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\fhsapi.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\fnsmon.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\h8j40i1qe8.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\hxfcisp2.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\igagehlp.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\igakui.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\ilwphbk.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\iwakeng.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\iysecsvc(2).dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\jHvaee.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lG6olaj31do.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lglst11n.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lhkrn12n.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\llimg12n.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lmkodak.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lYngwrbk.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\mfwmdmsp.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\MKC42ENU.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\mo43dmod.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\mvfutil.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\myc71u.dll
Adware:Adware/IGetNet Not disinfected C:\WINDOWS\system32\NLNP13.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\nodll.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\nssdexts.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\ofcache.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\oxe2nls.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\Rigobj.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\skhannel.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\symsg.dll
Adware:Adware/XPlugin Not disinfected C:\WINDOWS\system32\t239478.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\tlkwks.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\TTEVDETECT.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\UJLMON(4).DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\wewfaxui.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\wlaueng1.dll
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\wloiz.dll
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\wloizf.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\wP2time(2).dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\wyssvc.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\xrob2res.dll

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 16 April 2007 - 06:34 AM

Welcome to the BleepingComputer HijackThis forum jexgar :thumbsup:

Please download Look2Me-Destroyer.exe.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to "Run this program as a task".
You will receive a message saying 'Look2Me-Destroyer will close and re-open in approximately 1 minute'. Click OK
When Look2Me-Destroyer re-opens, click the 'Scan for L2M' button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the 'Remove L2M' button.
You will receive a 'Done Scanning' message, click OK.
When completed, you will receive this message: 'Done removing infected files! L2Me-Destroyer will now shutdown your computer', click OK.
Your computer will then shutdown.
Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

Please post the contents of C:\Look2Me-Destroyer.txt into your next reply,along with a new Hijackthis log please.
Posted Image
Posted Image

#3 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 16 April 2007 - 10:40 AM

Thanks for thehelp.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/16/2007 7:03:07 AM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BB218A9F-362F-47A8-8BFC-D389D6B056B4}"
HKCR\Clsid\{BB218A9F-362F-47A8-8BFC-D389D6B056B4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E974115A-73E5-4DA0-AA6F-CBA763BF4405}"
HKCR\Clsid\{E974115A-73E5-4DA0-AA6F-CBA763BF4405}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{29D8D4B3-ED33-4C10-AD2C-6CB79A2D0817}"
HKCR\Clsid\{29D8D4B3-ED33-4C10-AD2C-6CB79A2D0817}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 8:36:21 AM, on 04/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.ChicagoTitle.Com
O15 - Trusted Zone: *.SitexData.Com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 16 April 2007 - 11:40 AM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

*************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the AVG Anti-Spyware report,the C:\ComboFix.txt,and a new Hijackthis log into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Let me know how your pc is running now please.
Posted Image
Posted Image

#5 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 16 April 2007 - 07:37 PM

The computer is a bit better, but still runnung slow.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:58:15 PM 04/16/2007

+ Scan result:



HKLM\SOFTWARE\SecureWin -> Adware.Adlogix : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wloiz.dll -> Adware.Adstart : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wloizf.exe -> Adware.Adstart : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AzEntretienCo -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AzEntretienCo\AzEntretien -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader.1 -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader\CLSID -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AzEntretien.Loader\CurVer -> Adware.Azesearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\carules.dll -> Adware.Couponage : Cleaned with backup (quarantined).
C:\WINDOWS\system32\casync.dll -> Adware.Couponage : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cacore.dll -> Adware.Coupons : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Offer -> Adware.Ezula : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NLNP!3.exe -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NLNP13.dll -> Adware.IGetNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} -> Adware.MWSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-2355909145-4036164967-2400528619-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F65B197F-8260-4D52-909A-F70118E646EB} -> Adware.MWSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\webdlg32.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\webdlg32.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\webdlg32.dll -> Adware.SBSoft : Cleaned with backup (quarantined).
HKU\S-1-5-21-2355909145-4036164967-2400528619-1005\Software\Bundles -> Adware.SecondThought : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ieatgpc.dll -> Adware.WebEx : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Netscape\Netscape\plugins\npzango.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\system32\t239478.exe -> Dropper.Esepor.b : Cleaned with backup (quarantined).
C:\WINDOWS\Helper101.dll -> Hijacker.Delf.r : Cleaned with backup (quarantined).


