Help! Getting My Butt Kicked :(


11 replies to this topic

#1 geoffre

  • Members
  • 26 posts

Posted 25 April 2007 - 12:32 PM

Well, first of all, I'm new here, so hello everyone.
Anyway, I REALLY need help with this infection I have.
For 5 years now I have been running virus/spyware free...
All it took was one ZoneAlarm update with a downloaded keygen and poof!
With all restore points having been zapped into oblivion, I was out of luck and options.
BitDefender and AVG antivirus only seemed to make things worse, so they were terminated.
Kaspersky and Spybot seemed to work for a little while, but that all went down the drain also. And I just simply could not take a hundred warning messages popping up every 5 minutes. That, coupled with the fact that now my system runs like total ass, and I am near going insane. So here I am humbly asking you guys to help me fix all this. I appreciate it, guys~


I have my ComboFix log here:

"G30FF" - 07-04-25 12:27:15 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\G30FF\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\lprMSG.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\m.exe
C:\WINDOWS\764.exe
C:\Program Files\outerinfo\Terms.rtf
C:\windows\system32\explorer.exe
C:\WINDOWS\csvhost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\G30FF
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1\STEM~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1\s?mbols
C:\qoobox\purity\C\WINDOWS\SMBOLS~1\userinit.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\EXAMPLE
-------\General Socket Service
-------\nm
-------\Runtime
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_EXAMPLE
-------\LEGACY_GENERAL_SOCKET_SERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NM
-------\LEGACY_RUNTIME


((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))


2007-04-24 19:39 0 --a------ C:\WINDOWS\SYSTEM32\sl.bin
2007-04-24 19:35 36,352 --a------ C:\WINDOWS\SYSTEM32\__c0049F0D.dat
2007-04-24 19:34 9,728 --a------ C:\WINDOWS\cdsm32.dll
2007-04-24 19:34 8,448 --a------ C:\WINDOWS\SYSTEM32\vxddsk.exe
2007-04-24 19:34 8,192 --a------ C:\WINDOWS\salm.exe
2007-04-24 19:34 78 --a------ C:\WINDOWS\file.bat
2007-04-24 19:34 36,352 --a------ C:\WINDOWS\SYSTEM32\__c0071205.dat
2007-04-24 19:34 36,352 --a------ C:\WINDOWS\SYSTEM32\__c006D6BE.dat
2007-04-24 19:34 32,256 --a------ C:\WINDOWS\mspphe.dll
2007-04-24 19:34 30,720 --a------ C:\WINDOWS\7search.dll
2007-04-24 19:34 30,208 --a------ C:\WINDOWS\bi.dll
2007-04-24 19:34 28,160 --a------ C:\WINDOWS\stcloader.exe
2007-04-24 19:34 25,088 --a------ C:\WINDOWS\updatetc.exe
2007-04-24 19:34 21,504 --a------ C:\WINDOWS\pbar.dll
2007-04-24 19:34 21,248 --a------ C:\WINDOWS\swin32.dll
2007-04-24 19:34 19,200 --a------ C:\WINDOWS\saiemod.dll
2007-04-24 19:34 18,944 --a------ C:\WINDOWS\SYSTEM32\wml.exe
2007-04-24 19:34 17,408 --a------ C:\WINDOWS\wml.exe
2007-04-24 19:34 16,896 --a------ C:\WINDOWS\SYSTEM32\MSIXU.DLL
2007-04-24 19:34 16,640 --a------ C:\WINDOWS\SUSP.exe
2007-04-24 19:34 15,616 --a------ C:\WINDOWS\mssvr.exe
2007-04-24 19:34 15,360 --a------ C:\WINDOWS\SYSTEM32\WER8274.DLL
2007-04-24 19:34 15,104 --a------ C:\WINDOWS\voiceip.dll
2007-04-24 19:34 14,080 --a------ C:\WINDOWS\bokja.exe
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\bjam.dll
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\Biprep.exe
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\180ax.exe
2007-04-24 19:34 12,544 --a------ C:\WINDOWS\vxddsk.exe
2007-04-24 19:34 12 --a------ C:\WINDOWS\SYSTEM32\gtv_sd.bin
2007-04-24 19:34 11,520 --a------ C:\WINDOWS\flt.dll
2007-04-24 19:34 10,496 --a------ C:\WINDOWS\satmat.exe
2007-04-24 19:26 <DIR> d-------- C:\Program Files\LimeWire
2007-04-20 13:19 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\ImgBurn
2007-04-19 20:02 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-04-19 00:53 <DIR> d-------- C:\DOCUME~1\G30FF\Incomplete
2007-04-19 00:52 <DIR> d-------- C:\DOCUME~1\G30FF\.limewire
2007-04-18 11:56 <DIR> d--hs---- C:\found.001
2007-04-17 21:25 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-04-10 01:22 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\vlc
2007-04-09 23:44 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\acccore
2007-04-09 23:43 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-04-09 23:43 <DIR> d-------- C:\Program Files\AIM6
2007-04-09 14:45 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Viewpoint
2007-04-09 12:38 7,864,320 --a------ C:\DOCUME~1\G30FF\ntuser.dat
2007-04-09 12:38 262,144 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-04-09 12:18 <DIR> d-------- C:\Program Files\Common Files\mssoap
2007-04-09 08:42 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-04-09 08:42 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-04-09 08:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-04-09 08:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-08 14:59 <DIR> d-------- C:\kav
2007-04-08 13:52 <DIR> d--hs---- C:\WINDOWS\Z2VvZmYgdGhvbWE
2007-04-08 13:52 <DIR> d-------- C:\WINDOWS\Ódobe
2007-04-08 13:52 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Help
2007-04-07 18:10 2 --a------ C:\WINDOWS\SYSTEM32\wtsicom.exe
2007-04-07 12:28 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Real
2007-04-07 02:00 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-04-07 02:00 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-04-02 23:11 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Skype
2007-03-25 12:37 <DIR> d-------- C:\DOCUME~1\G30FF\Contacts
2007-03-25 12:35 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-24 19:34 36352 --a------ C:\WINDOWS\SYSTEM32\__c006d6be.dat
2007-04-09 12:32 502272 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2007-04-09 09:21 82944 --a------ C:\WINDOWS\SYSTEM32\ws2_32.dll
2007-04-09 09:16 -------- d-------- C:\Program Files\creative
2007-04-09 09:03 -------- d--h----- C:\Program Files\installshield installation information
2007-04-08 15:05 -------- d-------- C:\Program Files\winavivideoconverter
2007-04-07 23:13 -------- d-------- C:\Program Files\starcraft
2007-04-06 16:33 4212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-03-30 21:57 -------- d-------- C:\Program Files\quicktime
2007-03-30 20:57 512 --a------ C:\ScanSectorLog.dat
2007-03-25 12:37 -------- d-------- C:\Program Files\real
2007-03-25 12:36 -------- d-------- C:\Program Files\msn messenger
2007-03-22 21:58 32768 --a------ C:\WINDOWS\SYSTEM32\mp43.exe
2007-03-22 21:50 -------- d-------- C:\DOCUME~1\G30FF\APPLIC~1\mailfrontier
2007-03-19 16:37 -------- d-------- C:\Program Files\windows nt
2007-03-19 16:37 -------- d-------- C:\Program Files\messenger
2007-03-19 15:26 32768 --a------ C:\WINDOWS\SYSTEM32\svchtoost.exe
2007-03-17 03:06 -------- d-------- C:\Program Files\google
2007-03-16 19:48 27188 --a------ C:\WINDOWS\SYSTEM32\mljgd.exe
2007-03-13 01:56 -------- d-------- C:\Program Files\skype
2007-03-13 01:56 -------- d-------- C:\Program Files\Common Files\skype
2007-03-12 01:06 -------- d-------- C:\Program Files\microsoft works
2007-03-09 19:52 200768 --a------ C:\WINDOWS\SYSTEM32\klogon.dll
2007-03-03 20:39 110360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-02-08 11:49 668672 --a------ C:\WINDOWS\SYSTEM32\adjmmseng.dll
2007-01-25 09:46 1077248 --a------ C:\WINDOWS\SYSTEM32\nmsdvdx.dll
2007-01-25 09:45 1101824 --a------ C:\WINDOWS\SYSTEM32\nmsdvdxu.dll
2007-01-25 04:52 65536 --a------ C:\WINDOWS\SYSTEM32\nmsaccess.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{2B82A0EA-11B8-4DC2-92BF-F9523D3921BA} C:\WINDOWS\system32\hggfcdb.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Bruo"="\"C:\\WINDOWS\\SMBOLS~1\\userinit.exe\" -vt yazb"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2B82A0EA-11B8-4DC2-92BF-F9523D3921BA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcdb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c006D6BE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0071205

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\ddccdbb.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winyu.exe"="C:\\WINDOWS\\winyu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DownloadAccelerator"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"win32hlp"="C:\\WINDOWS\\System32\\win32hlp.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"ptrun32"="C:\\WINDOWS\\System32\\ptrun32\\ptrun32.exe -startup"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"windows auto update"="msblast.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"stcloader"="C:\\WINDOWS\\System32\\stcloader.exe"
"slmss"="C:\\Program Files\\Common Files\\slmss\\slmss.exe"
"Rundll32_7"="rundll32.exe C:\\WINDOWS\\System32\\msiefr40.dll,DllRunServer"
"PAV.EXE"="C:\\WINDOWS"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"Mwsvm"="C:\\WINDOWS\\mwsvm.exe"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"DGNTAHNUE"="C:\\WINDOWS\\DGNTAHNUE.exe"
"iefeatures"="C:\\WINDOWS\\System32\\iefeatures.exe"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"ClrSchLoader"="C:\\Program Files\\ClearSearch\\Loader.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AIMWDInstallFilename"="C:\\PROGRA~1\\AIM\\AIMWDI~1.EXE"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AcBtnMgr_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AcBtnMgr_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\AcBtnMgr_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACBTNM~1.EXE "
"item"="AcBtnMgr_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACMonitor_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ACMonitor_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\ACMonitor_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMONI~1.EXE "
"item"="ACMonitor_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RealDownload.lnk"
"backup"="C:\\WINDOWS\\pss\\RealDownload.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Real\\REALDO~1\\REALDO~1.EXE -hidden"
"item"="RealDownload"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Autostart ShipSearch.lnk]
"path"="C:\\Documents and Settings\\Geoff\\Start Menu\\Programs\\Startup\\Autostart ShipSearch.lnk"
"backup"="C:\\WINDOWS\\pss\\Autostart ShipSearch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SHIPSE~1.0-P\\SHIPSE~1.EXE "
"item"="Autostart ShipSearch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131470]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131470"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131470.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131516]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131516"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131516.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="180ax"
"hkey"="HKLM"
"command"="c:\\windows\\180ax.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\196992]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="196992"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\196992.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197078]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197078"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197078.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197270]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197270"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197270.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262526]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262526"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262526.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262758]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262758"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262758.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\263508]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="263508"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\263508.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328290]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328290"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328290.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328344]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328344"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328344.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4325808]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="4325808"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\4325808.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5833372]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5833372"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\5833372.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\655996]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="655996"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\655996.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65880]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65880"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65880.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65886]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65886"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65886.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66116]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66116"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66116.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66152]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66152"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66152.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66154]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66154"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66154.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66162]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66162"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66162.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\917702]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="917702"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\917702.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apinl.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apinl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apinl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apitz.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apitz"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apitz.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apply32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apply32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apply32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bruo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bsoe"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Geoff\\Application Data\\bsoe.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\crbu32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="crbu32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\crbu32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cscui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cscui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\cscui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbabmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGServices"
"hkey"="HKLM"
"command"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlbacinf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbacinf"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\dlbacinf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fly]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fly"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\fly.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Heart Spam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mix proxy"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Barb loud does\\mix proxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\htui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="htui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\htui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ielw32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ielw32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ielw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iexplore"
"hkey"="HKLM"
"command"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ieyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ieyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ieyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="imekrmig"
"hkey"="HKLM"
"command"="D:\\IME\\IMKR\\imekrmig.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\javadm32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="javadm32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\javadm32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdfi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdfi"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdfi.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdnec95]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdnec95"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdnec95.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxamsp32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxamsp32"
"hkey"="HKLM"
"command"="lxamsp32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\motoin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm15201518"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mm15201518.Stub.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnappau"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSVersion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="internetfeatures"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\internetfeatures.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pg2"
"hkey"="HKCU"
"command"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popuppers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newpop61"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\newpop61.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasdlg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rasdlg"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\rasdlg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFX_auto_upgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWindowsUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uptodate"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\uptodate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\Smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StormSet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syncui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syncui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\syncui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tcm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\THECLE~1\\tcm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\winyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmpdxm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wmpdxm"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\wmpdxm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"ewido security suite control"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070324-165548-132
O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\Geoff\ie_updater.exe (file missing)
backup-20070324-165548-878
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
backup-20070324-165546-876
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20070324-165544-889
O20 - Winlogon Notify: lprMSG - C:\WINDOWS\SYSTEM32\lprMSG.dll
backup-20070324-165544-180
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20070324-165541-339
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
backup-20070324-165540-313
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
backup-20070324-165540-875
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070324-165540-647
O15 - Trusted Zone: *.winantivirus.com (HKLM)
backup-20070324-165540-294
O15 - Trusted Zone: *.snipernet.us (HKLM)
backup-20070324-165540-840
O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070324-165540-472
O15 - Trusted Zone: *.mediatickets.net (HKLM)
backup-20070324-165540-510
O15 - Trusted Zone: *.media-motor.com (HKLM)
backup-20070324-165540-835
O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070324-165540-543
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070324-165540-908
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070324-165540-703
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070324-165540-943
O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070324-165538-978
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20070324-165538-645
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll (file missing)
backup-20070324-165538-551
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp158.tmp.dll (file missing)
backup-20070324-165538-758
O2 - BHO: (no name) - {228a932c-0dfb-4c84-b7fb-1e432fe885bd} - C:\WINDOWS\system32\lprMSG.dll
backup-20070317-015200-862
O2 - BHO: (no name) - {228a932c-0dfb-4c84-b7fb-1e432fe885bd} - C:\WINDOWS\system32\lprMSG.dll
backup-20070317-015200-889
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
backup-20070317-015105-554
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20070317-015105-641
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
backup-20070317-015105-371

Edited by geoffre, 25 April 2007 - 12:37 PM.




#2 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • Local time:03:15 AM

Posted 25 April 2007 - 12:38 PM

COMBO FIX LOG (CONTINUED):

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
backup-20070317-015105-980
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
backup-20070317-015105-933
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
backup-20070317-015105-997
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20070317-015105-480
O2 - BHO: (no name) - {228a932c-0dfb-4c84-b7fb-1e432fe885bd} - C:\WINDOWS\system32\lprMSG.dll
backup-20070317-015105-837
O2 - BHO: (no name) - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crpq.dll (file missing)
backup-20051110-132941-162
O20 - Winlogon Notify: geebb - C:\WINDOWS\System32\geebb.dll
backup-20051110-132914-745
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geebb.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-25 12:40:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-25 12:42:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-25 12:42



And here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:25:30 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2B82A0EA-11B8-4DC2-92BF-F9523D3921BA} - C:\WINDOWS\system32\hggfcdb.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddccdbb.dll
O20 - Winlogon Notify: hggfcdb - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat
O20 - Winlogon Notify: __c0071205 - C:\WINDOWS\system32\__c0071205.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\Geoff\ie_updater.exe (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
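As an added example (not from this thread or from any of the tools named in it), here is a small Python triage script that encodes the kind of rules a log reviewer applies by eye to a HijackThis log like the one above: orphaned entries whose file is missing, Trusted Zone additions, AppInit_DLLs, Winlogon Notify packages that are not DLLs, a userinit.exe running outside System32, and vendor-less services living in a user profile. The sample lines are constructed to match the shape of the posted log, and the rule names and thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: ten HijackThis v1.99.1 lines in the same shape as the
# log posted above (not the full log), mixing clearly legitimate entries with
# the kinds of entries a helper would ask to have removed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2B82A0EA-11B8-4DC2-92BF-F9523D3921BA} - C:\WINDOWS\system32\hggfcdb.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O20 - AppInit_DLLs: c:\windows\system32\ddccdbb.dll
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\Geoff\ie_updater.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section tag such as O4 or R0.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] "quoted path" args   or   HKCU\..\Run: [name] bare\path args
RUN_RE = re.compile(r'^(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Apply a handful of reviewer rules to HijackThis lines and return every hit.

    One line can produce more than one finding (e.g. an orphaned service that
    also has no vendor), which is why results are a list rather than a set.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m["section"], m["body"]

        def hit(reason: str) -> None:
            findings.append(Finding(section, reason, line))

        # Rule 1: registry still points at a file that is gone (leftover or half-removed).
        if "(file missing)" in body or "(no file)" in body:
            hit("orphaned entry: registry still references a file that no longer exists")

        # Rule 2: Trusted Zone additions exempt a site from IE's Internet-zone restrictions.
        if section == "O15":
            hit("Trusted Zone entry: site is exempt from Internet-zone restrictions")
        # Rule 3: AppInit_DLLs is loaded into every user-mode process that links user32.
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            hit("AppInit_DLLs: DLL is injected into every user-mode process")
        # Rule 4: genuine Winlogon notification packages are DLLs; a .dat here is a red flag.
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            path = body.rsplit(" - ", 1)[-1]
            if not path.lower().endswith(".dll"):
                hit("Winlogon Notify package is not a .dll")
        # Rule 5: userinit.exe belongs in System32; a copy elsewhere is masquerading.
        elif section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                path = (rm["quoted"] or rm["bare"]).lower()
                exe = path.rsplit("\\", 1)[-1]
                if exe == "userinit.exe" and not path.startswith("c:\\windows\\system32\\"):
                    hit("userinit.exe running from outside System32")
        # Rule 6: a service with no vendor string whose binary sits in a user profile.
        elif section == "O23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[-1]
            if "\\documents and settings\\" in path.lower():
                hit("vendor-less service binary located in a user profile directory")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the constructed sample flags six of the ten lines (seven findings, since the ieupdater21 service trips two rules) and leaves the Kaspersky, Windows Live, klogon and NVIDIA entries alone.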

#3 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:15 AM

Posted 01 May 2007 - 07:37 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum geoffre :thumbsup:

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Restart your pc.
Post the contents of the results file Report.txt from the SDFix scan, the C:\vundofix.txt, and a new Hijackthis log into your next reply please.


#4 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • Local time:03:15 AM

Posted 01 May 2007 - 02:34 PM

Hey RichieUK, thanks for all the help. I greatly appreciate it. Unfortunately I have some bad news. I accidentally deleted the Report.txt and am unable to reproduce it. Should I run it again?

In the meantime, here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:52 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddccdbb.dll
O20 - Winlogon Notify: hggfcdb - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat
O20 - Winlogon Notify: __c0071205 - C:\WINDOWS\system32\__c0071205.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



And here's my VundoFix:


VundoFix V6.3.20

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 4:40:43 PM 4/26/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 2:45:21 PM 5/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\hggfcdb.dll

Beginning removal...

Performing Repairs to the registry.
Done!

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:15 AM

Posted 01 May 2007 - 02:44 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
c:\windows\system32\ddccdbb.dll
C:\WINDOWS\system32\__c006D6BE.dat
C:\WINDOWS\system32\__c0071205.dat

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

*****************************

Please download Combofix again and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Post the Avenger output.txt, the C:\ComboFix.txt, and a new Hijackthis log into your next reply please.

#6 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • Local time:03:15 AM

Posted 01 May 2007 - 08:43 PM

AVENGER LOG:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cgpiwxkf

*******************

Script file located at: \??\C:\ifbocdpp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\ddccdbb.dll not found!
Deletion of file c:\windows\system32\ddccdbb.dll failed!

Could not process line:
c:\windows\system32\ddccdbb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\__c006D6BE.dat deleted successfully.
File C:\WINDOWS\system32\__c0071205.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




COMBO FIX:

"G30FF" - 07-05-01 21:20:40 Service Pack 2
ComboFix 07-05.01.V - Running from: "C:\Documents and Settings\G30FF\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\G30FF
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\G30FF\APPLIC~1\STEM~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1
C:\qoobox\purity\C\WINDOWS\SMBOLS~1\s?mbols
C:\qoobox\purity\C\WINDOWS\SMBOLS~1\userinit.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-05-01 21:19 <DIR> d-------- C:\avenger
2007-04-26 16:40 <DIR> d-------- C:\VundoFix Backups
2007-04-25 22:10 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-04-25 12:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-24 19:39 0 --a------ C:\WINDOWS\SYSTEM32\sl.bin
2007-04-24 19:35 36,352 --a------ C:\WINDOWS\SYSTEM32\__c0049F0D.dat
2007-04-24 19:34 9,728 --a------ C:\WINDOWS\cdsm32.dll
2007-04-24 19:34 8,448 --a------ C:\WINDOWS\SYSTEM32\vxddsk.exe
2007-04-24 19:34 8,192 --a------ C:\WINDOWS\salm.exe
2007-04-24 19:34 78 --a------ C:\WINDOWS\file.bat
2007-04-24 19:34 32,256 --a------ C:\WINDOWS\mspphe.dll
2007-04-24 19:34 30,720 --a------ C:\WINDOWS\7search.dll
2007-04-24 19:34 30,208 --a------ C:\WINDOWS\bi.dll
2007-04-24 19:34 28,160 --a------ C:\WINDOWS\stcloader.exe
2007-04-24 19:34 25,088 --a------ C:\WINDOWS\updatetc.exe
2007-04-24 19:34 21,504 --a------ C:\WINDOWS\pbar.dll
2007-04-24 19:34 21,248 --a------ C:\WINDOWS\swin32.dll
2007-04-24 19:34 19,200 --a------ C:\WINDOWS\saiemod.dll
2007-04-24 19:34 18,944 --a------ C:\WINDOWS\SYSTEM32\wml.exe
2007-04-24 19:34 17,408 --a------ C:\WINDOWS\wml.exe
2007-04-24 19:34 16,896 --a------ C:\WINDOWS\SYSTEM32\MSIXU.DLL
2007-04-24 19:34 16,640 --a------ C:\WINDOWS\SUSP.exe
2007-04-24 19:34 15,616 --a------ C:\WINDOWS\mssvr.exe
2007-04-24 19:34 15,360 --a------ C:\WINDOWS\SYSTEM32\WER8274.DLL
2007-04-24 19:34 15,104 --a------ C:\WINDOWS\voiceip.dll
2007-04-24 19:34 14,080 --a------ C:\WINDOWS\bokja.exe
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\bjam.dll
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\Biprep.exe
2007-04-24 19:34 12,800 --a------ C:\WINDOWS\180ax.exe
2007-04-24 19:34 12,544 --a------ C:\WINDOWS\vxddsk.exe
2007-04-24 19:34 12 --a------ C:\WINDOWS\SYSTEM32\gtv_sd.bin
2007-04-24 19:34 11,520 --a------ C:\WINDOWS\flt.dll
2007-04-24 19:34 10,496 --a------ C:\WINDOWS\satmat.exe
2007-04-24 19:26 <DIR> d-------- C:\Program Files\LimeWire
2007-04-20 13:19 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\ImgBurn
2007-04-19 20:02 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-04-19 00:53 <DIR> d-------- C:\DOCUME~1\G30FF\Incomplete
2007-04-19 00:52 <DIR> d-------- C:\DOCUME~1\G30FF\.limewire
2007-04-18 11:56 <DIR> d--hs---- C:\found.001
2007-04-17 21:25 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-04-10 01:22 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\vlc
2007-04-09 23:44 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\acccore
2007-04-09 23:43 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-04-09 23:43 <DIR> d-------- C:\Program Files\AIM6
2007-04-09 14:45 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Viewpoint
2007-04-09 12:38 7,864,320 --a------ C:\DOCUME~1\G30FF\ntuser.dat
2007-04-09 12:38 262,144 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-04-09 12:18 <DIR> d-------- C:\Program Files\Common Files\mssoap
2007-04-09 08:42 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-04-09 08:42 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-04-09 08:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-04-09 08:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-04-08 14:59 <DIR> d-------- C:\kav
2007-04-08 13:52 <DIR> d--hs---- C:\WINDOWS\Z2VvZmYgdGhvbWE
2007-04-08 13:52 <DIR> d-------- C:\WINDOWS\Ódobe
2007-04-08 13:52 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Help
2007-04-07 18:10 2 --a------ C:\WINDOWS\SYSTEM32\wtsicom.exe
2007-04-07 12:28 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Real
2007-04-07 02:00 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-04-07 02:00 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-04-02 23:11 <DIR> d-------- C:\DOCUME~1\G30FF\APPLIC~1\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 01:38:36 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Azureus
2007-04-26 03:10:18 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Skype
2007-04-26 02:10:11 -------- d-----w C:\Program Files\Skype
2007-04-20 17:19:49 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\ImgBurn
2007-04-19 23:57:48 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\acccore
2007-04-18 01:26:16 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Viewpoint
2007-04-10 05:22:53 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\vlc
2007-04-09 16:32:09 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-04-09 13:21:39 82,944 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-09 13:16:08 -------- d-----w C:\Program Files\Creative
2007-04-09 13:03:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-08 19:05:18 -------- d-----w C:\Program Files\WinAVIVideoConverter
2007-04-08 17:52:39 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Help
2007-04-08 03:13:36 -------- d-----w C:\Program Files\Starcraft
2007-04-07 16:28:51 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\Real
2007-04-06 20:33:23 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
2007-03-31 01:57:40 -------- d-----w C:\Program Files\QuickTime
2007-03-31 00:57:37 512 ----a-w C:\ScanSectorLog.dat
2007-03-25 16:37:11 -------- d-----w C:\Program Files\Real
2007-03-25 16:36:22 -------- d-----w C:\Program Files\MSN Messenger
2007-03-25 02:32:19 -------- d-----w C:\Program Files\Azureus
2007-03-23 01:58:52 32,768 ----a-w C:\WINDOWS\system32\mp43.exe
2007-03-23 01:50:09 -------- d-----w C:\DOCUME~1\G30FF\APPLIC~1.\MailFrontier
2007-03-19 20:37:04 -------- d-----w C:\Program Files\Windows NT
2007-03-19 20:37:03 -------- d-----w C:\Program Files\Messenger
2007-03-19 19:26:39 32,768 ----a-w C:\WINDOWS\system32\svchtoost.exe
2007-03-17 07:06:23 -------- d-----w C:\Program Files\Google
2007-03-16 23:48:49 27,188 ----a-w C:\WINDOWS\system32\mljgd.exe
2007-03-12 05:06:54 -------- d-----w C:\Program Files\Microsoft Works
2007-03-09 23:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-04 00:39:06 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2007-02-08 15:49:44 668,672 ----a-w C:\WINDOWS\system32\AdjMmsEng.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TraySantaCruz"="C:\\WINDOWS\\System32\\tbctray.exe"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Bruo"="\"C:\\WINDOWS\\SMBOLS~1\\userinit.exe\" -vt yazb"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\SYSTEM32\\SYSCF32.DLL"
"Source"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcdb
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c006D6BE
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0071205

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="c:\windows\system32\ddccdbb.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"winyu.exe"="C:\\WINDOWS\\winyu.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DownloadAccelerator"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"win32hlp"="C:\\WINDOWS\\System32\\win32hlp.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"ptrun32"="C:\\WINDOWS\\System32\\ptrun32\\ptrun32.exe -startup"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"windows auto update"="msblast.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"stcloader"="C:\\WINDOWS\\System32\\stcloader.exe"
"slmss"="C:\\Program Files\\Common Files\\slmss\\slmss.exe"
"Rundll32_7"="rundll32.exe C:\\WINDOWS\\System32\\msiefr40.dll,DllRunServer"
"PAV.EXE"="C:\\WINDOWS"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"Mwsvm"="C:\\WINDOWS\\mwsvm.exe"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"DGNTAHNUE"="C:\\WINDOWS\\DGNTAHNUE.exe"
"iefeatures"="C:\\WINDOWS\\System32\\iefeatures.exe"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"ClrSchLoader"="C:\\Program Files\\ClearSearch\\Loader.exe"
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AIMWDInstallFilename"="C:\\PROGRA~1\\AIM\\AIMWDI~1.EXE"
"Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AcBtnMgr_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AcBtnMgr_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\AcBtnMgr_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACBTNM~1.EXE "
"item"="AcBtnMgr_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACMonitor_X63.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ACMonitor_X63.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\ACMonitor_X63.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMONI~1.EXE "
"item"="ACMonitor_X63.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RealDownload.lnk"
"backup"="C:\\WINDOWS\\pss\\RealDownload.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Real\\REALDO~1\\REALDO~1.EXE -hidden"
"item"="RealDownload"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Autostart ShipSearch.lnk]
"path"="C:\\Documents and Settings\\Geoff\\Start Menu\\Programs\\Startup\\Autostart ShipSearch.lnk"
"backup"="C:\\WINDOWS\\pss\\Autostart ShipSearch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SHIPSE~1.0-P\\SHIPSE~1.EXE "
"item"="Autostart ShipSearch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131470]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131470"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131470.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\131516]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="131516"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\131516.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="180ax"
"hkey"="HKLM"
"command"="c:\\windows\\180ax.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\196992]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="196992"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\196992.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197078]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197078"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197078.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\197270]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="197270"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\197270.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262526]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262526"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262526.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\262758]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="262758"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\262758.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\263508]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="263508"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\263508.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328290]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328290"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328290.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\328344]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="328344"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\328344.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4325808]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="4325808"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\4325808.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5833372]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="5833372"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\5833372.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\655996]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="655996"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\655996.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65880]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65880"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65880.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\65886]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="65886"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\65886.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66116]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66116"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66116.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66152]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66152"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66152.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66154]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66154"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66154.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\66162]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="66162"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\66162.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\917702]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="917702"
"hkey"="HKCU"
"command"="rundll32.exe shell32.dll,Control_RunDLL C:\\WINDOWS\\917702.cpl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADVCHK"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apinl.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apinl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apinl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apitz.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apitz"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apitz.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apply32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apply32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\apply32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bruo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bsoe"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Geoff\\Application Data\\bsoe.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\crbu32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="crbu32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\crbu32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cscui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cscui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\cscui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTRegRun"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\CTRegRun.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbabmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell AIO Printer A940\\dlbabmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGServices"
"hkey"="HKLM"
"command"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlbacinf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dlbacinf"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\dlbacinf.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadWare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fly]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fly"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\fly.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Heart Spam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mix proxy"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Barb loud does\\mix proxy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\htui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="htui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\htui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ielw32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ielw32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ielw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplore.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iexplore"
"hkey"="HKLM"
"command"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ieyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ieyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ieyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imekrmig]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="imekrmig"
"hkey"="HKLM"
"command"="D:\\IME\\IMKR\\imekrmig.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\javadm32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="javadm32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\javadm32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdfi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdfi"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdfi.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdnec95]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdnec95"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kbdnec95.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxamsp32.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxamsp32"
"hkey"="HKLM"
"command"="lxamsp32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLoads Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dw"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\" /WinStart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\motoin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm15201518"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mm15201518.Stub.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnappau"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Apps\\Updater\\01.02.3000.1001\\en-us\\msnappau.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSVersion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="internetfeatures"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\internetfeatures.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pg2"
"hkey"="HKCU"
"command"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popuppers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newpop61"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\newpop61.exe"
"inimapping"="0"



COMBOFIX (CONTINUED):

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rasdlg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rasdlg"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\rasdlg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFX_auto_upgrade]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunWindowsUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uptodate"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\uptodate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\Smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StormCodec_Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StormSet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syncui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syncui"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\syncui.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tcm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\THECLE~1\\tcm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winyu.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winyu"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\winyu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmpdxm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wmpdxm"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\wmpdxm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"ewido security suite control"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 21:25:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 21:25:31
C:\ComboFix-quarantined-files.txt ... 07-05-01 21:25
C:\ComboFix2.txt ... 07-04-26 19:06
C:\ComboFix3.txt ... 07-04-25 12:42




NEW HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:35:09 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:15 AM

Posted 02 May 2007 - 05:48 AM

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\__c0049F0D.dat
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\wml.exe
C:\WINDOWS\SYSTEM32\MSIXU.DLL
C:\WINDOWS\SUSP.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\SYSTEM32\WER8274.DLL
C:\WINDOWS\voiceip.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\Biprep.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\SYSTEM32\gtv_sd.bin
C:\WINDOWS\flt.dll
C:\WINDOWS\satmat.exe
C:\WINDOWS\Z2VvZmYgdGhvbWE
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\svchtoost.exe
C:\WINDOWS\system32\mljgd.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

#8 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 02 May 2007 - 11:18 AM

Ok done!

BTW, I don't know if this helps, but I still have the "OuterInfo" folder/files in my program list from the Start menu.


AVENGER:

\Registry\Machine\System\CurrentControlSet\Services\bduvxtfx

*******************

Script file located at: \??\C:\WINDOWS\system32\vxnpqxjp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\__c0049F0D.dat deleted successfully.
File C:\WINDOWS\cdsm32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vxddsk.exe deleted successfully.
File C:\WINDOWS\salm.exe deleted successfully.
File C:\WINDOWS\mspphe.dll deleted successfully.
File C:\WINDOWS\7search.dll deleted successfully.
File C:\WINDOWS\bi.dll deleted successfully.
File C:\WINDOWS\stcloader.exe deleted successfully.
File C:\WINDOWS\updatetc.exe deleted successfully.
File C:\WINDOWS\pbar.dll deleted successfully.
File C:\WINDOWS\swin32.dll deleted successfully.
File C:\WINDOWS\saiemod.dll deleted successfully.
File C:\WINDOWS\wml.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\MSIXU.DLL deleted successfully.
File C:\WINDOWS\SUSP.exe deleted successfully.
File C:\WINDOWS\mssvr.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\WER8274.DLL deleted successfully.
File C:\WINDOWS\voiceip.dll deleted successfully.
File C:\WINDOWS\bokja.exe deleted successfully.
File C:\WINDOWS\bjam.dll deleted successfully.
File C:\WINDOWS\Biprep.exe deleted successfully.
File C:\WINDOWS\180ax.exe deleted successfully.
File C:\WINDOWS\vxddsk.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\gtv_sd.bin deleted successfully.
File C:\WINDOWS\flt.dll deleted successfully.
File C:\WINDOWS\satmat.exe deleted successfully.


Error: C:\WINDOWS\Z2VvZmYgdGhvbWE is a folder, not a file!
Deletion of file C:\WINDOWS\Z2VvZmYgdGhvbWE failed!

Could not process line:
C:\WINDOWS\Z2VvZmYgdGhvbWE
Status: 0xc00000ba

File C:\WINDOWS\system32\mp43.exe deleted successfully.
File C:\WINDOWS\system32\svchtoost.exe deleted successfully.
File C:\WINDOWS\system32\mljgd.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:49 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ddccdbb.dll
O20 - Winlogon Notify: hggfcdb - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat (file missing)
O20 - Winlogon Notify: __c0071205 - C:\WINDOWS\system32\__c0071205.dat (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:15 AM

Posted 02 May 2007 - 12:16 PM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As. Save as type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

*********************

Click on Start > Control Panel > Add/Remove Programs, and uninstall the following programs if listed:
Snowball Wars by OIN
PurityScan by OIN
Yazzle by OIN
Cowabanga by OIN
OuterInfo
OIN
Or anything similar.

Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed in Add/Remove Programs, do the following:
Go here, download and run the OiUninstaller:
http://www.outerinfo.com/howto.html
When you've done, reboot.

********************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: hggfcdb - C:\WINDOWS\
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat (file missing)
O20 - Winlogon Notify: __c0071205 - C:\WINDOWS\system32\__c0071205.dat (file missing)


Exit Hijackthis,find and delete:
C:\WINDOWS\Z2VvZmYgdGhvbWE

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
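The fix list above is built by hand from the HijackThis log: orphaned O2/O3 CLSIDs and Winlogon Notify packages with no file behind them are safe to fix, while AppInit_DLLs, a local file:// DPF source and a copy of userinit.exe outside system32 need a human look (the fix.reg and the folder deletion handle those separately). As an added example, not part of this thread and not code from HijackThis or its authors, here is that triage logic as a small Python script. The sample lines are copied from the log posted above (a handful, not the whole log); the masquerade name list and the severity labels are assumptions made for the example.

```python
import re

# Markers HijackThis appends when a registered object has no backing file.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# System binaries malware likes to name itself after.  A copy living outside
# %SystemRoot%\system32 is a red flag (the posted log shows
# C:\WINDOWS\SMBOLS~1\userinit.exe).  The list itself is an assumption.
MASQUERADE_NAMES = {"userinit.exe", "svchost.exe", "lsass.exe",
                    "winlogon.exe", "explorer.exe", "csrss.exe"}

# Constructed sample: lines copied from the HijackThis log posted above, not
# the whole log.  The truncated Microsoft Update URL is kept as it appears.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [Bruo] "C:\WINDOWS\SMBOLS~1\userinit.exe" -vt yazb
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163437834983
O20 - AppInit_DLLs: c:\windows\system32\ddccdbb.dll
O20 - Winlogon Notify: hggfcdb - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: __c006D6BE - C:\WINDOWS\system32\__c006D6BE.dat (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if it looks benign.

    severity 'fix'    -> orphaned registry entry; 'Fix checked' is safe
    severity 'review' -> live code path; look before touching
    """
    line = line.strip()
    if not line or " - " not in line:
        return None
    section = line.split(" - ", 1)[0]   # 'O2', 'O4', 'O20', ...
    tail = line.split(" - ")[-1]        # last ' - ' separated field

    if section in ("O2", "O3"):
        # BHO / toolbar CLSID whose server DLL is gone: dead registry entry.
        if tail.endswith(ORPHAN_MARKERS):
            return ("fix", "orphaned CLSID: registered object has no file on disk")
        return None

    if section == "O4":
        # Pull the executable out of the Run value, quoted or bare.
        m = re.search(r'\[[^\]]+\]\s+("([^"]+)"|(\S+))', line)
        if not m:
            return None
        exe = (m.group(2) or m.group(3)).lower()
        name = exe.rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and "\\system32\\" not in exe:
            return ("review", f"{name} launched from outside system32 (masquerading as a system binary)")
        return None

    if section == "O16" and "file://" in line.lower():
        return ("review", "ActiveX control installed from a local file:// source, not a web URL")

    if section == "O20":
        if "AppInit_DLLs:" in line:
            value = line.split("AppInit_DLLs:", 1)[1].strip()
            if value:
                return ("review", "AppInit_DLLs is set: the DLL is loaded into every process that maps user32.dll")
            return None
        if "Winlogon Notify:" in line and (tail.endswith("\\") or tail.endswith(ORPHAN_MARKERS)):
            return ("fix", "Winlogon Notify package points at a directory or a missing file")
        return None
    return None


def triage(log_text):
    """Run classify() over every line; return [(severity, reason, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        result = classify(raw)
        if result:
            findings.append((result[0], result[1], raw.strip()))
    return findings


def hjt_fix_list(log_text):
    """Lines safe to hand to HijackThis 'Fix checked', in log order."""
    return [line for sev, _, line in triage(log_text) if sev == "fix"]


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run on the sample it flags four 'fix' entries (two orphaned CLSIDs and the two dead Winlogon Notify packages) and three 'review' entries (the userinit.exe copy, the file:// cab, and AppInit_DLLs); the Acrobat BHO, the Kaspersky entries and the Lexmark service pass through untouched. The 'review' class is deliberately not auto-fixed: an AppInit_DLLs value has to be cleared at the registry value, as the fix.reg above does, and a live executable has to be deleted on disk, not just un-registered.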

#10 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 03 May 2007 - 04:21 PM

I will not be able to perform the next steps for another couple of days as I will not be home to use my PC, but I will post the reports immediately when I can. Thanks again~

#11 geoffre

geoffre
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 24 May 2007 - 01:53 AM

Richie, I am sorry it has taken so long to reply to your last post, but here are the logs you asked for. As far as I can tell my computer seems to be doing alright, but I currently do not have any protection after having to get rid of Kaspersky antivirus, and it was when I was using Kaspersky that I was getting the hundred thousand popups warning me of all kinds of intrusions and whatnot. Anyhow, are there any good anti-spyware/anti-virus programs that you recommend I use? What about old restore points, do they need to be deleted? I will await your next batch of instructions. Thanks for all your help~

Attached Files


Edited by geoffre, 24 May 2007 - 01:57 AM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:15 AM

Posted 24 May 2007 - 06:56 AM

Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

*************************

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply, along with a new Hijackthis log.

Please post all replies directly into this topic, not as attachments, thanks.