::Report end

"Suteebuh" - 07-04-16 15:38:22 Service Pack 2
ComboFix 07-04-16.3.V - Running from: C:\Documents and Settings\Suteebuh\Desktop\


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\rave\avirexe.vdm
C:\WINDOWS\DOWNLO~1.\rave\avirscr.vdm
C:\WINDOWS\DOWNLO~1.\rave\base.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdt
C:\WINDOWS\DOWNLO~1.\rave\filters.vdm
C:\WINDOWS\DOWNLO~1.\rave\kernel.vdk
C:\WINDOWS\DOWNLO~1.\rave\keyring.vdk
C:\WINDOWS\DOWNLO~1.\rave\mapi_vdm.vdm
C:\WINDOWS\DOWNLO~1.\rave\modules.vdk
C:\WINDOWS\DOWNLO~1.\rave\rav8def.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufs.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufsplg.vdm
C:\WINDOWS\DOWNLO~1.\rave\unarch.vdm
C:\WINDOWS\DOWNLO~1.\rave\unmail.vdm
C:\WINDOWS\DOWNLO~1.\rave\unpack.vdm
C:\Program Files\install.log
C:\WINDOWS\DOWNLO~1.\rave


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm
-------\NwSapAgent
-------\LEGACY_NWSAPAGENT


((((((((((((((((((((((((((((((( Files Created from 2007-03-16 to 2007-04-16 ))))))))))))))))))))))))))))))))))


2007-04-16 12:43 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-16 11:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 08:42 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-16 08:43 4212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Tpwrtray"="TPWRTRAY.EXE"
"WG511WLU"="C:\\Program Files\\NETGEAR\\WG511\\Utility\\WG511WLU.exe -hide"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"location"="Common Startup"
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Check Messnger.lnk]
"backup"="C:\\WINDOWS\\pss\\Check Messnger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\G7PS\\SHARED~1\\Qchex\\Qchex.exe "
"item"="Check Messnger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Toolbar.LNK]
"backup"="C:\\WINDOWS\\pss\\eBay Toolbar.LNKCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\DOWNLO~1\\eBayTBar.exe "
"item"="eBay Toolbar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
"location"="Common Startup"
"item"="GStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ngkffg.exe]
"location"="Common Startup"
"item"="ngkffg"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SysTray.lnk]
"backup"="C:\\WINDOWS\\pss\\SysTray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{8F156C85-23F2-4F13-89A6-B0B286D1B4CD}\\NewShortcut1_5221CCAB553E4E63B6FD56674A376D04_1.exe /startup"
"item"="SysTray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]
"location"="Common Startup"
"item"="ZoneAlarm Pro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Suteebuh^Start Menu^Programs^Startup^Corel Custom Photo Registration.lnk]
"backup"="C:\\WINDOWS\\pss\\Corel Custom Photo Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Corel\\CUSTOM~1\\Register\\Remind32.exe "
"item"="Corel Custom Photo Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Suteebuh^Start Menu^Programs^Startup^iMesh.lnk]
"location"="Startup"
"item"="iMesh"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="00THotkey"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\00THotkey.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\77ti39W]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsais11n"
"hkey"="HKLM"
"command"="lsais11n.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cxtpls_loader"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpqcmon"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="brctrcen"
"hkey"="HKLM"
"command"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P70]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CSV7P070"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DragDrop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DR_S]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DR_S"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EanthologyApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EANTHO~1"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ezSP_Px"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wo"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fknzqpfrcko]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fykanjo"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="point32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kalvsys]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kalvgfv32"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KaZaA Media Desktop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MPTBox"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msbb"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmc"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mw2sRVa5g]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="loont97"
"hkey"="HKCU"
"command"="loont97.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kavqqa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"inimapping"="0"
"command"="C:\\WINDOWS\\ServicePackFiles\\i386\\cfgwiz.exe /GUID NAV /CMDLINE \"REBOOT\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nntw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="demu"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPage]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="opware32"
"hkey"="HKLM"
"command"="C:\\Program Files\\Caere\\OmniPagePro90\\opware32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QAGENT"
"hkey"="HKLM"
"command"="C:\\quickenw\\QAGENT.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegMech"
"hkey"="HKLM"
"command"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /S"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rqhqtwl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rqhqtwl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\run_pbnext]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PBNext"
"hkey"="HKCU"
"command"="C:\\Program Files\\DelTel\\PBNext\\PBNext.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Hotkey]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s3hotkey"
"hkey"="HKLM"
"command"="s3hotkey.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3Tray2"
"hkey"="HKLM"
"command"="S3Tray2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saie]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="saie"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4RegManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scregmanager4"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4Tray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sctray4"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSfit]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSfit"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\T-Mobile RoamingClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TMobileCM"
"hkey"="HKCU"
"command"="C:\\Program Files\\T-Mobile\\Connection Manager\\TMobileCM.exe -d"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFncKy"
"hkey"="HKLM"
"command"="TFncKy.exe /Type 20"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TouchED"
"hkey"="HKLM"
"command"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBundleOuterDL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BundleOuter"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebScan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DEFSCA~1"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinAdServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winnet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WToolsA"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdtl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdtl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wloizc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wloizc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCWatch 4.0"=dword:00000002
"Retrospect Helper"=dword:00000002
"RetroLauncher"=dword:00000002
"MpService"=dword:00000002
"awhost32"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-16 16:06:53
C:\ComboFix-quarantined-files.txt ... 07-04-16 16:06

C:\WINDOWS\$NtServicePackUninstall$\user32.dll - 32173306185F603E75C477E117F3BB8D
C:\WINDOWS\$NtUninstallKB824141$\user32.dll - 68E1F4EF02DF52CA9C5E157045D23582

02-10-30 09:35	  265	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\keyring.vdk.vir
02-10-30 09:35	  265	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\modules.vdk.vir
03-02-25 08:54	  19135	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\filters.vdm.vir
03-02-25 08:54	  1956	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\mapi_vdm.vdm.vir
03-05-06 05:01	  112783	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unarch.vdm.vir
03-05-06 09:51	  98350	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\base.vdm.vir
03-06-04 09:24	  64967	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rufsplg.vdm.vir
03-06-17 10:31	  119120	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\avirscr.vdm.vir
03-06-24 01:34	  45209	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unmail.vdm.vir
03-06-24 01:34	  49628	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\kernel.vdk.vir
04-04-08 12:54	  1179	--a--c---	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
04-05-07 04:50	  158229	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unpack.vdm.vir
04-12-06 12:18	  22482	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rufs.vdm.vir
05-02-21 08:14	  1466329	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rav8def.vdm.vir
05-02-23 00:11	  305163	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\avirexe.vdm.vir
05-03-09 23:04	  180541	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\daily.vdt.vir
05-03-09 23:04	  440925	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\daily.vdm.vir
07-04-16 15:59	  1068	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NWSAPAGENT.reg.cf
07-04-16 15:59	  3636	--a------	C:\Qoobox\Quarantine\Registry_backups\services_NwSapAgent.reg.cf
07-04-16 15:59	  6652	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is F0CC-206D
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |	   INSTALL.LOG.vir
	|   |	   
	|   \---WINDOWS
	|	   \---DOWNLO~1
	|		   \---rave
	|				   avirexe.vdm.vir
	|				   avirscr.vdm.vir
	|				   base.vdm.vir
	|				   daily.vdm.vir
	|				   daily.vdt.vir
	|				   filters.vdm.vir
	|				   kernel.vdk.vir
	|				   keyring.vdk.vir
	|				   mapi_vdm.vdm.vir
	|				   modules.vdk.vir
	|				   rav8def.vdm.vir
	|				   rufs.vdm.vir
	|				   rufsplg.vdm.vir
	|				   unarch.vdm.vir
	|				   unmail.vdm.vir
	|				   unpack.vdm.vir
	|				   
	\---Registry_backups
			LEGACY_NWSAPAGENT.reg.cf
			services_nm.reg.cf
			services_NwSapAgent.reg.cf
Logfile of HijackThis v1.99.1
Scan saved at 5:35:06 PM, on 04/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\abc.bat
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.ChicagoTitle.Com
O15 - Trusted Zone: *.SitexData.Com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 16 April 2007 - 08:11 PM

Please download AproposFix Swandog46 from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer into Safe Mode.
Once in Safe Mode,please double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and double click on RunThis.bat. Follow the prompts.
When the tool is finished,please reboot back into normal mode.
Post a new HijackThis log,along with the entire contents of the log.txt file in the aproposfix folder.
Also let me know how your pc is running now please.
Posted Image
Posted Image

#7 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 16 April 2007 - 09:49 PM

Still slow.

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Suteebuh\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
Logfile of HijackThis v1.99.1
Scan saved at 7:47:17 PM, on 04/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\abc.bat
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.ChicagoTitle.Com
O15 - Trusted Zone: *.SitexData.Com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 17 April 2007 - 04:23 AM

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.

*Note*
Don't forget to re-enable your antivirus program.

***************************

DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right clicking on Deldomains.inf 'Install' it will have appeared nothing happened,this is normal.

***************************

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

***************************

Download\install and run Wise Registry Cleaner:
http://www.wisecleaner.com/

Once you've finished restart your pc.
Post the BitDefender Online Scanner log,and a new Hijackthis log in your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#9 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 17 April 2007 - 04:00 PM

Seems a bit better now.

Can't find theBitDefender Log.

Logfile of HijackThis v1.99.1
Scan saved at 1:58:19 PM, on 04/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 17 April 2007 - 04:13 PM

Click on Start/Run,type msconfig then press Ok.
Under the Startup tab if there are any boxes unchecked,please check them all.
Press Apply/Ok,restart your pc when prompted.

Now rescan with Combofix and post the new Combofix.txt into your next reply please.
Posted Image
Posted Image

#11 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 17 April 2007 - 06:18 PM

All those start ups have really slowed the computer down. I'm going to remove some unused programs.

"Suteebuh" - 07-04-17 14:36:41 Service Pack 2
ComboFix 07-04-16.3.V - Running from: C:\Documents and Settings\Suteebuh\Desktop\


((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 ))))))))))))))))))))))))))))))))))


2007-04-17 13:21 <DIR> d-------- C:\Program Files\Wise Registry Cleaner
2007-04-17 07:07 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-16 12:43 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-16 11:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 08:42 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-16 08:43 4212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-04-16 00:28 -------- d-------- C:\Program Files\google
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 13:17 185344 --a--c--- C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Tpwrtray"="TPWRTRAY.EXE"
"WG511WLU"="C:\\Program Files\\NETGEAR\\WG511\\Utility\\WG511WLU.exe -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"TFncKy"="TFncKy.exe /Type 20"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SecureClean4Tray"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
"SecureClean4RegManager"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
"S3TRAY2"="S3Tray2.exe"
"S3Hotkey"="s3hotkey.exe"
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /S"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"QAGENT"="C:\\quickenw\\QAGENT.EXE"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"OmniPage"="C:\\Program Files\\Caere\\OmniPagePro90\\opware32.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\WINDOWS\\ServicePackFiles\\i386\\cfgwiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"CamMonitor"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"77ti39W"="lsais11n.exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"T-Mobile RoamingClient"="C:\\Program Files\\T-Mobile\\Connection Manager\\TMobileCM.exe -d"
"run_pbnext"="C:\\Program Files\\DelTel\\PBNext\\PBNext.exe"
"Mw2sRVa5g"="loont97.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"location"="Common Startup"
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Check Messnger.lnk]
"backup"="C:\\WINDOWS\\pss\\Check Messnger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\G7PS\\SHARED~1\\Qchex\\Qchex.exe "
"item"="Check Messnger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBay Toolbar.LNK]
"backup"="C:\\WINDOWS\\pss\\eBay Toolbar.LNKCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\DOWNLO~1\\eBayTBar.exe "
"item"="eBay Toolbar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
"location"="Common Startup"
"item"="GStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ngkffg.exe]
"location"="Common Startup"
"item"="ngkffg"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SysTray.lnk]
"backup"="C:\\WINDOWS\\pss\\SysTray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{8F156C85-23F2-4F13-89A6-B0B286D1B4CD}\\NewShortcut1_5221CCAB553E4E63B6FD56674A376D04_1.exe /startup"
"item"="SysTray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]
"location"="Common Startup"
"item"="ZoneAlarm Pro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Suteebuh^Start Menu^Programs^Startup^Corel Custom Photo Registration.lnk]
"backup"="C:\\WINDOWS\\pss\\Corel Custom Photo Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Corel\\CUSTOM~1\\Register\\Remind32.exe "
"item"="Corel Custom Photo Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Suteebuh^Start Menu^Programs^Startup^iMesh.lnk]
"location"="Startup"
"item"="iMesh"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cxtpls_loader"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P70]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CSV7P070"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DragDrop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DR_S]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DR_S"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EanthologyApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EANTHO~1"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ezSP_Px"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wo"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fknzqpfrcko]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fykanjo"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kalvsys]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kalvgfv32"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KaZaA Media Desktop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MPTBox"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msbb"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmc"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kavqqa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nntw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="demu"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rqhqtwl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rqhqtwl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saie]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="saie"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSfit]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSfit"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBundleOuterDL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BundleOuter"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebScan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DEFSCA~1"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinAdServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winnet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WToolsA"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdtl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdtl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wloizc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wloizc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCWatch 4.0"=dword:00000002
"Retrospect Helper"=dword:00000002
"RetroLauncher"=dword:00000002
"MpService"=dword:00000002
"awhost32"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-17 15:34:30
C:\ComboFix-quarantined-files.txt ... 07-04-17 15:34
C:\ComboFix2.txt ... 07-04-16 16:19

C:\WINDOWS\$NtServicePackUninstall$\user32.dll - 32173306185F603E75C477E117F3BB8D
C:\WINDOWS\$NtUninstallKB824141$\user32.dll - 68E1F4EF02DF52CA9C5E157045D23582

#12 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 17 April 2007 - 06:20 PM

02-10-30 09:35	  265	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\keyring.vdk.vir

02-10-30 09:35	  265	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\modules.vdk.vir

03-02-25 08:54	  19135	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\filters.vdm.vir

03-02-25 08:54	  1956	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\mapi_vdm.vdm.vir

03-05-06 05:01	  112783	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unarch.vdm.vir

03-05-06 09:51	  98350	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\base.vdm.vir

03-06-04 09:24	  64967	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rufsplg.vdm.vir

03-06-17 10:31	  119120	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\avirscr.vdm.vir

03-06-24 01:34	  45209	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unmail.vdm.vir

03-06-24 01:34	  49628	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\kernel.vdk.vir

04-04-08 12:54	  1179	--a--c---	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir

04-05-07 04:50	  158229	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\unpack.vdm.vir

04-12-06 12:18	  22482	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rufs.vdm.vir

05-02-21 08:14	  1466329	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\rav8def.vdm.vir

05-02-23 00:11	  305163	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\avirexe.vdm.vir

05-03-09 23:04	  180541	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\daily.vdt.vir

05-03-09 23:04	  440925	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\rave\daily.vdm.vir

07-04-17 15:18	  216	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf

07-04-17 15:18	  564	--a------	C:\Qoobox\Quarantine\Registry_backups\services_NwSapAgent.reg.cf

07-04-17 15:18	  828	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NWSAPAGENT.reg.cf





Folder PATH listing

Volume serial number is F0CC-206D

C:\QOOBOX

\---Quarantine

	+---C

	|   +---Program Files

	|   |	   INSTALL.LOG.vir

	|   |	   

	|   \---WINDOWS

	|	   \---DOWNLO~1

	|		   \---rave

	|				   avirexe.vdm.vir

	|				   avirscr.vdm.vir

	|				   base.vdm.vir

	|				   daily.vdm.vir

	|				   daily.vdt.vir

	|				   filters.vdm.vir

	|				   kernel.vdk.vir

	|				   keyring.vdk.vir

	|				   mapi_vdm.vdm.vir

	|				   modules.vdk.vir

	|				   rav8def.vdm.vir

	|				   rufs.vdm.vir

	|				   rufsplg.vdm.vir

	|				   unarch.vdm.vir

	|				   unmail.vdm.vir

	|				   unpack.vdm.vir

	|				   

	\---Registry_backups

			LEGACY_NWSAPAGENT.reg.cf

			services_nm.reg.cf

			services_NwSapAgent.reg.cf


#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 18 April 2007 - 03:43 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"77ti39W"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"=-
"Mw2sRVa5g"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ngkffg.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fknzqpfrcko]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rqhqtwl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saie]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SYSfit]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBundleOuterDL]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdService]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winnet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdtl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wloizc]

Restart your pc,post a new Hijackthis log in your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#14 jexgar

jexgar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 18 April 2007 - 04:21 AM

Many errors upon bootup.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:28 AM, on 04/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PG_DB2\Binn\sqlservr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\quickenw\QAGENT.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Hijackthis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Suteebuh\Application Data\Mozilla\Profiles\default\kxb264np.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\quickenw\QAGENT.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\WINDOWS\ServicePackFiles\i386\cfgwiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [run_pbnext] C:\Program Files\DelTel\PBNext\PBNext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APBackUp (ApBackUp_Starter) - Unknown owner - C:\Program Files\ApBackUp\srvany.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 18 April 2007 - 04:35 AM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

*******************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the SuperAntiSpyware Scan Log,and the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
* Also post a new Hijackthis log please.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users