Computing.Net > Forums > Security and Virus > Possible virus


Possible virus


Name: bccamper
Date: October 29, 2006 at 11:17:01 Pacific
OS: Win XP 2002
CPU/Ram: P4 1.8GHZ/256MB
Product: ASUS
Comment:

I am trying to fix a friend's machine that is doing weird things, including not allowing me to install programs, shutting down Windows Explorer when I select a certain directory, etc. Could I post a hijack log for someone to look at? I believe I have a virus, but it seems there is no scanner on this machine and I am unable so far to install one. I have tried online scanners but I get so far and then get kicked out of IE.




Response Number 1
Name: Bob (by BigBob)
Date: October 29, 2006 at 14:11:31 Pacific
Reply:

Yes, you can post a HJT log and I will try to help.
The master with HJT is Jabuck; you could also send him a PM.

" Please Post back to let us know if we helped "



Response Number 2
Name: bccamper
Date: October 29, 2006 at 16:55:19 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:27 AM, on 29/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.exe" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinrpem.exe GEN001
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\RunServices: [Creative Audio Drivers] creative.exe
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m482lelo1hqc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\h2n00c5mef.dll (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



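The HijackThis log above shows three patterns a responder would want to pull out automatically: O1 hosts entries pointing security-vendor domains at arbitrary addresses (so scanners and updaters can never reach their servers, which matches the "kicked out of IE" symptom), O4 Run/RunServices entries that launch a bare file name under a vendor-sounding label, and O20 Winlogon Notify DLLs with random-looking names. The script below is an added example, not part of the thread or of HijackThis; it parses those line types with regular expressions and applies simple heuristics. SAMPLE_LOG is a hand-picked subset of the posted log plus two constructed benign lines (the intranet hosts entry and the crypt32chain notify entry); the vendor domain list and the "three or more digits in the DLL name" threshold are assumptions, not rules from the page.

```python
r"""Triage a HijackThis-style log for hosts-file hijacks of security-vendor
domains, O4 autostarts that run a bare file name, and random-looking Winlogon
Notify DLLs.  Added example, not part of the original thread.  SAMPLE_LOG is
a subset of the posted log plus two constructed benign lines (the first O1
line and the last O20 line), so it runs offline without a live HJT scan."""
import re

# Assumption: a normal workstation hosts file has no entries at all for these
# vendor domains, so any mapping, whatever the IP, is worth flagging.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "f-secure.com", "kaspersky.com",
    "avp.com", "viruslist.com", "trendmicro.com", "ca.com", "my-etrust.com",
    "virustotal.com", "jotti.org", "norman.no",
)

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

SAMPLE_LOG = r"""
O1 - Hosts: 10.0.0.5 intranet.constructed.example
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinrpem.exe GEN001
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\RunServices: [Creative Audio Drivers] creative.exe
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m482lelo1hqc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\h2n00c5mef.dll (file missing)
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
""".strip().splitlines()


def vendor_hosts_hijacks(lines):
    """(ip, host) for every O1 hosts entry whose host is a security-vendor domain."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.groups()
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
            hits.append((ip, host))
    return hits


def _executable_of(command):
    """First token of an O4 command: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def bare_autostarts(lines):
    """(key, label, exe) for O4 entries whose command has no directory at all.
    Windows then resolves the name through the search path; in this log every
    such entry (linksys.exe, bootini.exe, creative.exe, asus.exe) was later
    listed by SDFix as malware."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, key, label, command = m.groups()
        exe = _executable_of(command)
        if exe and "\\" not in exe and "/" not in exe:
            hits.append((hive + "\\..\\" + key, label, exe))
    return hits


def suspicious_winlogon_notify(lines, min_digits=3):
    """(subkey, dll basename) for O20 entries that are missing on disk or whose
    basename carries min_digits or more digits (rough heuristic for generated names)."""
    hits = []
    for line in lines:
        m = NOTIFY_RE.match(line.strip())
        if not m:
            continue
        subkey, dll = m.groups()
        missing = dll.endswith("(file missing)")
        basename = dll.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
        if missing or sum(ch.isdigit() for ch in basename) >= min_digits:
            hits.append((subkey, basename))
    return hits


if __name__ == "__main__":
    for ip, host in vendor_hosts_hijacks(SAMPLE_LOG):
        print(f"hosts hijack    {host:40} -> {ip}")
    for key, label, exe in bare_autostarts(SAMPLE_LOG):
        print(f"bare autostart  {key} [{label}] {exe}")
    for subkey, dll in suspicious_winlogon_notify(SAMPLE_LOG):
        print(f"winlogon notify {subkey}: {dll}")
```

On the sample, the hosts check flags all six vendor entries and ignores the constructed intranet line, the autostart check returns exactly the five bare-name entries, and the notify check flags OptimalLayout and Setup but not crypt32.dll. The digit heuristic is deliberately crude; a real triage would also compare each DLL against a known-good list or its file signature.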

Response Number 3
Name: bccamper
Date: October 29, 2006 at 16:59:24 Pacific
Reply:

Yes, Jabuck helped me with a problem on a different machine. Let me know if you want me to contact him and how to PM him.



Response Number 4
Name: XpUser4Real
Date: October 29, 2006 at 18:04:44 Pacific
Reply:

Just go to my computing.net link/private message center, type in Jabuck and send him a PM if you'd like. He's pretty prompt at replying... make sure to give him your post number and what forum it is located in.
Good Luck

Hopefully my advice will help you...Please post back with your results....thanks



Response Number 5
Name: bccamper
Date: October 29, 2006 at 18:41:32 Pacific
Reply:

Okay, I have sent a PM to jabuck. Thanks.






Response Number 6
Name: jabuck
Date: October 29, 2006 at 19:27:12 Pacific
Reply:

Download SDfix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Please download ComboFix to the Desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the combofix.txt log and a new HijackThis log.



Response Number 7
Name: bccamper
Date: October 29, 2006 at 19:56:51 Pacific
Reply:

jabuck, I can't seem to find sdfix. Where can I download it from?



Response Number 8
Name: bccamper
Date: October 29, 2006 at 20:05:55 Pacific
Reply:

Jabuck, I found it.



Response Number 9
Name: bccamper
Date: October 29, 2006 at 20:59:38 Pacific
Reply:

Stage Two...

Checking For Malware:
--------------------

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload152a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload46a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload[2].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EJQBY7U9\drsmartload849a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I9WPY12L\drsmartload45a[1].exe
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-113D05CC.pf
C:\WINDOWS\Prefetch\DRSMARTLOAD1.EXE-04DD9FC7.pf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\asus.exe
C:\WINDOWS\system32\bootini.exe
C:\WINDOWS\system32\creative.exe
C:\WINDOWS\system32\dllcache\msvps.exe
C:\WINDOWS\system32\linksys.exe
C:\WINDOWS\system32\MS32.exe
C:\WINDOWS\system32\msjava.exe
C:\WINDOWS\system32\stonedrv.exe
C:\WINDOWS\system32\SVKP.SYS

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload152a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload46a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload[2].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EJQBY7U9\drsmartload849a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I9WPY12L\drsmartload45a[1].exe
C:\WINDOWS\system32\bootini.exe
C:\WINDOWS\system32\linksys.exe

Any files removed are saved to the SDFix\backups Folder

FINISHED



Response Number 10
Name: bccamper
Date: October 29, 2006 at 21:34:20 Pacific
Reply:

jabuck, I left the machine while the ComboFix was running. I came back a little later and found the machine constantly booting. I can no longer get into Windows, even in safe mode. The machine gets to the point where the MS Windows XP Pro window disappears and then it reboots.



Response Number 11
Name: jabuck
Date: October 30, 2006 at 04:05:35 Pacific
Reply:

The boot.ini or the wininet.dll file was damaged by the malware.

First try to boot into safe mode, then select "last known good configuration". Works once in a blue moon, but may work.

If this failed you will need the original install disk from the owner of the computer or an XP Pro CD. It is possible that a repair install will be needed, and only an XP Pro CD will work, so you may have to borrow one.

If you get the original install disk, insert it in the CD-ROM, then click open (don't let it run in auto), then browse through it and see if it offers a repair from console option. If it does, try to repair the boot.ini file; or, if that option is not available and you have to use an XP Pro CD to do a repair install, these are about the best instructions: http://www.michaelstevenstech.com/XPrepairinstall.htm

I have repaired the boot.ini from the recovery console with the 6 floppy disk download, so that works also.



Response Number 12
Name: bccamper
Date: October 30, 2006 at 17:58:10 Pacific
Reply:

jabuck, I am a little confused. It sounds like I should be doing a repair from the console, but part of Michael Stevens' article says do not choose recovery console. He even repeats it, although things I read before that seem to indicate that is what I wanted to do. Even Charlie White's article (a link off of Michael's page) says to use recovery console. Can you give me some direction?



Response Number 13
Name: jabuck
Date: October 30, 2006 at 18:51:29 Pacific
Reply:

What type of media do you have: XP Pro CD, 6 floppies, or OEM recovery disk?



Response Number 14
Name: bccamper
Date: October 30, 2006 at 18:54:45 Pacific
Reply:

XP pro CD



Response Number 15
Name: jabuck
Date: October 30, 2006 at 19:34:51 Pacific
Reply:

Try the repair first. Boot with the XP Pro CD > press Enter (don't boot to recovery console) > accept license agreement > choose the XP installation you would like to repair (C:\Windows "Windows microsoft XP professional") > press "R" to repair.

Look on the side of the box for the key (25 alphanumeric digits, I think) and write it down before you start. You may not need it, but you will not have to scuffle for it if you do. Then just follow the prompts. Once finished, make sure the firewall is turned on, then download the Windows updates.

And keep in mind that this computer is still infected, so post a HijackThis log when you get through.




Response Number 16
Name: bccamper
Date: October 30, 2006 at 20:26:27 Pacific
Reply:

jabuck, I finished the repair. It forced me to activate Windows before it would allow me to log in, so I had to connect to the internet to do that. Once I started to activate, a window came up with the following:

Message from Security_monito to Windows_User on 06-10-30 20:14
Stop! Critical system errors
1. Download registry repair from www.correctreg.com
2. install registry repair
3. run registry repair
4 reboot

Failure to act now may lead to data loss and coruption

I was not logged in yet so I was unable to download anything. After activating windows and logging in SDFIX started running again. It is now finished. I will run hijack and post a new log.



Response Number 17
Name: bccamper
Date: October 30, 2006 at 20:31:14 Pacific
Reply:

The combofix.txt is very long. Is there a way for me to attach it instead of pasting it? Also, hijack will no longer run. It starts up and I see the window for a second and then it quits.



Response Number 18
Name: bccamper
Date: October 30, 2006 at 20:50:05 Pacific
Reply:

Jabuck, I tried running hijack in safe mode and it ran, but when it tried to open the log it said it could not open it. Now when I try to run it, it fails on "Incorrect function" if I click the executable in the hijack directory. If I do a Start > Run, it says "Windows cannot create a shortcut here. Do you want the shortcut to be placed on the desktop instead?" If I say yes, it says the shortcut cannot be created - check to see if the disk is full. Looks like I am in a heap of trouble.

Lastly, do you wish me to alert you when I need your input or just wait till you respond?



Response Number 19
Name: bccamper
Date: October 30, 2006 at 20:55:11 Pacific
Reply:

Also, it seems it has lost the ability to run any exes. I thought I saw a fix for this recently but I don't recall where.



Response Number 20
Name: jabuck
Date: October 31, 2006 at 03:55:41 Pacific
Reply:

Go to the following link, download the shell open command reset tool and run it: http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

If no luck, go to http://www.kellys-korner-xp.com/xp_tweaks.htm and run item 12 on the list to repair executable files in XP.

Post the HJT log and the ComboFix log.


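The "shell open command reset" jabuck points to exists because the symptom in the posts above ("Incorrect function", no .exe will launch) is what a hijacked .exe file association looks like: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command has been changed from the stock `"%1" %*` so that another program is interposed on every launch. The script below is an added example, not the Symantec tool or Kelly's Korner item 12: it parses a regedit (.reg) export, reports any departure from the stock values, and produces the .reg text that restores them; the same parser also flags CLSID InprocServer32 entries whose server is not a library file, the guard.tmp pattern that appears in the ComboFix log later in this thread. Assumptions: the stock Windows XP values are `HKEY_CLASSES_ROOT\.exe` = `exefile` and `HKEY_CLASSES_ROOT\exefile\shell\open\command` = `"%1" %*`; SAMPLE_EXPORT is constructed (the hijack path is a placeholder, and the two CLSID keys are copied from the ComboFix log in this thread).

```python
r"""Check a regedit (.reg) export for a hijacked .exe file association, emit
the .reg text that restores the stock values, and flag CLSID InprocServer32
entries that point at a non-library file.  Added example, not the Symantec
reset tool or Kelly's Korner item 12 from the thread.  Assumed stock values:
HKCR\.exe = "exefile", HKCR\exefile\shell\open\command = "%1" %*.
SAMPLE_EXPORT is constructed; the CLSID keys are copied from the ComboFix log."""

STOCK = [  # (key, value name, stock data); "@" is the key's default value
    (r"HKEY_CLASSES_ROOT\.exe", "@", "exefile"),
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@", '"%1" %*'),
]

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

; constructed: what a hijacked .exe association looks like in an export
[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\CONSTRUCTED\\hijack.exe\" \"%1\" %*"

; copied from the ComboFix Look2Me log posted in this thread
[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqdru.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
'''


def _unescape(literal):
    r"""Decode a REG_SZ literal: strip the surrounding quotes, undo \\ and \" escapes."""
    if not (literal.startswith('"') and literal.endswith('"')):
        return literal  # dword:/hex: data is left untouched
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key (lower-cased): {value name: data}}; registry keys are case-insensitive."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        entries[current][name if name == "@" else name.strip('"')] = _unescape(data)
    return entries


def exe_association_problems(entries):
    """(key, value name, expected, actual) for each stock value that does not match."""
    problems = []
    for key, name, expected in STOCK:
        actual = entries.get(key.lower(), {}).get(name)
        if actual != expected:
            problems.append((key.lower(), name, expected, actual))
    return problems


def _literal(data):
    """Encode data as a REG_SZ literal (backslashes and quotes escaped)."""
    return '"' + data.replace("\\", "\\\\").replace('"', '\\"') + '"'


def repair_reg_text():
    """A .reg file that puts the stock association back (import with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, data in STOCK:
        label = "@" if name == "@" else '"' + name + '"'
        lines += ["[" + key + "]", label + "=" + _literal(data), ""]
    return "\n".join(lines)


def odd_inproc_servers(entries, allowed=(".dll", ".ocx", ".ax", ".cpl")):
    """InprocServer32 defaults whose server is not a library file (guard.tmp style)."""
    hits = []
    for key, values in entries.items():
        server = values.get("@", "")
        if key.endswith(r"\inprocserver32") and server and not server.lower().endswith(allowed):
            hits.append((key, server))
    return hits


if __name__ == "__main__":
    found = parse_reg(SAMPLE_EXPORT)
    for key, name, expected, actual in exe_association_problems(found):
        print(f"{key} {name}: expected {expected!r}, found {actual!r}")
    for key, server in odd_inproc_servers(found):
        print(f"non-library COM server: {key} -> {server}")
    print(repair_reg_text())
```

Note what the extension heuristic does and does not catch: the guard.tmp entry is reported, but a COM server registered under a randomly named .dll (kqdru.dll in the sample) is not, so that check is a first pass, not a verdict. Exporting `HKEY_CLASSES_ROOT\exefile` from regedit before running the repair keeps a record of what the hijack pointed at.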

Response Number 21
Name: bccamper
Date: October 31, 2006 at 06:15:27 Pacific
Reply:

I tried both the reset tool and the execfix.reg, but neither worked. So I tried safe mode. Here I was able to run the execfix.reg and it gave the two prompts that you should get when loading something into the registry. I could now run hijack. Here are the combo and hijack logs.

ComboFix 06.10.19 - Running from: "D:\"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqdru.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\InprocServer32]
@="C:\\WINDOWS\\system32\\meconf.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\splwid.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ptdx5016.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\InprocServer32]
@="C:\\WINDOWS\\system32\\iZsrad.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrv3is.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkrepl40.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\InprocServer32]
@="C:\\WINDOWS\\system32\\tintsvrp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\InprocServer32]
@="C:\\WINDOWS\\system32\\wpvdmod.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\InprocServer32]
@="C:\\WINDOWS\\system32\\irxmontr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\InprocServer32]
@="C:\\WINDOWS\\system32\\dvauth.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\InprocServer32]
@="C:\\WINDOWS\\system32\\coyptext.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvidle.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\InprocServer32]
@="C:\\WINDOWS\\system32\\kadbene.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\InprocServer32]
@="C:\\WINDOWS\\system32\\SLLSRV32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\InprocServer32]
@="C:\\WINDOWS\\system32\\dlmstor.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\InprocServer32]
@="C:\\WINDOWS\\system32\\dvlay.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\impromon.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\InprocServer32]
@="C:\\WINDOWS\\system32\\rPsrad.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\InprocServer32]
@="C:\\WINDOWS\\system32\\bmackbox.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{627B51D7-5D78-47EB-9923-D0D21F4094C4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{627B51D7-5D78-47EB-9923-D0D21F4094C4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{627B51D7-5D78-47EB-9923-D0D21F4094C4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{627B51D7-5D78-47EB-9923-D0D21F4094C4}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{BDAE74E1-D2B2-426D-89F1-E2781DF85319}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDAE74E1-D2B2-426D-89F1-E2781DF85319}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDAE74E1-D2B2-426D-89F1-E2781DF85319}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDAE74E1-D2B2-426D-89F1-E2781DF85319}\InprocServer32]
@="C:\\WINDOWS\\system32\\ooffilt.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{389817DA-A1E8-47A5-8274-92AF21E3E3A7}]
@=""

[HKEY_CLASSES_ROOT\clsid\{389817DA-A1E8-47A5-8274-92AF21E3E3A7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{389817DA-A1E8-47A5-8274-92AF21E3E3A7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{389817DA-A1E8-47A5-8274-92AF21E3E3A7}\InprocServer32]
@="C:\\WINDOWS\\system32\\mnxml2.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{A0D24765-1358-44A9-AA01-BE4A92BED8C7}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A0D24765-1358-44A9-AA01-BE4A92BED8C7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A0D24765-1358-44A9-AA01-BE4A92BED8C7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A0D24765-1358-44A9-AA01-BE4A92BED8C7}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F774B8E7-4E24-4747-98DA-34E1267D17F4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F774B8E7-4E24-4747-98DA-34E1267D17F4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F774B8E7-4E24-4747-98DA-34E1267D17F4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F774B8E7-4E24-4747-98DA-34E1267D17F4}\InprocServer32]
@="C:\\WINDOWS\\system32\\oyepro32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{E17B0DC2-C49C-4FEB-8599-9615E5FC1EC4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E17B0DC2-C49C-4FEB-8599-9615E5FC1EC4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E17B0DC2-C49C-4FEB-8599-9615E5FC1EC4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E17B0DC2-C49C-4FEB-8599-9615E5FC1EC4}\InprocServer32]
@="C:\\WINDOWS\\system32\\ivmpagnt.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{082509AD-036F-42C9-9E25-1CD1A184AEE1}]
@=""

[HKEY_CLASSES_ROOT\clsid\{082509AD-036F-42C9-9E25-1CD1A184AEE1}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{082509AD-036F-42C9-9E25-1CD1A184AEE1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{082509AD-036F-42C9-9E25-1CD1A184AEE1}\InprocServer32]
@="C:\\WINDOWS\\system32\\dicprop.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{A8F12B90-789E-44EC-95D9-25FF72EF33EF}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A8F12B90-789E-44EC-95D9-25FF72EF33EF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A8F12B90-789E-44EC-95D9-25FF72EF33EF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A8F12B90-789E-44EC-95D9-25FF72EF33EF}\InprocServer32]
@="C:\\WINDOWS\\system32\\pmlstore.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{9C43FAC0-5F87-462B-BD98-CABAEB1DA9D9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9C43FAC0-5F87-462B-BD98-CABAEB1DA9D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9C43FAC0-5F87-462B-BD98-CABAEB1DA9D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9C43FAC0-5F87-462B-BD98-CABAEB1DA9D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\lbcdll.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\ptdx5016.dll
C:\WINDOWS\system32\mkrepl40.dll
C:\WINDOWS\system32\wrv3is.dll
C:\WINDOWS\system32\coyptext.dll
C:\WINDOWS\system32\kadbene.dll
C:\WINDOWS\system32\tintsvrp.dll
C:\WINDOWS\system32\irxmontr.dll
C:\WINDOWS\system32\dlmstor.dll
C:\WINDOWS\system32\ooffilt.dll
C:\WINDOWS\system32\wphip6.dll
C:\WINDOWS\system32\impromon.dll
C:\WINDOWS\system32\pmlstore.dll
C:\WINDOWS\system32\dqound.dll
C:\WINDOWS\system32\nntui1.dll
C:\WINDOWS\system32\nwmsdba.dll
C:\WINDOWS\system32\srnsapi.dll
C:\WINDOWS\system32\wpvdmod.dll
C:\WINDOWS\system32\fbeploy.dll
C:\WINDOWS\system32\dnju0119e.dll
C:\WINDOWS\system32\lbcdll.dll
C:\WINDOWS\system32\oyepro32.dll
C:\WINDOWS\system32\ivmpagnt.dll
C:\WINDOWS\system32\mvl2l93o1.dll
C:\WINDOWS\system32\jt4607hse.dll
C:\WINDOWS\system32\rqhx32.dll
C:\WINDOWS\system32\dicprop.dll
C:\WINDOWS\system32\p88qlil518q.dll
C:\WINDOWS\system32\jOvacypt.dll
C:\WINDOWS\system32\j80s0id7e80.dll
C:\WINDOWS\system32\q4680ejueho80.dll
C:\WINDOWS\system32\fpnq0355e.dll
C:\WINDOWS\system32\lvpo0973e.dll
C:\WINDOWS\system32\l6j8lg1u16.dll
C:\WINDOWS\system32\kt0sl7d71.dll
C:\WINDOWS\system32\j06mlaj11do.dll
C:\WINDOWS\system32\f0j2la1o1d.dll
C:\WINDOWS\system32\dn4u01h9e.dll
C:\WINDOWS\system32\k280lclm1fqa.dll
C:\WINDOWS\system32\r68s0gl7e6q.dll
C:\WINDOWS\system32\mv04l9dq1.dll
C:\WINDOWS\system32\gp80l3lm1.dll
C:\WINDOWS\system32\t6r8lg9u16.dll
C:\WINDOWS\system32\gp08l3du1.dll
C:\WINDOWS\system32\mvn6l95s1.dll
C:\WINDOWS\system32\lvl2093oe.dll
C:\WINDOWS\system32\gp4ml3h11.dll
C:\WINDOWS\system32\l4l6le3s1h.dll
C:\WINDOWS\system32\i2nmlc511f.dll
C:\WINDOWS\system32\h60q0gd5e60.dll


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Mae\Application Data\Sskknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\WZUZI9YH\dfndrff_e_uit[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\012Z4523\dfndrff_e[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\8BP36AV5\drsmartload44a[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\LIR35ACU\drsmartload[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\D1G2GJP3\drsmartload[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\JU43Z98X\deskbar_e[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\K1UR8P2F\kybrdff_e[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\012Z4523\kybrdff_e[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\8PWZKZS7\MTE3NDI6ODoxNg[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\8BP36AV5\nwnmff_e[1].exe
C:\Documents and Settings\Mae\Local Settings\Temporary Internet Files\Content.IE5\V9RW133O\nwnmff_e[1].exe
C:\WINDOWS\offun.exe
C:\WINDOWS\uni_ehhhh.exe
C:\WINDOWS\uninst104.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\Deskbar
C:\Program Files\network monitor


((((((((((((((((((((((((((((((( Files Created from 2020-07-29 to 202006-10-29 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"SDFix"="D:\\sdfix\\SDFix\\RunThis.bat /second"
"Linksys Modem Drivers"="linksys.exe"
"Microsoft Windows"="bootini.exe"
"SRFirstRun"="rundll32 srclient.dll,CreateFirstRunRp"
"SchedulingAgent"="mstinit.exe /firstlogon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"TshootDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\TShoot.dll"
"SstubDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\sstub.dll"
"SniffpolDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\sniffpol.dll"
"OE_WMPDRM_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmstor.dll"
"OE_WMPDRM_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmclien.dll"
"OE_WMPDRM_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\asfsipc.dll"
"OE_WMPDRM_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmv2clt.dll"
"OE_WMPDRM_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\blackbox.dll"
"OE_WMPDRM_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\msnetobj.dll"
"OE_WMPMIndex_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msisam11.dll\""
"OE_WMPMIndex_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mindex.dll\""
"OE_WMPWMDM_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mswmdm.dll\""
"OE_WMPWMDM_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msscp.dll\""
"OE_WMPWMDM_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mspmsp.dll\""
"OE_WMPWMDM_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmdmps.dll\""
"OE_WMPWMDM_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmdmlog.dll\""
"OE_WMPWMDM_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\cewmdm.dll\""
"OE_WMPWMDM_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\mspmspsv.dll"
"OE_WMPWMFSDK_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmstream.dll\""
"OE_WMPWMFSDK_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmnetmgr.dll\""
"OE_WMPWMFSDK_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmidx.ocx\""
"OE_WMPWMFSDK_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvdmod.dll\""
"OE_WMPWMFSDK_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvdmoe.dll\""
"OE_WMPWMFSDK_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmadmod.dll\""
"OE_WMPWMFSDK_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmadmoe.dll\""
"OE_WMPWMFSDK_Install_8"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mpg4dmod.dll\""
"OE_WMPWMFSDK_Install_9"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmsdmod.dll\""
"OE_WMPWMFSDK_Install_10"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmsdmoe.dll\""
"OE_WMPWMFSDK_Install_11"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\laprxy.dll\""
"OE_WMPWMFSDK_Install_12"="\"C:\\WINDOWS\\System32\\logagent.exe\" /RegServer"
"OE_WMPWMFSDK_Install_13"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvcore.dll\""
"OE_WMPWMPCodec_ivf"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\ivfsrc.ax\""
"OE_WMPWMPCodec_wmvax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvds32.ax\""
"OE_WMPWMPCodec_msscrnax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msscds32.ax\""
"OE_WMPWMPCodec_wmv8ax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmv8ds32.ax\""
"OE_WMPWMPCodec_wmv8dmo"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmv8dmod.dll\""
"OE_WMPWMP6_Install_1"="C:\\WINDOWS\\INF\\unregmp2.exe /PreInstall"
"OE_WMPWMP6_Install_2"="C:\\WINDOWS\\INF\\unregmp2.exe /RegUniv"
"OE_WMPWMP6_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\msdxm.ocx"
"OE_WMPWMP6_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\dxmasf.dll"
"OE_WMPWMP7_Install_0"="C:\\WINDOWS\\INF\\unregmp2.exe /MigrateLibrary"
"OE_WMPWMP7_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpcore.dll"
"OE_WMPWMP7_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpui.dll"
"OE_WMPWMP7_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmp.ocx"
"OE_WMPWMP7_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmclien.dll"
"OE_WMPWMP7_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmstor.dll"
"OE_WMPWMP7_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\asfsipc.dll"
"OE_WMPWMP7_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmv2clt.dll"
"OE_WMPWMP7_Install_8"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\blackbox.dll"
"OE_WMPWMP7_Install_9"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpcd.dll"
"OE_WMPWMP7_Install_10"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpshell.dll"
"OE_WMPWMP7_Install_11"="C:\\WINDOWS\\System32\\wmpstub.exe /RegServer"
"OE_WMPWMP7_Install_12"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\Program Files\\Windows Media Player\\wmpvis.dll\""
"OE_WMPWMP7_Install_13"="\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\" /RegServer"
"OE_WMPWMP7_Install_20"="C:\\WINDOWS\\INF\\unregmp2.exe /Shortcuts /RegExts"
"GrpConv"="grpconv -u"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\OEWAB OS Setup]
"OE5_2"="C:\\WINDOWS\\System32\\inetcomm.dll|DllRegisterServer"
"OE5_1"="C:\\Program Files\\Common Files\\System\\directdb.dll|DllRegisterServer"
"OE5_3"="C:\\Program Files\\Outlook Express\\oeimport.dll|DllRegisterServer"
"OE5_4"="C:\\Program Files\\Outlook Express\\oemiglib.dll|DllRegisterServer"
"OE5_5"="C:\\Program Files\\Outlook Express\\msoe.dll|DllRegisterServer"
"OEWABOS_2"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WINNT /INSTALL"
"WAB5_4"="C:\\WINDOWS\\System32\\msoeacct.dll|DllRegisterServer"
"WAB5_1"="C:\\Program Files\\Common Files\\System\\wab32.dll|DllRegisterServer"
"WAB5_2"="C:\\Program Files\\Outlook Express\\wabimp.dll|DllRegisterServer"
"WAB5_3"="C:\\Program Files\\Outlook Express\\wabfind.dll|DllRegisterServer"
"OEWABOS_1"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WINNT /INSTALL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Linksys Modem Drivers"="linksys.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rykegogig.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\pohyd.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e37"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e37"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Linksys Modem Drivers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="linksys"
"hkey"="HKLM"
"command"="linksys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bootini"
"hkey"="HKLM"
"command"="bootini.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_e37"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stonedrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stonedrv"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\stonedrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208833699094]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3208833699094"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3208833699094.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zkaqb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Onhvppb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dtxdh\\Onhvppb.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EFS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 2006-10-30 19:58:12.89
C:\ComboFix.txt ... 2006-10-30 19:58


Logfile of HijackThis v1.99.1
Scan saved at 6:13:57 AM, on 31/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bootini.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDFix] D:\sdfix\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinrpem.exe GEN001
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


0
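The log above shows three things a triage script can catch mechanically: O1 hosts entries sending vendor sites to bogus addresses, the F2 Shell/UserInit values with bootini.exe appended, and the O4 entry for winIogon.exe (capital I in place of l). The Python below is an added example, not code from the thread or from HijackThis; the sample log inside it is constructed from lines in the post above.

```python
"""Triage of HijackThis 1.99 log lines (added example, not from the thread or
from HijackThis). Flags three patterns visible in the log above: O1 hosts
entries pointing security-vendor domains at non-loopback addresses, F2
Shell/UserInit values with an extra executable appended, and O4 Run entries
whose file name imitates a Windows binary or carries no path at all."""
import re

# Vendor domains taken from the O1 lines in the log above.
SECURITY_DOMAINS = ("symantec.com", "symantecliveupdate.com", "mcafee.com",
                    "sophos.com", "kaspersky.com", "avp.com", "viruslist.com",
                    "f-secure.com", "trendmicro.com", "virustotal.com",
                    "jotti.org", "norman.no", "nai.com", "ca.com",
                    "networkassociates.com", "my-etrust.com")
LOOPBACK = ("127.", "0.0.0.0", "::1")

# System binaries whose names malware imitates (winIogon.exe vs winlogon.exe).
LEGIT_NAMES = {"winlogon.exe", "userinit.exe", "explorer.exe", "svchost.exe",
               "lsass.exe", "services.exe", "ctfmon.exe", "smss.exe"}

# What Shell= and UserInit= should contain on Windows XP.
EXPECTED_F2 = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

O1_RE = re.compile(r"O1 - Hosts:\s+(\S+)\s+(\S+)")
F2_RE = re.compile(r"F2 - REG:system\.ini:\s*(Shell|UserInit)=(.*)", re.I)
O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.*)")

def _fold(name):
    """Fold the homoglyphs I/l, 1/l and 0/o so look-alikes compare equal."""
    return name.lower().replace("i", "l").replace("1", "l").replace("0", "o")

_FOLDED_LEGIT = {_fold(n) for n in LEGIT_NAMES}

def is_lookalike(filename):
    """True when filename is not a legitimate name but folds to one."""
    low = filename.lower()
    return low not in LEGIT_NAMES and _fold(low) in _FOLDED_LEGIT

def is_security_domain(host):
    """True when host is one of the vendor domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def _first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage(log_text):
    """Return a list of (section, message) findings for one HJT log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if is_security_domain(host) and not ip.startswith(LOOPBACK):
                findings.append(("O1", f"{host} redirected to {ip}"))
            continue
        m = F2_RE.match(line)
        if m:
            key = m.group(1).lower()
            # Entries are comma- or space-separated; compare file names only.
            names = [e.split("\\")[-1].lower()
                     for e in re.split(r"[ ,]+", m.group(2).strip()) if e]
            extra = [n for n in names if n not in EXPECTED_F2[key]]
            if extra:
                findings.append(("F2", f"{key} has extra entries {extra}"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, subkey, name, cmd = m.groups()
            first = _first_token(cmd)
            exe = first.split("\\")[-1]
            where = f"{hive} {subkey} [{name}]"
            if is_lookalike(exe):
                findings.append(("O4", f"{where} runs look-alike {exe}"))
            elif "\\" not in first and exe.lower() not in LEGIT_NAMES:
                findings.append(("O4", f"{where} runs {exe} with no path"))
    return findings

# Constructed sample made of lines copied from the post above.
SAMPLE_LOG = r"""
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 127.0.0.1 localhost
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(section, msg)
```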

Response Number 22
Name: jabuck
Date: October 31, 2006 at 17:14:54 Pacific
Reply:

Please download Atribune's http://www.atribune.org/public-beta/Look2Me-Destroyer.exe to your desktop. Run in normal mode.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.


Please post the contents of C:\Look2Me-Destroyer.txt.


If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti-Spyware

Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode

Go to start> run> type msconfig in the space provided> choose normal startup> apply> ok.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Boot into safe mode.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe bootini.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe

O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe

O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinrpem.exe GEN001

O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe

O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe

Exit Hijack this but remain in safe mode

Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\bootini.exe

C:\WINDOWS\System32\winIogon.exe

C:\WINDOWS\system32\rwinrpem.exe

C:\WINDOWS\system32\linksys.exe

C:\Program Files\Common Files\fiqz\fiqzm.exe

C:\Program Files\Common Files\fiqz\

C:\Program Files\Dtxdh\Onhvppb.exe

C:\Program Files\Dtxdh\

C:\WINDOWS\win3208833699094.exe

c:\windows\system32\stonedrv.exe

C:\nwnmff_e37.exe

C:\kybrdff_e37.exe

C:\dfndrff_e37.exe

C:\WINDOWS\v1201.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.


Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).

If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.

To remove the O1's in the Hijack This log, download Hoster to your desktop. Once installed click the "Restore Microsofts Original Host File" and nothing else.

Boot back to safe mode.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Boot back to normal mode.

Open notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Linksys Modem Drivers"=-
"Microsoft Windows"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Linksys Modem Drivers"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Linksys Modem Drivers]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stonedrv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208833699094]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zkaqb]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Post the AVG AntiSpyware report on the desktop, a new combofix log and a new Hijack This log please.


0
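Before a REGEDIT4 fix like the one above is merged, it is worth confirming that every value or key it removes actually appears in the ComboFix "Reg Loading Points" dump posted earlier. The Python check below is an added example, not code from the thread or from any tool it names; the dump and fix it embeds are constructed subsets of the ones above, with the Zkaqb key left out of the dump on purpose to show a miss.

```python
"""Cross-check a REGEDIT4 removal script against a ComboFix registry dump.
Added example, not from the thread or from any tool it mentions. REGEDIT4
grammar as in the fix above: "[key]" selects a key, "[-key]" deletes it,
"name"="value" sets a string and "name"=- deletes that value. Registry keys
and value names compare case-insensitively, so both sides are lower-cased."""
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4 / ComboFix "Reg Loading Points" text into operations:
    ("delete_key", key), ("delete_value", key, name) or
    ("set_value", key, name, value). Hex continuation lines and prose are
    skipped; REG_SZ values have their .reg escaping undone."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1]))
            key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1).replace('\\"', '"'), m.group(2)
        if rhs == "-":
            ops.append(("delete_value", key, name))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            ops.append(("set_value", key, name, value))
        else:
            ops.append(("set_value", key, name, rhs))  # dword:/hex: kept raw
    return ops

def load_dump(dump_text):
    """Build {key: {name: value}} with lower-cased keys and names."""
    state = {}
    for op in parse_reg(dump_text):
        if op[0] == "set_value":
            state.setdefault(op[1].lower(), {})[op[2].lower()] = op[3]
    return state

def check_fix(fix_text, dump_text):
    """Return (hits, misses): removals the dump confirms (value hits carry the
    command being removed) and removals with no counterpart in the dump."""
    state = load_dump(dump_text)
    hits, misses = [], []
    for op in parse_reg(fix_text):
        if op[0] == "delete_value":
            _, key, name = op
            value = state.get(key.lower(), {}).get(name.lower())
            if value is None:
                misses.append(("delete_value", key, name))
            else:
                hits.append(("delete_value", key, name, value))
        elif op[0] == "delete_key":
            prefix = op[1].lower()
            if any(k == prefix or k.startswith(prefix + "\\") for k in state):
                hits.append(("delete_key", op[1], None, None))
            else:
                misses.append(("delete_key", op[1], None))
    return hits, misses

# Constructed subset of the ComboFix "Reg Loading Points" section above.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Linksys Modem Drivers"="linksys.exe"
"Microsoft Windows"="bootini.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"command"="C:\\WINDOWS\\v1201.exe"
"""

# Constructed fix from the script above; Zkaqb is deliberately absent from
# SAMPLE_DUMP so that the miss path is exercised.
SAMPLE_FIX = r"""REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"fiqz"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Linksys Modem Drivers"=-
"Microsoft Windows"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zkaqb]
"""

if __name__ == "__main__":
    print(check_fix(SAMPLE_FIX, SAMPLE_DUMP))
```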

Response Number 23
Name: bccamper
Date: October 31, 2006 at 18:28:39 Pacific
Reply:

I ran the Look2Me-Destroyer and it seemed to work except I got a copy error 53. I clicked ok and it seemed to continue. The machine shut down as you stated but now it is back to the old problem where it just keeps rebooting. Do I need to do the repair again and if I do will that undo what look2me did?


0

Response Number 24
Name: jabuck
Date: October 31, 2006 at 18:36:35 Pacific
Reply:

Yes, do the repair, then continue.


0

Response Number 25
Name: bccamper
Date: October 31, 2006 at 18:39:50 Pacific
Reply:

Okay, and when that is finished do I run the look2me again or continue with the step after that?


0

Response Number 26
Name: jabuck
Date: October 31, 2006 at 18:50:11 Pacific
Reply:

Continue at "Download ATF-Cleaner" and make sure that firewall is turned on.


0

Response Number 27
Name: bccamper
Date: November 1, 2006 at 05:19:44 Pacific
Reply:

jabuck, an update of where I am at. I finished the repair and continued on with the hijack. I had to run hijack twice as the first time the two F2's did not get cleaned up. I then ran killbox but was a little confused and not sure if I ran it correctly. I ran it, clicked 'Delete on reboot' and then clicked on the all files button. I then went to Win Explorer and for each file I right clicked on the file and then clicked copy. I then went back to killbox and chose paste from clipboard from the file menu. Nothing seems to happen and when I click the red and white delete button it says I have not specified any file to delete. Also I was unable to install AVG. I have it on a cd but as soon as I click the directory in Explorer, Explorer closes. If I do start-->run and then choose the program it runs for a few seconds and then dies. I went to google.ca but as soon as I put 'AVG free scanner' in the search IE closes.


0

Response Number 28
Name: bccamper
Date: November 1, 2006 at 06:08:51 Pacific
Reply:

jabuck, I looked at the help web page for killbox and tried to load each file one at a time and then hit the red and white delete button for each file. For each file I got a message that said 'file will be deleted on reboot, do you want to reboot now'. I didn't say yes until the last file. I then ran Hoster. It told me that my hosts file was not writable and asked if it was okay to make it so. When I went into the program I also had to click a button to make it writable. After this it seemed to restore Microsoft's original file. It did however tell me that the attributes will not be restored so I will have to do that after.

Next I ran ATF Cleaner. It finished okay. Nice program!! Now I tried to install AVG again. It looked like it was going to work until I noticed it was uninstalling and then failed on a message 'local machine: installation failed. Error action failed for file avgamsvr.exe starting service ... Access is denied (5)'


0

Response Number 29
Name: jabuck
Date: November 1, 2006 at 21:22:56 Pacific
Reply:

Please download Brute Force Uninstaller
Unzip it to its own folder (c:\BFU)

Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner.
In the "Download BFU script..." window, copy and paste the following and then click OK:

http://metallica.geekstogo.com/alcanshorty.bfu

You should see the file alcanshorty.bfu appear in the bfu folder next to BFU.exe.

Reboot into safe mode.

Open the bfu folder and double click BFU.exe.
To select the scriptfile to execute, first double click the folder icon to the left of the globe.
You should now see a window containing alcanshorty.bfu, simply double click it.
Finally, click the Execute button to begin.

When the tool has finished running, you will get a "BFU" window with the message "Completed script execution", click on OK.

Run Hoster and see if you can run AVG_AntiSpyware and post a new combofix log and a Hijack This log.


0

Response Number 30
Name: bccamper
Date: November 2, 2006 at 15:56:00 Pacific
Reply:

jabuck I still can't install AVG. I still get the same message about access denied trying to start the avgamsvr service. Also I got a screen this time when I rebooted from Messenger Service saying my registry is corrupt and that I should go to www.registrycleanerxp.com and install the program. Should I do this? I have a print screen of everything if there is a way to send it to you.


0

Response Number 31
Name: bccamper
Date: November 2, 2006 at 16:04:29 Pacific
Reply:

I was finally able to get Panda software to run. It has found over 80 virus infected files so far. I also have another window from Messenger Service telling me to go to www.regfixit.com.


0

Response Number 32
Name: jabuck
Date: November 2, 2006 at 16:16:34 Pacific
Reply:

Were you able to run brute force uninstaller?



0

Response Number 33
Name: bccamper
Date: November 2, 2006 at 17:28:12 Pacific
Reply:

Yes I was. I left while the Panda software was running and when I came back it looked like the machine had half rebooted. Now whether I go into safe mode or not the desktop never appears. Do I have to repair again?


0

Response Number 34
Name: jabuck
Date: November 2, 2006 at 17:37:50 Pacific
Reply:

Try to open task manager. Press ctrl, alt, delete and see if it will open. If so go to file> run new task> type "explorer.exe" , without the quotes, in the space provided> click ok. If it boots post a Hijack This log and a combofix log.


0

Response Number 35
Name: bccamper
Date: November 2, 2006 at 18:00:13 Pacific
Reply:

It says explorer is not a valid Win32 application.


0

Response Number 36
Name: jabuck
Date: November 2, 2006 at 18:10:39 Pacific
Reply:

Run the repair once again then post a Hijack This log and a Combofix log please.


0

Response Number 37
Name: bccamper
Date: November 2, 2006 at 18:56:49 Pacific
Reply:

Here is the hijack log. Combofix encounters an error every time I run it and has to close.


Logfile of HijackThis v1.99.1
Scan saved at 6:52:27 PM, on 02/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {F2004E53-6676-4A86-A437-6F1269A7056D} - C:\Program Files\ComPlus Applications\poces.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [Zkaqb] C:\Program Files\Dtxdh\Onhvppb.exe
O4 - HKLM\..\Run: [win3208833699094] C:\WINDOWS\win3208833699094.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e46a.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e46.exe
O4 - HKLM\..\Run: [MSNS PLUS XP2] ejtwkr.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\RunServices: [MSNS PLUS XP2] ejtwkr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int...
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


0

Response Number 38
Name: bccamper
Date: November 2, 2006 at 19:00:21 Pacific
Reply:

I also have the following exe's in my root dir again.

19/09/2006 11:00 AM 251,352 deskbar.exe
02/11/2006 04:13 PM 442,368 windows.exe
02/11/2006 04:47 PM 73,728 drsmartload.exe
01/11/2006 04:35 AM 38,400 DXC9.exe
01/11/2006 04:35 AM 274,432 yz02.exe
02/11/2006 03:42 PM 696,561 deskbar_e46.exe
02/11/2006 03:42 PM 438,272 dfndrff_e46a.exe
02/11/2006 03:42 PM 36,864 mc44a46.exe
02/11/2006 03:42 PM 380,928 kybrdff_e46.exe
01/11/2006 04:36 AM 30,737 MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
02/11/2006 03:38 PM 376,832 nwnmff_e46.exe


0

Response Number 39
Name: jabuck
Date: November 2, 2006 at 19:29:26 Pacific
Reply:

First make sure your firewall is turned on. Go to add/remove programs and uninstall SurfSideKick if found.

Please download Brute Force Uninstaller
Unzip it to its own folder (c:\BFU)

Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner.
In the "Download BFU script..." window, copy and paste the following and then click OK:

http://metallica.geekstogo.com/alcanshorty.bfu

You should see the file alcanshorty.bfu appear in the bfu folder next to BFU.exe.

Reboot into safe mode.

Open the bfu folder and double click BFU.exe.
To select the scriptfile to execute, first double click the folder icon to the left of the globe.
You should now see a window containing alcanshorty.bfu, simply double click it.
Finally, click the Execute button to begin.

Post a new Hijack This log please.

When the tool has finished running, you will get a "BFU" window with the message "Completed script execution", click on OK.


0

Response Number 40
Name: bccamper
Date: November 2, 2006 at 19:52:50 Pacific
Reply:

Followed these instructions:

Open Network Connections
Click the Dial-up, LAN or High-Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
On the Advanced tab, under Internet Connection Firewall, select one of the following:
To enable Internet Connection Firewall (ICF), select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.


When I click the check box I get an error:


An error occurred while internet sharing was being enabled. The specified service does not exist as an installed service.


0

Response Number 41
Name: jabuck
Date: November 2, 2006 at 20:06:55 Pacific
Reply:

Because the computer does not have SP2 on it yet, the firewall is not installed yet. Run Brute Force Uninstaller anyway.


0

Response Number 42
Name: bccamper
Date: November 2, 2006 at 20:30:17 Pacific
Reply:

Okay I ran it. It finishes but quite often now I am getting an NT System message that says the machine is going to shut down because the Remote Procedure Call service terminated unexpectedly.

Is it time to format the drive and reinstall a clean copy?


0

Response Number 43
Name: jabuck
Date: November 3, 2006 at 04:08:18 Pacific
Reply:

You still have Deluxe Communications, New.net, 3 viruses and you have picked up msblast since last night which is giving you the RPC error, so formatting is up to you.

We have to see the HT and combofix logs after each removal to help determine the procedure for removing the baddies and internet access has to be minimized to specific sites.

Should you choose to continue, go online with the infected computer and in a search engine type in "msblast removal", go to the Symantec site and run their removal tool.

Then search for "free zone alarm firewall" and install it.

Go to this link and run the "deluxe communication removal tool" http://www.bleepingcomputer.com/forums/topic66364.html

Go add/remove programs and uninstall new.net , if it still shows up in the HJT log go to this link and run the uninstaller http://forums.spywareinfo.com/lofiversion/index.php/t87147.html

Post your HJT log and a combofix log.


0

Response Number 44
Name: bccamper
Date: November 3, 2006 at 08:53:54 Pacific
Reply:

So jabuck, are you saying that I should refrain from having the computer connected to the internet? I was doing this before, trying to download any software from another machine and copying it onto a floppy or a cd. Unfortunately it seemed that BFU had to have the machine connected to the internet. I will continue with it over the weekend to see if we can resolve it and try not to connect the machine to the internet to avoid further problems.


0

Response Number 45
Name: jabuck
Date: November 3, 2006 at 14:46:30 Pacific
Reply:

May not look like it but there are signs of improvement, so you are doing well. Just need to keep the internet to a minimum with the firewall not installed as you are picking up new baddies, we will need it connected to the internet with some cleaners. Once you get it installed be sure to update the AV then you should be ok.

All the Microsoft updates are not installed and that makes for more holes, but we should install them last as it takes some time unless you have high speed.

If you have run "Brute Force" and have the firewall installed post the Hijack This and Combofix logs.


0

Response Number 46
Name: bccamper
Date: November 3, 2006 at 16:19:06 Pacific
Reply:

Here is the hijack log. I am unable to send the Combo log at this time because after running it the computer continues to reboot itself. I need to do the repair again and then I will send it.

Logfile of HijackThis v1.99.1
Scan saved at 16:06, on 06-11-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\csrs.exe
C:\WINDOWS\System32\spooIsv.exe
C:\WINDOWS\System32\lssas.exe
C:\WINDOWS\System32\mslaugh.exe
C:\Program Files\Shaw Secure\Common\FSMA32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shaw Secure\Common\FSMB32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Shaw Secure\Common\FCH32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.exe
C:\WINDOWS\System32\wins\DLLHOST.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rasautou.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyoun...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyoun...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyoun...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {F2004E53-6676-4A86-A437-6F1269A7056D} - C:\Program Files\ComPlus Applications\poces.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [Zkaqb] C:\Program Files\Dtxdh\Onhvppb.exe
O4 - HKLM\..\Run: [win3208833699094] C:\WINDOWS\win3208833699094.exe
O4 - HKLM\..\Run: [MSNS PLUS XP2] ejtwkr.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\RunServices: [MSNS PLUS XP2] ejtwkr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\RunServices: [Creative Audio Drivers] creative.exe
O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msi32info.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int...
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe



0
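
The two HijackThis logs in responses 37 and 46 show the pattern a helper reads for by eye: process names one character off a real system binary (csrs.exe, spooIsv.exe with a capital I, lssas.exe, algs.exe), autorun entries that name a bare file with no path, a WINS "service" running DLLHOST.exe from a subfolder, an AppInit_DLLs hook and a Winsock LSP hijack. The script below is an added example that automates that triage; it is not part of this thread, HijackThis or ComboFix. The list of system binaries, the folders they are expected to live in, and the per-section rules are assumptions chosen for a default Windows XP install, and the sample log is a constructed excerpt assembled from lines quoted in the thread.

```python
"""Triage helper for HijackThis-style logs (example code added to this thread,
not part of HijackThis or ComboFix; rule set is an assumption for Windows XP)."""
import re

# Core Windows XP binaries that the malware in this thread imitates by name.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
    "rundll32.exe", "alg.exe", "dllhost.exe",
}
# Folders where those binaries live on a default XP install (assumption).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so lssas.exe is a single step from lsass.exe."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(filename):
    """Return the system binary that `filename` imitates (exactly one edit
    away), or None if it is a genuine system name or resembles nothing."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if osa_distance(name, real) == 1:
            return real
    return None


def parse_hjt(text):
    """Split a HijackThis log into its running-process paths and R/O lines."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process list
        elif re.match(r"^[RO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def check_process(path):
    """Flag a process that imitates a system binary or runs one from the wrong folder."""
    folder, _, name = path.rpartition("\\")
    real = lookalike_of(name)
    if real:
        return f"{name} imitates {real}"
    if name.lower() in SYSTEM_BINARIES and folder.lower() not in SYSTEM_DIRS:
        return f"{name} running from unexpected folder {folder}"
    return None


O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")


def check_entry(entry):
    """Apply one rule per HijackThis section; return a finding or None."""
    m = O4_RE.match(entry)
    if m:
        _key, label, cmd = m.groups()
        if "\\" not in cmd:  # legitimate autoruns carry a full path
            return f"O4 [{label}] starts '{cmd}' without a full path"
        name = cmd.strip('"').split()[0].rpartition("\\")[2]
        real = lookalike_of(name)
        return f"O4 [{label}] starts {name}, which imitates {real}" if real else None
    if entry.startswith("O10 - Hijacked"):
        return "O10 Winsock LSP hijack: " + entry[6:]
    if entry.startswith("O20 - AppInit_DLLs:") and entry.split(":", 1)[1].strip():
        return "O20 " + entry[6:] + " (loaded into every process that maps user32.dll)"
    if entry.startswith("O23 - Service:") and "Unknown owner" in entry:
        return "O23 service with no publisher: " + entry[15:]
    return None


def triage(log_text):
    """Return every finding for a log: process findings first, then R/O lines."""
    processes, entries = parse_hjt(log_text)
    findings = [f for f in map(check_process, processes) if f]
    findings += [f for f in map(check_entry, entries) if f]
    return findings


# Constructed excerpt, assembled from lines quoted in this thread's logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\csrs.exe
C:\WINDOWS\System32\spooIsv.exe
C:\WINDOWS\System32\lssas.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\wins\DLLHOST.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\RunServices: [MSNS PLUS XP2] ejtwkr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)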

Response Number 47
Name: bccamper
Date: November 3, 2006 at 16:46:46 Pacific
Reply:

jabuck I have finished the repair and I uninstalled news.net which was listed under add/remove programs. I am now going to install Zonealarm.


0

Response Number 48
Name: bccamper
Date: November 3, 2006 at 16:53:16 Pacific
Reply:

Here is the combo log;

ComboFix 06.10.19 - Running from: "D:\"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Mae\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Mae\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Dxcuknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\DeluxeCommunications\Dxc.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\teller2.chk
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\RDFX4.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011/03/2006 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"Zkaqb"="C:\\Program Files\\Dtxdh\\Onhvppb.exe"
"win3208833699094"="C:\\WINDOWS\\win3208833699094.exe"
"MSNS PLUS XP2"="ejtwkr.exe"
"Client Server Runtime Process"="C:\\WINDOWS\\System32\\csrs.exe"
"Spooler SubSystem App"="C:\\WINDOWS\\System32\\spooIsv.exe"
"Local Security Authority Service"="C:\\WINDOWS\\System32\\lssas.exe"
"Windows Automation"="mslaugh.exe"
"Winamp Agent"="C:\\WINDOWS\\System32\\winamp.exe"
"Application Layer Gateway Service"="C:\\WINDOWS\\System32\\algs.exe"
"Microsoft (R) Windows Update Manager"="C:\\WINDOWS\\update\\updmgr.exe"
"SRFirstRun"="rundll32 srclient.dll,CreateFirstRunRp"
"SchedulingAgent"="mstinit.exe /firstlogon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"TshootDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\TShoot.dll"
"SstubDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\sstub.dll"
"SniffpolDLL_Reg"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\help\\sniffpol.dll"
"OE_WMPDRM_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmstor.dll"
"OE_WMPDRM_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmclien.dll"
"OE_WMPDRM_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\asfsipc.dll"
"OE_WMPDRM_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmv2clt.dll"
"OE_WMPDRM_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\blackbox.dll"
"OE_WMPDRM_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\msnetobj.dll"
"OE_WMPMIndex_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msisam11.dll\""
"OE_WMPMIndex_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mindex.dll\""
"OE_WMPWMDM_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mswmdm.dll\""
"OE_WMPWMDM_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msscp.dll\""
"OE_WMPWMDM_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mspmsp.dll\""
"OE_WMPWMDM_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmdmps.dll\""
"OE_WMPWMDM_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmdmlog.dll\""
"OE_WMPWMDM_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\cewmdm.dll\""
"OE_WMPWMDM_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\mspmspsv.dll"
"OE_WMPWMFSDK_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmstream.dll\""
"OE_WMPWMFSDK_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmnetmgr.dll\""
"OE_WMPWMFSDK_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmidx.ocx\""
"OE_WMPWMFSDK_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvdmod.dll\""
"OE_WMPWMFSDK_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvdmoe.dll\""
"OE_WMPWMFSDK_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmadmod.dll\""
"OE_WMPWMFSDK_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmadmoe.dll\""
"OE_WMPWMFSDK_Install_8"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\mpg4dmod.dll\""
"OE_WMPWMFSDK_Install_9"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmsdmod.dll\""
"OE_WMPWMFSDK_Install_10"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmsdmoe.dll\""
"OE_WMPWMFSDK_Install_11"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\laprxy.dll\""
"OE_WMPWMFSDK_Install_12"="\"C:\\WINDOWS\\System32\\logagent.exe\" /RegServer"
"OE_WMPWMFSDK_Install_13"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvcore.dll\""
"OE_WMPWMPCodec_ivf"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\ivfsrc.ax\""
"OE_WMPWMPCodec_wmvax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmvds32.ax\""
"OE_WMPWMPCodec_msscrnax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\msscds32.ax\""
"OE_WMPWMPCodec_wmv8ax"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmv8ds32.ax\""
"OE_WMPWMPCodec_wmv8dmo"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\WINDOWS\\System32\\wmv8dmod.dll\""
"OE_WMPWMP6_Install_1"="C:\\WINDOWS\\INF\\unregmp2.exe /PreInstall"
"OE_WMPWMP6_Install_2"="C:\\WINDOWS\\INF\\unregmp2.exe /RegUniv"
"OE_WMPWMP6_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\msdxm.ocx"
"OE_WMPWMP6_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\dxmasf.dll"
"OE_WMPWMP7_Install_0"="C:\\WINDOWS\\INF\\unregmp2.exe /MigrateLibrary"
"OE_WMPWMP7_Install_1"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpcore.dll"
"OE_WMPWMP7_Install_2"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpui.dll"
"OE_WMPWMP7_Install_3"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmp.ocx"
"OE_WMPWMP7_Install_4"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmclien.dll"
"OE_WMPWMP7_Install_5"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmstor.dll"
"OE_WMPWMP7_Install_6"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\asfsipc.dll"
"OE_WMPWMP7_Install_7"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\drmv2clt.dll"
"OE_WMPWMP7_Install_8"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\blackbox.dll"
"OE_WMPWMP7_Install_9"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpcd.dll"
"OE_WMPWMP7_Install_10"="C:\\WINDOWS\\System32\\regsvr32 /s C:\\WINDOWS\\System32\\wmpshell.dll"
"OE_WMPWMP7_Install_11"="C:\\WINDOWS\\System32\\wmpstub.exe /RegServer"
"OE_WMPWMP7_Install_12"="C:\\WINDOWS\\System32\\regsvr32 /s \"C:\\Program Files\\Windows Media Player\\wmpvis.dll\""
"OE_WMPWMP7_Install_13"="\"C:\\Program Files\\Windows Media Player\\wmplayer.exe\" /RegServer"
"OE_WMPWMP7_Install_20"="C:\\WINDOWS\\INF\\unregmp2.exe /Shortcuts /RegExts"
"GrpConv"="grpconv -u"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\OEWAB OS Setup]
"OE5_2"="C:\\WINDOWS\\System32\\inetcomm.dll|DllRegisterServer"
"OE5_1"="C:\\Program Files\\Common Files\\System\\directdb.dll|DllRegisterServer"
"OE5_3"="C:\\Program Files\\Outlook Express\\oeimport.dll|DllRegisterServer"
"OE5_4"="C:\\Program Files\\Outlook Express\\oemiglib.dll|DllRegisterServer"
"OE5_5"="C:\\Program Files\\Outlook Express\\msoe.dll|DllRegisterServer"
"OEWABOS_2"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WINNT /INSTALL"
"WAB5_4"="C:\\WINDOWS\\System32\\msoeacct.dll|DllRegisterServer"
"WAB5_1"="C:\\Program Files\\Common Files\\System\\wab32.dll|DllRegisterServer"
"WAB5_2"="C:\\Program Files\\Outlook Express\\wabimp.dll|DllRegisterServer"
"WAB5_3"="C:\\Program Files\\Outlook Express\\wabfind.dll|DllRegisterServer"
"OEWABOS_1"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WINNT /INSTALL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSNS PLUS XP2"="ejtwkr.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rykegogig.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\pohyd.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EFS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Fri 11/03/2006 16:33:54.67
C:\ComboFix.txt ... 11/03/2006 16:33


0

Response Number 49
Name: bccamper
Date: November 3, 2006 at 16:56:04 Pacific
Reply:

I now have ZoneAlarm installed. However, I have not checked for any updates as I do not have the internet connected. Can updates for ZoneAlarm be downloaded on another computer and then updated, like AVG allows you to do?


0

Response Number 50
Name: jabuck
Date: November 3, 2006 at 19:48:02 Pacific
Reply:

Get online and update the firewall.

Download and install AVG antivirus from this link (AVG Antivirus), then update it.

Run the New.Net uninstaller in response 43.

Go to start > control panel > software > add/remove programs and uninstall the following if present:
SaveNow
WhenUSave (or anything with WhenU in it)
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.

If OIN is not listed, download and run this uninstaller: OiUninstaller.exe

Reboot when done! Really important!

Run Hijack This from normal mode, close all windows and browsers except Hijack This, and place a check to the left of the following items (some will reappear; we will deal with them later):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyoun...

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyoun...

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyoun...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll

O2 - BHO: (no name) - {F2004E53-6676-4A86-A437-6F1269A7056D} - C:\Program Files\ComPlus Applications\poces.dll

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKLM\..\Run: [Zkaqb] C:\Program Files\Dtxdh\Onhvppb.exe

O4 - HKLM\..\Run: [win3208833699094] C:\WINDOWS\win3208833699094.exe

O4 - HKLM\..\Run: [MSNS PLUS XP2] ejtwkr.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe

O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe

O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe

O4 - HKLM\..\RunServices: [MSNS PLUS XP2] ejtwkr.exe

O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"

O4 - HKCU\..\Run: [Linksys Modem Drivers] linksys.exe

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe

O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\RunServices: [Creative Audio Drivers] creative.exe

O4 - HKCU\..\RunServices: [Ms Java for Windows NT] msi32info.exe

O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {00330010-0000-0000-0000-000020160010} - http://207.234.185.217/ABoxInst_int...

O20 - AppInit_DLLs: dxclib303562752.dll

O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.exe

O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

Exit Hijack This

Post a new Hijack This and Combofix log please.



0
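The list above mixes genuine Windows component names with binaries that are one or two characters off the real file (csrs.exe for csrss.exe, spooIsv.exe with a capital I for spoolsv.exe, lssas.exe for lsass.exe, algs.exe for alg.exe) and entries that give no directory at all, so the name is resolved through the search path at logon. As an added example, not part of the thread, of HijackThis or of ComboFix, the Python below parses O4 and O23 lines of this shape and reports those two patterns plus services with no recorded vendor. The sample lines are copied from the post; the reference list of legitimate binaries and the two-edit threshold are this example's own assumptions.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines for look-alike names.

Added example for this thread; it is not part of HijackThis, ComboFix or the
posted logs. The sample lines are copied from the thread; the reference list of
legitimate Windows binaries and the two-edit threshold are assumptions.
"""
import re
from typing import Dict, List, Optional

# Windows XP system binaries that several autostart entries in the thread imitate
# (constructed reference list; the real files live in %SystemRoot%\system32).
LEGIT_SYSTEM_BINARIES = (
    "alg.exe", "csrss.exe", "dllhost.exe", "lsass.exe", "services.exe",
    "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe", "wuauclt.exe",
)

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.*)$")

SAMPLE_LINES = [  # copied from the HijackThis lines quoted in the thread
    r"O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe",
    r"O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe",
    r"O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe",
    r"O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe",
    r"O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.exe",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def binary_from_command(cmd: str) -> str:
    """Return the program path from a Run-key or service command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths with spaces are common in these logs: take up to the first
    # ".exe" boundary, else the first token (e.g. "rundll32 <dll>,<entry>").
    m = re.match(r'(?i)(.+?\.exe)(?=[\s"]|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def lookalike_of(filename: str) -> Optional[str]:
    """Legitimate name within two edits of filename; None if exact or unrelated."""
    name = filename.lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    ranked = sorted(LEGIT_SYSTEM_BINARIES, key=lambda legit: (levenshtein(name, legit), legit))
    return ranked[0] if levenshtein(name, ranked[0]) <= 2 else None


def triage_line(line: str) -> List[str]:
    """Findings for one HijackThis line; empty list when nothing stood out."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    path = binary_from_command(m.group("cmd"))
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    findings = []
    legit = lookalike_of(filename)
    if legit:
        findings.append(f"{filename}: one or two edits away from system binary {legit}")
    if "\\" not in path:
        findings.append(f"{filename}: bare file name, resolved through the search path at logon")
    if "owner" in m.groupdict() and m.group("owner") == "Unknown owner":
        findings.append(f"{filename}: service with no recorded vendor, verify the binary")
    return findings


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map every recognised O4/O23 line to its findings (clean lines map to [])."""
    return {line: triage_line(line) for line in lines if O4_RE.match(line) or O23_RE.match(line)}


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LINES).items():
        print(line)
        for finding in findings:
            print("   ->", finding)
```

The legitimate ZoneAlarm entry in the sample produces no findings, which is the point of the check: a short distance to a real system name, or a name with no directory, is what separates the suspect lines from the rest of the list.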

Response Number 51
Name: bccamper
Date: November 3, 2006 at 23:22:58 Pacific
Reply:

Sorry Jabuck, by "update the firewall" are you referring to ZoneAlarm?


0

Response Number 52
Name: bccamper
Date: November 4, 2006 at 00:09:34 Pacific
Reply:

The following programs are asking for access to the internet through ZoneAlarm:

lsssas.exe, spoolsv.exe, updmgr.exe, dllhost.exe, csrs.exe, mslaugh.exe, iexplore.exe, project1. I would guess some are a definite no, but are any okay to allow?


0

Response Number 53
Name: bccamper
Date: November 4, 2006 at 01:00:53 Pacific
Reply:

jabuck, I updated ZoneAlarm and ran nnuninstall. None of the items you listed were on my list when I looked in add/remove programs. I then ran OiUninstaller, rebooted and then ran hijack and cleaned up the entries. I am now posting a new hijack log and combo log. I am still unable to install AVG because of the service not wanting to start.


Logfile of HijackThis v1.99.1
Scan saved at 00:45, on 06-11-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Shaw Secure\Common\FSMA32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shaw Secure\Common\FSMB32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\wins\DLLHOST.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\Program Files\Shaw Secure\Common\FCH32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

ComboFix 06.10.19 - Running from: "D:\"



0

Response Number 54
Name: jabuck
Date: November 4, 2006 at 07:41:52 Pacific
Reply:

Looks better. Download, install and update this free antivirus http://www.free-av.com/antivirus/allinonen.html


0

Response Number 55
Name: bccamper
Date: November 4, 2006 at 09:06:36 Pacific
Reply:

I am unable to get to any internet pages even though I have a connection and can ping things like www.google.com. I am downloading Avira from another machine and will try to install it.


0

Response Number 56
Name: bccamper
Date: November 4, 2006 at 09:39:56 Pacific
Reply:

Internet is now working. It helps if you reconnect the internet cable from the night before.


0

Response Number 57
Name: bccamper
Date: November 4, 2006 at 09:42:30 Pacific
Reply:

I downloaded and tried to install Avira. It extracts to a directory called RarSFX0. When it has completed extracting, a message comes up saying 'the crc sum of upgrade.exe has been changed. This could be due to a virus. Do you want to shutdown setup.' It only gives me an OK button.


0

Response Number 58
Name: jabuck
Date: November 4, 2006 at 09:50:53 Pacific
Reply:

That is probably your firewall. Right click the ZA icon on your task bar > program control on left of page > program tab. From here there should be nothing "green checked" in the left column headed "Server". In the right column headed "Access" click on "Generic Host Process for WIN32 services"; under "Access" allow (trusted and internet) and under "Server" allow (trusted), don't allow internet.

Next, under "Access" allow these for trusted and internet.

Spooler Subsystem App

TCP/IP Ping Command

Windows NT Logon Application

Windows Installer

Services and Controller App

Run a Dll as an App

Any Java's

Internet Explorer

Then try to get on the internet.


0

Response Number 59
Name: bccamper
Date: November 4, 2006 at 09:58:03 Pacific
Reply:

Okay under Server I actually have Generic Host Process for Win32 Services with a green check under the trusted column.


0

Response Number 60
Name: bccamper
Date: November 4, 2006 at 10:06:27 Pacific
Reply:

Spooler Subsystem App - don't seem to have this, although I do have spoolsv.exe - is this the same?

TCP/IP Ping Command - trusted and internet already checked under access

Windows NT Logon Application - trusted and internet already checked under access

Windows Installer - don't have this one

Services and Controller App - trusted and internet already checked under access

Run a Dll as an App - had to turn this one on in both places.

Any Java's - don't see any of these

Internet Explorer - had to turn this on in both places

We might be mixed up here a bit on the timing of the messages going back and forth. I am on the internet but am currently having a problem with the CRC sum when installing Avira.

I was getting lots of pop-ups as well, so I ran Ad-Aware SE. Got rid of about 40 items.



0

Response Number 61
Name: bccamper
Date: November 4, 2006 at 12:03:30 Pacific
Reply:

I can get a copy of McAfee from work. Would this be worthwhile?


0

Response Number 62
Name: bccamper
Date: November 4, 2006 at 12:23:43 Pacific
Reply:

jabuck, I ran a scan from pandasoftware. According to the scan it found over 1000 files infected by a virus. Not sure if this is accurate or not. Anyway, it ran until it had scanned about 50000 files and then it died, and once again I have no desktop, so I am doing another repair.


0

Response Number 63
Name: jabuck
Date: November 4, 2006 at 13:18:03 Pacific
Reply:

Can you access the internet now?

We still have a few things to clean up.

In this order post a combofix log and a Hijack This log please.


0

Response Number 64
Name: bccamper
Date: November 4, 2006 at 13:28:24 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 13:19, on 06-11-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Shaw Secure\Common\FSMA32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shaw Secure\Common\FSMB32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Shaw Secure\Common\FCH32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe



0

Response Number 65
Name: bccamper
Date: November 4, 2006 at 13:30:52 Pacific
Reply:

ComboFix 06.10.19 - Running from: "D:\"

((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-04 12:34 40,960 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-11-04 12:34 15,360 --a------ C:\WINDOWS\system32\mstinit.exe
2006-11-04 12:33 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-11-04 12:33 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-11-04 12:33 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-11-04 12:33 61,952 --a------ C:\WINDOWS\system32\rdshost.exe
2006-11-04 12:33 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-11-04 12:33 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-11-04 12:33 534,016 --a------ C:\WINDOWS\system32\spider.exe
2006-11-04 12:33 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-11-04 12:33 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-11-04 12:33 41,984 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-11-04 12:33 40,448 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-11-04 12:33 385,536 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-04 12:33 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2006-11-04 12:33 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-11-04 12:33 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-11-04 12:33 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-11-04 12:33 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2006-11-04 12:33 179,200 --a------ C:\WINDOWS\system32\accwiz.exe
2006-11-04 12:33 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-11-04 12:33 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-11-04 12:33 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-11-04 12:33 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-11-04 12:33 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-11-04 12:33 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-11-04 12:33 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-11-04 12:33 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-11-04 12:33 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-11-04 12:33 135,680 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-11-04 12:33 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-11-04 12:33 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-11-04 12:33 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-11-04 12:33 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-11-04 12:33 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2006-11-04 12:33 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-11-04 12:33 112,128 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-11-04 12:33 11,776 --a------ C:\WINDOWS\system32\msdtc.exe
2006-11-04 12:31 29,696 --a------ C:\WINDOWS\system32\devldr32.exe
2006-11-04 12:31 19,017 --a------ C:\WINDOWS\system32\drivers\RTL8029.sys
2006-11-04 12:30 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-11-04 12:30 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-11-02 20:16 199,680 --ah----- C:\WINDOWS\system32\vjjsriv.exe
2006-11-02 20:09 442,368 --a------ C:\windows.exe
2006-11-02 19:55 200,704 --ah----- C:\WINDOWS\system32\mzevzta.exe
2006-11-01 04:38 188,928 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-01 04:35 56,320 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-10-30 20:19 130 --a------ C:\WINDOWS\system32\jbuyzwmx.bat
2006-10-30 19:55 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-10-30 19:55 197,632 --a------ C:\WINDOWS\system32\termsrv.dll
2006-10-25 16:41 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2006-10-25 16:41 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2006-10-25 16:41 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2006-10-25 16:41 266,112 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2006-10-25 16:41 18,432 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2006-10-25 16:41 13,568 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2006-10-25 16:41 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-25 16:41 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2006-10-21 16:46 77,824 --a------ C:\WINDOWS\logon.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 12:14 102400 --a------ C:\WINDOWS\ScUnin.exe
2006-11-04 12:11 98304 --a------ C:\WINDOWS\unvise32.exe
2006-11-04 12:11 65536 --a------ C:\WINDOWS\uneng.exe
2006-11-04 12:11 51712 --a------ C:\WINDOWS\setdebug.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\Q330994.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\oeuninst.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\ieuninst.exe
2006-11-04 12:11 38912 --a------ C:\WINDOWS\muninst.exe
2006-11-04 12:11 36864 --a------ C:\WINDOWS\eTEZDSCl.exe
2006-11-04 12:07 43520 --a------ C:\WINDOWS\system32\MAPISRVR.exe
2006-11-04 12:07 28672 --a------ C:\WINDOWS\system32\drload.exe
2006-11-04 12:07 202752 --ah----- C:\WINDOWS\system32\spooIsv.exe
2006-11-04 12:07 177152 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-04 12:07 125440 --ahs---- C:\WINDOWS\system32\msi32info.exe
2006-11-04 12:06 54784 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-04 12:06 36352 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-11-04 12:06 20480 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-04 12:06 177664 --a------ C:\WINDOWS\system32\jview.exe
2006-11-04 11:53 -------- d-------- C:\Program Files\Java
2006-10-30 20:20 976 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-29 12:03 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-10-29 11:53 -------- d-------- C:\Program Files\Spyware Nuker
2006-10-29 11:48 -------- d-------- C:\Program Files\Uniblue
2006-10-25 22:16 16384 --a------ C:\WINDOWS\IsUninst.exe
2006-10-25 18:58 -------- d-------- C:\Program Files\PCPitstop
2006-10-25 16:41 -------- d-------- C:\Program Files\Prevx1
2006-10-25 12:21 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-25 12:15 -------- d-------- C:\Program Files\CCleaner
2006-10-25 10:03 -------- d-------- C:\Program Files\Hijackthis
2006-10-21 16:53 1259 --a------ C:\WINDOWS\system32\buq6484e.sys
2006-09-14 16:01 53120 --a------ C:\WINDOWS\srvoocaftl.exe
2006-09-14 16:01 215308 --a------ C:\WINDOWS\srvvrkzlsg.exe
2006-09-04 14:46 5120 --a------ C:\WINDOWS\SYSHOST.DLL
2006-08-23 20:34 53120 --a------ C:\WINDOWS\srvlrtogom.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Winamp Agent"="C:\\WINDOWS\\System32\\winamp.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Microsoft (R) Windows Update Manager"="C:\\WINDOWS\\update\\updmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rykegogig.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\pohyd.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c8,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-04 13:30:09.74
C:\ComboFix3.txt ... 06-11-03 16:33
C:\ComboFix2.txt ... 06-11-04 00:46
C:\ComboFix.txt ... 06-11-04 13:30


0

Response Number 66
Name: jabuck
Date: November 4, 2006 at 14:18:14 Pacific
Reply:

Go to add remove programs and uninstall this program if found:

Spyware Nuker.

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Reboot into safe mode.

Run Hijack this and remove these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O4 - HKLM\..\Run: [Microsoft (R) Windows Update Manager] C:\WINDOWS\update\updmgr.exe

O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

Exit Hijack This but remain in safe mode.

Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\update\updmgr.exe

C:\WINDOWS\update\

C:\windows.exe

C:\WINDOWS\logon.exe

C:\WINDOWS\NDNuninstall7_22.exe

C:\WINDOWS\NDNuninstall6_38.exe

C:\WINDOWS\unvise32.exe

C:\WINDOWS\system32\drload.exe

C:\WINDOWS\system32\spooIsv.exe

C:\WINDOWS\system32\msi32info.exe

C:\WINDOWS\SYSHOST.DLL

Return to Killbox, go to the File menu, and choose Paste from Clipboard.


Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

Navigate to and delete this folder if found:

C:\Program Files\Spyware Nuker

Go to start > control panel > administrative tools > services > scroll down to "Windows Update Manager" > double click it > click stop > click ok. Then in the same box, on the far right of "startup type", click the blue drop-down arrow > click disable > apply > ok. Exit control panel.

Go to run, then type the following commands and press enter after each:

sc stop UpdateManager

sc delete UpdateManager

Open notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything between the x's into notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft (R) Windows Update Manager"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg and save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Restart the computer.

Post a new Hijack This log and a new combofix log please.



0
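The REGEDIT4 text in the post only deletes values: a line of the form "name"=- removes that value from the key named in the preceding bracketed line, and merging it touches nothing else. As an added example, not part of the thread, of Regedit or of any of the tools named above, the Python below parses a REGEDIT4 script and lists what merging it would do, so a fix received from a forum can be read back before it is applied. It covers the syntax seen in this thread (bracketed keys, "name"=- deletions, string, dword and hex values with backslash continuation lines as in the ComboFix registry dump, and [-KEY] whole-key deletions); the first sample is the Fix.reg from the post, the second appends a constructed key deletion and hex value that are not from the thread.

```python
"""Preview what a REGEDIT4 script will do before it is merged.

Added example for this thread; it is not part of Regedit, HijackThis, ComboFix
or the fix posted above. THREAD_FIX_REG is the Fix.reg text from the post;
SAMPLE_WITH_SETS appends constructed lines to exercise the other value forms.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

THREAD_FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft (R) Windows Update Manager"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"=-
"""

# Constructed additions (not from the thread): a whole-key delete and a wrapped
# hex value in the style of the ComboFix "Reg Loading Points" dump.
SAMPLE_WITH_SETS = THREAD_FIX_REG + r"""
[-HKEY_CURRENT_USER\software\example\constructed]

[HKEY_CURRENT_USER\software\example\constructed2]
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,\
  00,00
"""


@dataclass
class RegOp:
    key: str
    name: Optional[str]          # None for a whole-key operation
    action: str                  # "delete_key", "delete_value" or "set"
    kind: Optional[str] = None   # "string", "dword" or "hex" when action == "set"
    data: Optional[str] = None   # decoded string, decimal dword, or raw hex byte list


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash; Regedit wraps long hex data that way."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _unescape(s: str) -> str:
    """Undo the REGEDIT4 string escapes: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_regedit4(text: str) -> List[RegOp]:
    """Turn a REGEDIT4 script into the ordered list of operations it performs."""
    lines = _join_continuations(text)
    if not lines or lines[0].upper() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; Regedit would refuse to merge this file")
    ops: List[RegOp] = []
    key: Optional[str] = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):                      # [-KEY] deletes the whole key
                ops.append(RegOp(body[1:], None, "delete_key"))
                key = None
            else:
                key = body
            continue
        if key is None:
            raise ValueError(f"value line outside any key: {line}")
        # Value names containing '=' are not handled; none appear in this thread.
        name, _, rhs = line.partition("=")
        name = "(Default)" if name == "@" else name.strip().strip('"')
        if rhs == "-":                                    # "name"=- deletes the value
            ops.append(RegOp(key, name, "delete_value"))
        elif rhs.startswith('"') and rhs.endswith('"'):
            ops.append(RegOp(key, name, "set", "string", _unescape(rhs[1:-1])))
        elif rhs.lower().startswith("dword:"):
            ops.append(RegOp(key, name, "set", "dword", str(int(rhs[6:], 16))))
        elif rhs.lower().startswith("hex:"):
            ops.append(RegOp(key, name, "set", "hex", rhs[4:]))
        else:
            raise ValueError(f"unrecognised value syntax: {line}")
    return ops


def describe(ops: List[RegOp]) -> List[str]:
    """One human-readable line per operation, in merge order."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key}\\{op.name}")
        else:
            out.append(f"SET {op.kind:6} {op.key}\\{op.name} = {op.data}")
    return out


def deletions_only(ops: List[RegOp]) -> bool:
    """True when the script removes entries and writes nothing new."""
    return all(op.action in ("delete_key", "delete_value") for op in ops)


if __name__ == "__main__":
    for line in describe(parse_regedit4(THREAD_FIX_REG)):
        print(line)
```

Run against the thread's Fix.reg, describe() lists three DELETE VALUE lines and deletions_only() returns True, which is what one would expect from a script meant only to remove autostart entries; anything that showed up as SET would deserve a second look before merging.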

Response Number 67
Name: bccamper
Date: November 4, 2006 at 15:02:07 Pacific
Reply:

Jabuck, I need further instruction on Killbox. Every time I try it, it doesn't work. I start it, click delete on reboot and click on all files. Then, when you want me to copy the files to the clipboard, do I do this in Windows Explorer? If so, do I shut down Killbox or leave it running? What I did was leave it running and then in Win Explorer found each file, right clicked on it and clicked copy. I then return to Killbox and do File, Paste from Clipboard, but nothing seems to happen. When I click the red X button it says I have not picked a file yet.


0

Response Number 68
Name: bccamper
Date: November 4, 2006 at 15:31:38 Pacific
Reply:

Jabuck,
I forgot to mention one other thing. You asked me to go to add/remove programs and uninstall this program if found:
Spyware Nuker.

It wasn't there, but I do have the icon on my desktop which points to C:\Program Files\Spyware Nuker, which has an uninstall.exe in it. Should I try to uninstall it here?



0

Response Number 69
Name: jabuck
Date: November 4, 2006 at 16:16:06 Pacific
Reply:

You should just copy the list from my post, then press "Ctrl C", then place your cursor into the Killbox window and press "Ctrl V". Or try this tool.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X's below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\WINDOWS\update\updmgr.exe
C:\windows.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\unvise32.exe
C:\WINDOWS\system32\drload.exe
C:\WINDOWS\system32\spooIsv.exe
C:\WINDOWS\system32\msi32info.exe
C:\WINDOWS\SYSHOST.DLL

Folders to delete:
C:\WINDOWS\update

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply and post a new Hijack This log.


0

Response Number 70
Name: bccamper
Date: November 4, 2006 at 16:34:27 Pacific
Reply:

I tried to run avenger and got the following message;

Integrity check failed! This file has been modified. Reasons might be possible virus infection!

Can I just paste and delete the files one at a time into killbox, or does that not work?


0

Response Number 71
Name: bccamper
Date: November 5, 2006 at 12:49:07 Pacific
Reply:

I ran Ad-Aware SE and spybot and they both run clean now so I am posting another hijack log;

Logfile of HijackThis v1.99.1
Scan saved at 12:48, on 06-11-05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Shaw Secure\Common\FSMA32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shaw Secure\Common\FSMB32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe



0

Response Number 72
Name: jabuck
Date: November 5, 2006 at 14:03:17 Pacific
Reply:

That looks a lot better. Run Hijack This from normal mode and remove these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm (if you have this set to blank then don't remove it)

O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)

Looks like F-Secure is your antivirus and ZoneAlarm is the firewall; if I am wrong let me know.

Uninstall AVG in add/remove programs if found.

Post one more combofix log.

Perform an online scan with Panda ActiveScan
Download from this link: Panda ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.



0

Response Number 73
Name: bccamper
Date: November 5, 2006 at 14:40:26 Pacific
Reply:

I did not delete the R0 entry as I am using about:blank as the start page in IE. I tried removing the O23 entry 3 times, but it comes back every time I run a scan.

Yes, F-Secure should be the virus and spyware cleaner on this machine as it is the software supplied by the person's ISP. However, I only seem to see the spyware installed, and I am not even sure if it is working based on the problems this machine had.

AVG does not show up in add/remove programs.

I will try the panda scan now. When I ran it yesterday it reported over 1000 files infected with a virus. Does this sound normal, or is it a red herring? Anyway, we will see what happens this time.

Here is the combo log;

ComboFix 06.10.19 - Running from: "D:\"

((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-04 12:34 40,960 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-11-04 12:34 15,360 --a------ C:\WINDOWS\system32\mstinit.exe
2006-11-04 12:33 86,016 --a------ C:\WINDOWS\system32\charmap.exe
2006-11-04 12:33 67,584 --a------ C:\WINDOWS\system32\rdshost.exe
2006-11-04 12:33 62,464 --a------ C:\WINDOWS\system32\sol.exe
2006-11-04 12:33 60,928 --a------ C:\WINDOWS\system32\freecell.exe
2006-11-04 12:33 539,648 --a------ C:\WINDOWS\system32\spider.exe
2006-11-04 12:33 47,616 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-11-04 12:33 46,080 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-11-04 12:33 391,168 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-04 12:33 39,424 --a------ C:\WINDOWS\system32\regini.exe
2006-11-04 12:33 345,600 --a------ C:\WINDOWS\system32\mspaint.exe
2006-11-04 12:33 27,648 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-11-04 12:33 26,624 --a------ C:\WINDOWS\system32\msg.exe
2006-11-04 12:33 24,064 --a------ C:\WINDOWS\system32\qprocess.exe
2006-11-04 12:33 22,528 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-11-04 12:33 22,528 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-11-04 12:33 22,016 --a------ C:\WINDOWS\system32\tskill.exe
2006-11-04 12:33 21,504 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-11-04 12:33 20,992 --a------ C:\WINDOWS\system32\logoff.exe
2006-11-04 12:33 20,480 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-11-04 12:33 20,480 --a------ C:\WINDOWS\system32\tscon.exe
2006-11-04 12:33 20,480 --a------ C:\WINDOWS\system32\shadow.exe
2006-11-04 12:33 184,832 --a------ C:\WINDOWS\system32\accwiz.exe
2006-11-04 12:33 17,920 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-11-04 12:33 15,360 --a------ C:\WINDOWS\system32\reset.exe
2006-11-04 12:33 144,384 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-11-04 12:33 135,680 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-11-04 12:33 132,608 --a------ C:\WINDOWS\system32\mshearts.exe
2006-11-04 12:33 130,048 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-11-04 12:33 125,440 --a------ C:\WINDOWS\system32\winmine.exe
2006-11-04 12:33 122,368 --a------ C:\WINDOWS\system32\mplay32.exe
2006-11-04 12:33 120,320 --a------ C:\WINDOWS\system32\calc.exe
2006-11-04 12:33 117,760 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-11-04 12:33 11,776 --a------ C:\WINDOWS\system32\msdtc.exe
2006-11-04 12:33 11,264 --a------ C:\WINDOWS\system32\write.exe
2006-11-04 12:33 104,448 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-11-04 12:33 10,752 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-11-04 12:31 29,696 --a------ C:\WINDOWS\system32\devldr32.exe
2006-11-04 12:31 19,017 --a------ C:\WINDOWS\system32\drivers\RTL8029.sys
2006-11-04 12:30 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-11-04 12:30 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-11-02 20:16 199,680 --ah----- C:\WINDOWS\system32\vjjsriv.exe
2006-11-02 20:09 442,368 --a------ C:\windows.exe
2006-11-02 19:55 200,704 --ah----- C:\WINDOWS\system32\mzevzta.exe
2006-11-01 04:38 188,928 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-01 04:35 56,320 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-10-30 20:19 130 --a------ C:\WINDOWS\system32\jbuyzwmx.bat
2006-10-30 19:55 95,744 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-10-30 19:55 197,632 --a------ C:\WINDOWS\system32\termsrv.dll
2006-10-25 16:41 9,728 --a------ C:\WINDOWS\system32\drivers\pxscinst.dll
2006-10-25 16:41 7,680 --a------ C:\WINDOWS\system32\drivers\pxinst.dll
2006-10-25 16:41 7,552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2006-10-25 16:41 266,112 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2006-10-25 16:41 18,432 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2006-10-25 16:41 13,568 --a------ C:\WINDOWS\system32\drivers\pxrd.sys
2006-10-25 16:41 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-25 16:41 100,864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2006-10-21 16:46 77,824 --a------ C:\WINDOWS\logon.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 12:14 102400 --a------ C:\WINDOWS\ScUnin.exe
2006-11-04 12:11 98304 --a------ C:\WINDOWS\unvise32.exe
2006-11-04 12:11 65536 --a------ C:\WINDOWS\uneng.exe
2006-11-04 12:11 51712 --a------ C:\WINDOWS\setdebug.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\Q330994.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\oeuninst.exe
2006-11-04 12:11 39424 --a------ C:\WINDOWS\ieuninst.exe
2006-11-04 12:11 38912 --a------ C:\WINDOWS\muninst.exe
2006-11-04 12:11 36864 --a------ C:\WINDOWS\eTEZDSCl.exe
2006-11-04 12:07 43520 --a------ C:\WINDOWS\system32\MAPISRVR.exe
2006-11-04 12:07 28672 --a------ C:\WINDOWS\system32\drload.exe
2006-11-04 12:07 202752 --ah----- C:\WINDOWS\system32\spooIsv.exe
2006-11-04 12:07 177152 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-04 12:07 125440 --ahs---- C:\WINDOWS\system32\msi32info.exe
2006-11-04 12:06 54784 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-04 12:06 36352 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-11-04 12:06 20480 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-04 12:06 177664 --a------ C:\WINDOWS\system32\jview.exe
2006-11-04 11:53 -------- d-------- C:\Program Files\Java
2006-10-30 20:20 976 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-29 12:03 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-10-29 11:53 -------- d-------- C:\Program Files\Spyware Nuker
2006-10-29 11:48 -------- d-------- C:\Program Files\Uniblue
2006-10-25 22:16 16384 --a------ C:\WINDOWS\IsUninst.exe
2006-10-25 18:58 -------- d-------- C:\Program Files\PCPitstop
2006-10-25 16:41 -------- d-------- C:\Program Files\Prevx1
2006-10-25 12:21 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-25 12:15 -------- d-------- C:\Program Files\CCleaner
2006-10-25 10:03 -------- d-------- C:\Program Files\Hijackthis
2006-10-21 16:53 1259 --a------ C:\WINDOWS\system32\buq6484e.sys
2006-09-14 16:01 53120 --a------ C:\WINDOWS\srvoocaftl.exe
2006-09-14 16:01 215308 --a------ C:\WINDOWS\srvvrkzlsg.exe
2006-09-04 14:46 5120 --a------ C:\WINDOWS\SYSHOST.DLL
2006-08-23 20:34 53120 --a------ C:\WINDOWS\srvlrtogom.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Winamp Agent"="C:\\WINDOWS\\System32\\winamp.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rykegogig.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\pohyd.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c8,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-05 14:36:14.57
C:\ComboFix.txt ... 06-11-05 14:36
C:\ComboFix3.txt ... 06-11-04 00:46
C:\ComboFix2.txt ... 06-11-04 13:30


0
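As an added example (not part of the thread and not code from ComboFix or any tool mentioned in it), a small Python triage script for ComboFix file listings like the one above: it flags files with hidden or system attributes, executables dropped in the drive root, and names that only match a core Windows binary after swapping look-alike glyphs, such as the spooIsv.exe (capital I) listed here alongside the real spoolsv.exe in the running processes. The sample lines are a constructed excerpt using the thread's own paths; the allowlist of names is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the ComboFix listing quoted in the thread.
SAMPLE_LOG = """\
2006-11-04 12:33 86,016 --a------ C:\\WINDOWS\\system32\\charmap.exe
2006-11-02 20:16 199,680 --ah----- C:\\WINDOWS\\system32\\vjjsriv.exe
2006-11-02 20:09 442,368 --a------ C:\\windows.exe
2006-11-04 12:07 202752 --ah----- C:\\WINDOWS\\system32\\spooIsv.exe
2006-11-04 12:07 125440 --ahs---- C:\\WINDOWS\\system32\\msi32info.exe
2006-11-04 11:53 -------- d-------- C:\\Program Files\\Java
"""

# date time size attributes path  (size is "--------" for directories)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+?)\s*$")

# Assumed allowlist: core Windows binaries whose names get imitated. A file
# whose name only matches after swapping look-alike glyphs is not the real one.
KNOWN_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
               "services.exe", "explorer.exe", "csrss.exe", "smss.exe"}
GLYPH_MAP = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".bat", ".scr", ".com")


@dataclass
class Finding:
    path: str
    attrs: str
    reasons: list = field(default_factory=list)


def lookalike_of(name: str):
    """Return the legitimate name this file name imitates, or None."""
    if name.lower() in KNOWN_NAMES:
        return None                      # it really is the known name
    normalised = name.translate(GLYPH_MAP).lower()
    return normalised if normalised in KNOWN_NAMES else None


def triage(log_text: str) -> list:
    """Parse ComboFix 'Files Created' / 'Find3M' lines and collect findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # banner, blank or section line
        _date, _time, _size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue                     # directories are not triaged here
        parent, _, name = path.rpartition("\\")
        if not name.lower().endswith(EXECUTABLE_EXT):
            continue
        f = Finding(path, attrs)
        if "h" in attrs:
            f.reasons.append("hidden attribute")
        if "s" in attrs:
            f.reasons.append("system attribute")
        if parent.lower() == "c:":
            f.reasons.append("executable in drive root")
        twin = lookalike_of(name)
        if twin:
            f.reasons.append(f"name imitates {twin}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.attrs} {finding.path}: {', '.join(finding.reasons)}")
```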

Response Number 74
Name: bccamper
Date: November 5, 2006 at 14:45:51 Pacific
Reply:

I have only scanned 1000 files and it has already reported 70 files infected with the w32/Virutaas.B virus. The odd thing is it shows the file is disinfected, but I am not sure because when I run the scan again it seems to report the same files again.


0

Response Number 75
Name: bccamper
Date: November 5, 2006 at 14:57:10 Pacific
Reply:

jabuck the scan ran until 30132 files scanned and 709 files infected with 1 spyware found. At this point I got the following message;

The application failed to to initialize properly (0xc0000142). Click on Ok to terminate the application.

When I click on OK I get the following message;

The instruction at "0x77d4a5f9" referenced memory at "0x77d4a5f9". The memory could not be read. Click OK to terminate the program. I don't know a lot about this, but it looked like the program overwrote part of itself.

I then clicked okay and the scan continued. Insert sigh of relief here. To be continued....


0

Response Number 76
Name: bccamper
Date: November 5, 2006 at 15:07:02 Pacific
Reply:

The activescan window has not disappeared and all I have on my screen is the background (no icons). The disk light flashes every 4 or 5 seconds so I am not sure if it is still going or not. The scan was current at 1176 viruses, 14 spyware, 0 hijacks, 2 dialers, 0 security risks and 2 suspicious files.


0

Response Number 77
Name: jabuck
Date: November 5, 2006 at 15:33:22 Pacific
Reply:

I can see by the combofix log that you still have a few files that need to be deleted so see if you can exit the virus scan. Then reboot the computer. Let me know when you have rebooted.


0

Response Number 78
Name: bccamper
Date: November 5, 2006 at 16:33:06 Pacific
Reply:

Okay, I have rebooted but explorer will not start and I have no icons on my desktop. If I go to taskmgr and run explorer as a new task, I get that explorer is not a valid win32 app. Time to repair again?


0

Response Number 79
Name: jabuck
Date: November 5, 2006 at 17:12:46 Pacific
Reply:

Appears that way if you are up to it.


0

Response Number 80
Name: bccamper
Date: November 5, 2006 at 17:21:50 Pacific
Reply:

Okay I am repairing. What should I do after that?


0

Response Number 81
Name: jabuck
Date: November 5, 2006 at 17:34:20 Pacific
Reply:

Run the blaster removal tool at this link then post a combofix log. http://www.microsoft.com/security/malwareremove/default.mspx Click skip the details and run the tool.


0

Response Number 82
Name: bccamper
Date: November 5, 2006 at 17:48:44 Pacific
Reply:

Quickscan or fullscan?


0

Response Number 83
Name: jabuck
Date: November 5, 2006 at 18:02:23 Pacific
Reply:

I believe full would be best.


0

Response Number 84
Name: bccamper
Date: November 5, 2006 at 18:22:31 Pacific
Reply:

I ran both a quickscan and a fullscan and it did not find any malicious software.


0

Response Number 85
Name: bccamper
Date: November 5, 2006 at 18:23:49 Pacific
Reply:

I forgot to mention earlier that I do have high speed internet for when we want to upgrade to SP2.


0

Response Number 86
Name: jabuck
Date: November 5, 2006 at 18:31:30 Pacific
Reply:

Ok, we need to be clean before the update. Hopefully removing blaster with the Microsoft tool will help with the missing desktop.


0

Response Number 87
Name: bccamper
Date: November 5, 2006 at 18:48:42 Pacific
Reply:

But the tool didn't find or remove anything. What is the next step?


0

Response Number 88
Name: jabuck
Date: November 5, 2006 at 18:50:34 Pacific
Reply:

Post the combofix log and lets try to delete them manually.


0

Response Number 89
Name: bccamper
Date: November 5, 2006 at 19:24:13 Pacific
Reply:

I ran combo and now the desktop is screwed again. Is this a virus that can't be fixed?


0

Response Number 90
Name: jabuck
Date: November 5, 2006 at 19:37:59 Pacific
Reply:

I don't think so. It does seem like every time we run a scan other than Hijack This or combofix (up till now and your first attempt to run it) it kills the desktop, which is usually a group of files that Brute Force Uninstaller and SDFix will remove. You may have a newer variant, although we seem to have it cornered to the group of files in response # 66, which have the signatures of msblaster, new.net, and a couple of other worms that should delete.


0

Response Number 91
Name: bccamper
Date: November 5, 2006 at 19:41:25 Pacific
Reply:

Okay so what is the next step?


0

Response Number 92
Name: jabuck
Date: November 5, 2006 at 19:59:57 Pacific
Reply:

Get windows running again. Boot to safe mode.

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Navigate to and delete these files:

C:\WINDOWS\update\updmgr.exe

C:\windows.exe

C:\WINDOWS\logon.exe

C:\WINDOWS\NDNuninstall7_22.exe

C:\WINDOWS\NDNuninstall6_38.exe

C:\WINDOWS\unvise32.exe

C:\WINDOWS\system32\drload.exe

C:\WINDOWS\system32\spooIsv.exe

C:\WINDOWS\system32\msi32info.exe

C:\WINDOWS\SYSHOST.DLL

Navigate to and delete this folder:

C:\WINDOWS\update\

Then try to post a combofix log


0

Response Number 93
Name: bccamper
Date: November 5, 2006 at 20:48:54 Pacific
Reply:

jabuck, I cannot delete the following files because they are being used by a process. When I go to task manager they are running as processes. When I try to end them, I get a message 'the operation could not be completed. Access is denied.'


0

Response Number 94
Name: bccamper
Date: November 5, 2006 at 21:08:51 Pacific
Reply:

I rebooted to safe mode (without networking) and I was able to delete the three files as they were no longer running as processes. I am back in safe mode (with networking) now.


0

Response Number 95
Name: bccamper
Date: November 5, 2006 at 21:30:30 Pacific
Reply:

I just looked and those three files and processes are back again.


0

Response Number 96
Name: jabuck
Date: November 6, 2006 at 03:53:29 Pacific
Reply:

There must be something hidden, or that I missed, that is bringing that file back; let's try a couple of programs and see if we can find it.

Download Blacklight Beta from this website:
http://www.f-secure.com/blacklight/
Save it to your desktop and double click on the file.

Have it scan your computer but do not try to fix or delete anything identified by the tool, it may list legitimate programs.

If the scan does find anything then copy and paste the log back to this thread. The log should be on your desktop or root directory (C:\). This is the format for the log file name:
fsbl-<date-and-time>.log

If you have any trouble finding it do a search for fsbl*.log.

Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
Open the folder and double-click on winpfind2.exe to start the program.
Click on the Services tab.
From the two drop down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
Click on the Configuration tab.
Keep the standard settings and then in the AddOn-Options box click the checkboxes for
HKCU_IEDesktop.def
Policies.def
SID_Run_Policies.def
to select them.
Under File Options click Select All
Under Other Options put a check to both Show All boxes
Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
Now click the Run All Scans button on the toolbar.
When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.


0

Response Number 97
Name: bccamper
Date: November 6, 2006 at 05:46:26 Pacific
Reply:

jabuck, BlackLight beta would not run due to 'BlackLight could not acquire necessary privileges (SeDebugPrivilege)

Your settings may prevent acquiring these privileges
A malicious program might have disabled these privileges'

I ran WinPFind2 and I am posting the log here;

Logfile created on: 11-06-2006 05:41
WinPFind2 by OldTimer - Version 1.0.12 Folder = D:\WinPFind2\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)


< All Processes >
\systemroot\system32\smss.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\windows\system32\services.exe - (Microsoft Corporation )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] - (Microsoft Corporation )
(RpcSs) C:\WINDOWS\system32\rpcss.dll - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.exe -K NETSVCS] - (Microsoft Corporation )
(AppMgmt) C:\WINDOWS\System32\appmgmts.dll - (Microsoft Corporation )
(AudioSrv) C:\WINDOWS\System32\audiosrv.dll - (Microsoft Corporation )
(BITS) C:\WINDOWS\System32\qmgr.dll - (Microsoft Corporation )
(Browser) C:\WINDOWS\System32\browser.dll - (Microsoft Corporation )
(CryptSvc) C:\WINDOWS\System32\cryptsvc.dll - (Microsoft Corporation )
(Dhcp) C:\WINDOWS\System32\dhcpcsvc.dll - (Microsoft Corporation )
(dmserver) C:\WINDOWS\System32\dmserver.dll - (Microsoft Corp. )
(ERSvc) C:\WINDOWS\System32\ersvc.dll - (Microsoft Corporation )
(EventSystem) C:\WINDOWS\System32\es.dll - (Microsoft Corporation )
(FastUserSwitchingCompatibility) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(helpsvc) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(HidServ) C:\WINDOWS\System32\hidserv.dll - (File not found))
(lanmanserver) C:\WINDOWS\System32\srvsvc.dll - (Microsoft Corporation )
(lanmanworkstation) C:\WINDOWS\System32\wkssvc.dll - (Microsoft Corporation )
(Messenger) C:\WINDOWS\System32\msgsvc.dll - (Microsoft Corporation )
(Netman) C:\WINDOWS\System32\netman.dll - (Microsoft Corporation )
(Nla) C:\WINDOWS\System32\mswsock.dll - (Microsoft Corporation )
(NtmsSvc) C:\WINDOWS\system32\ntmssvc.dll - (Microsoft Corporation )
(RasAuto) C:\WINDOWS\System32\rasauto.dll - (Microsoft Corporation )
(RasMan) C:\WINDOWS\System32\rasmans.dll - (Microsoft Corporation )
(RemoteAccess) C:\WINDOWS\System32\mprdim.dll - (Microsoft Corporation )
(Schedule) C:\WINDOWS\system32\schedsvc.dll - (Microsoft Corporation )
(seclogon) C:\WINDOWS\System32\seclogon.dll - (Microsoft Corporation )
(SENS) C:\WINDOWS\system32\sens.dll - (Microsoft Corporation )
(ShellHWDetection) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(srservice) C:\WINDOWS\System32\srsvc.dll - (Microsoft Corporation )
(TapiSrv) C:\WINDOWS\System32\tapisrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(Themes) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(TrkWks) C:\WINDOWS\system32\trkwks.dll - (Microsoft Corporation )
(uploadmgr) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(W32Time) C:\WINDOWS\System32\w32time.dll - (Microsoft Corporation )
(winmgmt) C:\WINDOWS\system32\wbem\WMIsvc.dll - (Microsoft Corporation )
(WmdmPmSp) C:\WINDOWS\System32\mspmspsv.dll - (Microsoft Corporation )
(Wmi) C:\WINDOWS\System32\advapi32.dll - (Microsoft Corporation )
(wuauserv) C:\WINDOWS\System32\wuauserv.dll - (Microsoft Corporation )
(WZCSVC) C:\WINDOWS\System32\wzcsvc.dll - (Microsoft Corporation )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs, LLC )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\program files\zone labs\zonealarm\zlclient.exe - (Zone Labs, LLC )
c:\windows\system32\ctfmon.exe - (Microsoft Corporation )
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\program files\shaw secure\common\fsma32.exe - (F-Secure Corporation )
c:\program files\common files\microsoft shared\vs7debug\mdm.exe - (Microsoft Corporation )
c:\program files\shaw secure\common\fsmb32.exe - (F-Secure Corporation )
c:\program files\network monitor\netmon.exe - ( )
c:\program files\prevx1\pxagent.exe - (Prevx )
c:\program files\shaw secure\common\fch32.exe - (F-Secure Corporation )
c:\program files\shaw secure\common\fameh32.exe - (F-Secure Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.exe -K IMGSVC] - (Microsoft Corporation )
(stisvc) C:\WINDOWS\system32\wiaservc.dll - (Microsoft Corporation )
c:\windows\system32\devldr32.exe - (Creative Technology Ltd. )
c:\windows\system32\wuauclt.exe - (Microsoft Corporation )
c:\program files\internet explorer\iexplore.exe - (Microsoft Corporation )
d:\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redi...
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redi...
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redi...
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redi...
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - about:blank
HKCU->Main\\Search Bar - http://www.google.com/ie
HKCU->Main\\Search Page - http://www.google.com
HKCU->Main\\Local Page - \blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC17...
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC17...
HKCU->Search\\SearchAssistant - http://www.google.com/ie
HKCU->URLSearchHooks\\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - Reg Data - Value does not exist = C:\Program Files\DeluxeCommunications\DxcBho.dll ( )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{BDEADE7F-C265-11D0-BCED-00A0C90AB50F} - &Discuss = shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\System32\msdxm.ocx ( )
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (File not found)

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data - Key not found = Reg Data - Key not found (File not found)
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data - Key not found = Reg Data - Key not found (File not found)
WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN = C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (File not found)
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = Reg Data - Key not found (File not found)

[HKCU-> Internet Explorer CmdMapping]
{200DB664-75B5-47c0-8B45-A44ACCF73C00} - 8194 - Reg Data - Key not found
{200DB664-75B5-47c0-8B45-A44ACCF73F01} - 8195 - Reg Data - Key not found
{200DB664-75B5-47c0-8B45-A44ACCF73F02} - 8196 - Reg Data - Key not found
{200DB664-75B5-47c0-8B45-A44ACCF73F03} - 8197 - Reg Data - Key not found
{200DB664-75B5-47c0-8B45-A44ACCF73F04} - 8198 - Reg Data - Key not found
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8199 - Reg Data - Key not found
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - 8202 - @shdoclc.dll,-864
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 - Messenger
NextId - 8203

[HKLM-> Internet Explorer Extensions]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - ButtonText: @shdoclc.dll,-866 = %SystemRoot%\web\related.htm ( )
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\MSMSGS.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation )

[HKLM-> Internet Explorer Plugins]
.spop - Reg Data - Value does not exist = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc. )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data - Key not found (File not found)
{389817DA-A1E8-47A5-8274-92AF21E3E3A7} - = C:\WINDOWS\system32\mnxml2.dll (File not found)
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found)
{5E44E225-A408-11CF-B581-008029601108} - Adaptec DirectCD Shell Extension = C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll (Roxio )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data - Key not found (File not found)
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data - Key not found (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data - Key not found (File not found)
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /s
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.exe %1

[>> Registry Run Keys <<]
HKLM->Run\\DeluxeCommunications - C:\Program Files\DeluxeCommunications\Dxc.exe ( )
HKLM->Run\\Winamp Agent - C:\WINDOWS\System32\winamp.exe (File not found)
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\CTFMON.exe - C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\DeluxeCommunications - C:\Program Files\DeluxeCommunications\Dxc.exe ( )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - dxclib303562752.dll ( )

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]

[>> Winlogon <<]
HMLM->AltDefaultDomainName - PHOEBE
HMLM->AltDefaultUserName - Mae
HMLM->AutoAdminLogon - 0
HMLM->DefaultDomainName - PHOEBE
HMLM->DefaultUserName - Mae
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found)
HMLM->UserInit - C:\WINDOWS\SYSTEM32\Userinit.exe, (Microsoft Corporation )
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )
Notify\wzcnotif - wzcdlg.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{464657D3-927C-487C-BA00-07FA26A77C78} - ()
{8D6491B5-2244-4A3F-83C0-EA19D8739354} - (SMC EZ Card PCI 10 Adapter (SMC1208))

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 (Tcpip) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 (NTDS) - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 (Network Location Awareness (NLA) Namespace) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found)
msdaipp - (File not found)
vnd.ms.radio - C:\WINDOWS\System32\msdxm.ocx ( )

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Abiosdsk (Abiosdsk) - (File not found)) [Disabled - Stopped - Kernel driver]
abp480n5 (abp480n5) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft ACPI Driver (ACPI) - \SystemRoot\System32\DRIVERS\ACPI.sys (Microsoft Corporation ) [ - Running - Kernel driver]
ACPIEC (ACPIEC) - (File not found)) [Disabled - Stopped - Kernel driver]
adpu160m (adpu160m) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel Acoustic Echo Canceller (aec) - system32\drivers\aec.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
AFD Networking Support Environment (AFD) - \SystemRoot\System32\drivers\afd.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
Intel AGP Bus Filter (agp440) - \SystemRoot\System32\DRIVERS\agp440.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Aha154x (Aha154x) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78u2 (aic78u2) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78xx (aic78xx) - (File not found)) [Disabled - Stopped - Kernel driver]
Alerter (Alerter) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Application Layer Gateway Service (ALG) - C:\WINDOWS\System32\alg.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
AliIde (AliIde) - (File not found)) [Disabled - Stopped - Kernel driver]
amsint (amsint) - (File not found)) [Disabled - Stopped - Kernel driver]
Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
asc (asc) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3350p (asc3350p) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3550 (asc3550) - (File not found)) [Disabled - Stopped - Kernel driver]
RAS Asynchronous Media Driver (AsyncMac) - System32\DRIVERS\asyncmac.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Standard IDE/ESDI Hard Disk Controller (atapi) - \SystemRoot\System32\DRIVERS\atapi.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Atdisk (Atdisk) - (File not found)) [Disabled - Stopped - Kernel driver]
atimtag (atimtag) - System32\DRIVERS\atimtag.sys (ATI Technologies Inc. ) [On Demand - Running - Kernel driver]
ATM ARP Client Protocol (Atmarpc) - System32\DRIVERS\atmarpc.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Audio Stub Driver (audstub) - System32\DRIVERS\audstub.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Beep (Beep) - (File not found)) [ - Running - Kernel driver]
Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
cbidf2k (cbidf2k) - (File not found)) [Disabled - Stopped - Kernel driver]
cd20xrnt (cd20xrnt) - (File not found)) [Disabled - Stopped - Kernel driver]
Cdaudio (Cdaudio) - (File not found)) [ - Stopped - Kernel driver]
Cdfs (Cdfs) - (File not found)) [Disabled - Running - Filesystem driver]
Cdr4_xp (Cdr4_xp) - (File not found)) [ - Running - Kernel driver]
Cdralw2k (Cdralw2k) - (File not found)) [ - Running - Kernel driver]
CD-ROM Driver (Cdrom) - System32\DRIVERS\cdrom.sys (Microsoft Corporation ) [ - Running - Kernel driver]
cdudf_xp (cdudf_xp) - (File not found)) [ - Running - Filesystem driver]
Changer (Changer) - (File not found)) [ - Stopped - Kernel driver]
Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
CmdIde (CmdIde) - (File not found)) [Disabled - Stopped - Kernel driver]
COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Cpqarray (Cpqarray) - (File not found)) [Disabled - Stopped - Kernel driver]
Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Creative SBLive! Gameport (ctljystk) - System32\DRIVERS\ctljystk.sys (Creative Technology Ltd. ) [On Demand - Running - Kernel driver]
dac960nt (dac960nt) - (File not found)) [Disabled - Stopped - Kernel driver]
DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Disk Driver (Disk) - \SystemRoot\System32\DRIVERS\disk.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com (Microsoft Corp., Veritas Software ) [On Demand - Stopped - Win32, running in a shared process]
dmboot (dmboot) - System32\drivers\dmboot.sys (Microsoft Corp., Veritas Software ) [Disabled - Stopped - Kernel driver]
Logical Disk Manager Driver (dmio) - \SystemRoot\System32\DRIVERS\dmio.sys (Microsoft Corp., Veritas Software ) [ - Running - Kernel driver]
dmload (dmload) - (File not found)) [ - Running - Kernel driver]
Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Microsoft Kernel DLS Syntheiszer (DMusic) - system32\drivers\DMusic.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
MS IEEE-1284.4 Driver (dot4) - System32\DRIVERS\Dot4.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Print Class Driver for IEEE-1284.4 (Dot4Print) - System32\DRIVERS\Dot4Prt.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Scan Class Driver for IEEE-1284.4 (Dot4Scan) - System32\DRIVERS\Dot4Scan.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Dot4USB Filter Dot4USB Filter (dot4usb) - System32\DRIVERS\dot4usb.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
dpti2o (dpti2o) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel DRM Audio Descrambler (drmkaud) - system32\drivers\drmkaud.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
dvd_2K (dvd_2K) - (File not found)) [On Demand - Stopped - Kernel driver]
3Com EtherLink XL 90XB/C Adapter Driver (EL90XBC) - System32\DRIVERS\el90xbc5.sys (File not found)) [On Demand - Stopped - Kernel driver]
Creative SB Live! (WDM) (emu10k) - system32\drivers\emu10k1m.sys (Creative Technology Ltd. ) [On Demand - Running - Kernel driver]
Creative Interface Manager Driver (WDM) (emu10k1) - system32\drivers\ctlfacem.sys (Creative Technology Ltd. ) [On Demand - Running - Kernel driver]
Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Event Log (Eventlog) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
F-Secure File System Filter (F-Secure Filter) - \??\C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys (File not found)) [Automatic - Stopped - Kernel driver]
F-Secure Gatekeeper (F-Secure Gatekeeper) - \??\C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSgk.sys (File not found)) [Automatic - Stopped - Kernel driver]
F-Secure File System Recognizer (F-Secure Recognizer) - \??\C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys (File not found)) [Automatic - Stopped - Kernel driver]
Fastfat (Fastfat) - (File not found)) [Disabled - Running - Filesystem driver]
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Floppy Disk Controller Driver (Fdc) - System32\DRIVERS\fdc.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Fips (Fips) - (File not found)) [ - Running - Kernel driver]
Floppy Disk Driver (Flpydisk) - System32\DRIVERS\flpydisk.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
F-Secure Management Agent (FSMA) - "C:\Program Files\Shaw Secure\Common\FSMA32.exe" (F-Secure Corporation ) [Automatic - Running - Win32, running in it's own process]
Volume Manager Driver (Ftdisk) - \SystemRoot\System32\DRIVERS\ftdisk.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Game Port Enumerator (gameenum) - System32\DRIVERS\gameenum.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Generic Packet Classifier (Gpc) - System32\DRIVERS\msgpc.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Microsoft HID Class Driver (HidUsb) - System32\DRIVERS\hidusb.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
hpn (hpn) - (File not found)) [Disabled - Stopped - Kernel driver]
hpt3xx (hpt3xx) - (File not found)) [Disabled - Stopped - Kernel driver]
i2omgmt (i2omgmt) - (File not found)) [ - Stopped - Kernel driver]
i2omp (i2omp) - (File not found)) [Disabled - Stopped - Kernel driver]
i8042 Keyboard and PS/2 Mouse Port Driver (i8042prt) - System32\DRIVERS\i8042prt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Imapi (Imapi) - system32\drivers\Imapi.sys (Microsoft Corporation ) [ - Running - Kernel driver]
IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\System32\imapi.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
ini910u (ini910u) - (File not found)) [Disabled - Stopped - Kernel driver]
IntelIde (IntelIde) - \SystemRoot\System32\DRIVERS\intelide.sys (Microsoft Corporation ) [ - Running - Kernel driver]
IP Traffic Filter Driver (IpFilterDriver) - System32\DRIVERS\ipfltdrv.sys (Microsoft Corporation ) [ - Running - Kernel driver]
IP in IP Tunnel Driver (IpInIp) - System32\DRIVERS\ipinip.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IP Network Address Translator (IpNat) - System32\DRIVERS\ipnat.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IPSEC driver (IPSec) - System32\DRIVERS\ipsec.sys (Microsoft Corporation ) [ - Running - Kernel driver]
IR Enumerator Service (IRENUM) - System32\DRIVERS\irenum.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
PnP ISA/EISA Bus Driver (isapnp) - \SystemRoot\System32\DRIVERS\isapnp.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Keyboard Class Driver (Kbdclass) - System32\DRIVERS\kbdclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Microsoft Kernel Wave Audio Mixer (kmixer) - system32\drivers\kmixer.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
KSecDD (KSecDD) - (File not found)) [ - Running - Kernel driver]
Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
lbrtfdc (lbrtfdc) - (File not found)) [ - Stopped - Kernel driver]
TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Machine Debug Manager (MDM) - "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Messenger (Messenger) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
mmc_2K (mmc_2K) - (File not found)) [On Demand - Running - Kernel driver]
mnmdd (mnmdd) - (File not found)) [ - Running - Kernel driver]
NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\System32\mnmsrvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Modem (Modem) - (File not found)) [On Demand - Running - Kernel driver]
Mouse Class Driver (Mouclass) - System32\DRIVERS\mouclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Mouse HID Driver (mouhid) - System32\DRIVERS\mouhid.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
MountMgr (MountMgr) - (File not found)) [ - Running - Kernel driver]
mraid35x (mraid35x) - (File not found)) [Disabled - Stopped - Kernel driver]
WebDav Client Redirector (MRxDAV) - System32\DRIVERS\mrxdav.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
MRXSMB (MRxSmb) - System32\DRIVERS\mrxsmb.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\System32\msdtc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Msfs (Msfs) - (File not found)) [ - Running - Filesystem driver]
Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Microsoft Streaming Service Proxy (MSKSSRV) - system32\drivers\MSKSSRV.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft Streaming Clock Proxy (MSPCLOCK) - system32\drivers\MSPCLOCK.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft Streaming Quality Manager Proxy (MSPQM) - system32\drivers\MSPQM.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Mup (Mup) - (File not found)) [ - Running - Filesystem driver]
NDIS System Driver (NDIS) - (File not found)) [ - Running - Kernel driver]
Remote Access NDIS TAPI Driver (NdisTapi) - System32\DRIVERS\ndistapi.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
NDIS Usermode I/O Protocol (Ndisuio) - System32\DRIVERS\ndisuio.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Remote Access NDIS WAN Driver (NdisWan) - System32\DRIVERS\ndiswan.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
NDIS Proxy (NDProxy) - (File not found)) [On Demand - Running - Kernel driver]
NetBIOS Interface (NetBIOS) - System32\DRIVERS\netbios.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
NetBT (NetBT) - System32\DRIVERS\netbt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Net Logon (Netlogon) - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Network Monitor (Network Monitor) - C:\Program Files\Network Monitor\netmon.exe service ( ) [Automatic - Running - Win32, running in it's own process]
Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Npfs (Npfs) - (File not found)) [ - Running - Filesystem driver]
NPPTNT2 (NPPTNT2) - \??\C:\WINDOWS\System32\npptNT2.sys (INCA Internet Co., Ltd. ) [ - Running - Kernel driver]
Ntfs (Ntfs) - (File not found)) [Disabled - Stopped - Filesystem driver]
NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Null (Null) - (File not found)) [ - Running - Kernel driver]
IPX Traffic Filter Driver (NwlnkFlt) - System32\DRIVERS\nwlnkflt.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
IPX Traffic Forwarder Driver (NwlnkFwd) - System32\DRIVERS\nwlnkfwd.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
oreans32 (oreans32) - \??\C:\WINDOWS\system32\drivers\oreans32.sys ( ) [ - Running - Kernel driver]
Parallel port driver (Parport) - System32\DRIVERS\parport.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
PartMgr (PartMgr) - (File not found)) [ - Running - Kernel driver]
ParVdm (ParVdm) - (File not found)) [Automatic - Running - Kernel driver]
PCI Bus Driver (PCI) - \SystemRoot\System32\DRIVERS\pci.sys (Microsoft Corporation ) [ - Running - Kernel driver]
PCIDump (PCIDump) - (File not found)) [ - Stopped - Kernel driver]
PCIIde (PCIIde) - (File not found)) [Disabled - Stopped - Kernel driver]
Pcmcia (Pcmcia) - (File not found)) [Disabled - Stopped - Kernel driver]
PDCOMP (PDCOMP) - (File not found)) [On Demand - Stopped - Kernel driver]
PDFRAME (PDFRAME) - (File not found)) [On Demand - Stopped - Kernel driver]
PDRELI (PDRELI) - (File not found)) [On Demand - Stopped - Kernel driver]
PDRFRAME (PDRFRAME) - (File not found)) [On Demand - Stopped - Kernel driver]
perc2 (perc2) - (File not found)) [Disabled - Stopped - Kernel driver]
perc2hib (perc2hib) - (File not found)) [Disabled - Stopped - Kernel driver]
Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
IPSEC Services (PolicyAgent) - C:\WINDOWS\System32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
WAN Miniport (PPTP) (PptpMiniport) - System32\DRIVERS\raspptp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Prevx Agent (PREVXAgent) - "C:\Program Files\Prevx1\PXAgent.exe" -f (Prevx ) [Automatic - Running - Win32, running in it's own process]
PREVX Kernel Mode Agent (PrevxDriver) - \SystemRoot\system32\drivers\pxfsf.sys (Prevx Limited, http://www.prevx1.com/ ) [ - Running - Filesystem driver]
PREVX Emulator Driver (PrevxEmulator) - system32\drivers\pxemu.sys (Prevx Limited, http://www.prevx1.com/ ) [On Demand - Stopped - Kernel driver]
PREVX Tdi filter (PrevxTdi) - system32\drivers\pxtdi.sys (Prevx Limited, http://www.prevx1.com/ ) [ - Running - Kernel driver]
Processor Driver (Processor) - System32\DRIVERS\processr.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
QoS Packet Scheduler (PSched) - System32\DRIVERS\psched.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Direct Parallel Link Driver (Ptilink) - System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc. ) [On Demand - Running - Kernel driver]
pwd_2K (pwd_2K) - (File not found)) [ - Running - Kernel driver]
PREVX Rootkitscan driver (PXRDDriver) - \??\C:\WINDOWS\system32\drivers\pxrd.sys ( ) [On Demand - Stopped - Kernel driver]
ql1080 (ql1080) - (File not found)) [Disabled - Stopped - Kernel driver]
Ql10wnt (Ql10wnt) - (File not found)) [Disabled - Stopped - Kernel driver]
ql12160 (ql12160) - (File not found)) [Disabled - Stopped - Kernel driver]
ql1240 (ql1240) - (File not found)) [Disabled - Stopped - Kernel driver]
ql1280 (ql1280) - (File not found)) [Disabled - Stopped - Kernel driver]
Remote Access Auto Connection Driver (RasAcd) - System32\DRIVERS\rasacd.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
WAN Miniport (L2TP) (Rasl2tp) - System32\DRIVERS\rasl2tp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Remote Access PPPOE Driver (RasPppoe) - System32\DRIVERS\raspppoe.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Direct Parallel (Raspti) - System32\DRIVERS\raspti.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Rdbss (Rdbss) - System32\DRIVERS\rdbss.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
RDPCDD (RDPCDD) - System32\DRIVERS\RDPCDD.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Terminal Server Device Redirector Driver (rdpdr) - System32\DRIVERS\rdpdr.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
RDPWD (RDPWD) - (File not found)) [On Demand - Stopped - Kernel driver]
Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Digital CD Audio Playback Filter Driver (redbook) - System32\DRIVERS\redbook.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\System32\locator.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
QoS RSVP (RSVP) - C:\WINDOWS\System32\rsvp.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver (rtl8029) - System32\DRIVERS\RTL8029.SYS (Realtek Semiconductor Corporation ) [On Demand - Running - Kernel driver]
Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Smart Card Helper (SCardDrv) - C:\WINDOWS\System32\SCardSvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Smart Card (SCardSvr) - C:\WINDOWS\System32\SCardSvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Secdrv (Secdrv) - System32\DRIVERS\secdrv.sys ( ) [On Demand - Stopped - Kernel driver]
Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Serenum Filter Driver (serenum) - System32\DRIVERS\serenum.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Serial port driver (Serial) - System32\DRIVERS\serial.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Sfloppy (Sfloppy) - (File not found)) [ - Stopped - Kernel driver]
Creative SoundFont Manager Driver (WDM) (sfman) - system32\drivers\sfmanm.sys (Creative Technology Ltd. ) [On Demand - Running - Kernel driver]
Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Simbad (Simbad) - (File not found)) [Disabled - Stopped - Kernel driver]
Sony USB Filter Driver (SONYPVU1) (SONYPVU1) - System32\DRIVERS\SONYPVU1.SYS (Sony Corporation ) [On Demand - Stopped - Kernel driver]
Sparrow (Sparrow) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel Audio Splitter (splitter) - system32\drivers\splitter.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
System Restore Filter Driver (sr) - \SystemRoot\System32\DRIVERS\sr.sys (Microsoft Corporation ) [ - Running - Filesystem driver]
srescan (srescan) - \SystemRoot\System32\ZoneLabs\srescan.sys (Zone Labs, LLC ) [ - Running - Kernel driver]
System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Srv (Srv) - System32\DRIVERS\srv.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Software Bus Driver (swenum) - System32\DRIVERS\swenum.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Microsoft Kernel GS Wavetable Synthesizer (swmidi) - system32\drivers\swmidi.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{2812FBAB-03ED-4265-9B40-83E9DDA02C50} (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
symc810 (symc810) - (File not found)) [Disabled - Stopped - Kernel driver]
symc8xx (symc8xx) - (File not found)) [Disabled - Stopped - Kernel driver]
SymWMI Service (SymWSC) - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (Symantec Corporation ) [Automatic - Stopped - Win32, running in it's own process]
sym_hi (sym_hi) - (File not found)) [Disabled - Stopped - Kernel driver]
sym_u3 (sym_u3) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel System Audio Device (sysaudio) - system32\drivers\sysaudio.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
TCP/IP Protocol Driver (Tcpip) - System32\DRIVERS\tcpip.sys (Microsoft Corporation ) [ - Running - Kernel driver]
TDPIPE (TDPIPE) - (File not found)) [On Demand - Stopped - Kernel driver]
TDTCP (TDTCP) - (File not found)) [On Demand - Stopped - Kernel driver]
Terminal Device Driver (TermDD) - System32\DRIVERS\termdd.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Themes (Themes) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Telnet (TlntSvr) - C:\WINDOWS\System32\tlntsvr.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
TosIde (TosIde) - (File not found)) [Disabled - Stopped - Kernel driver]
Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Udfreadr_xp (Udfreadr_xp) - (File not found)) [ - Running - Filesystem driver]
Udfs (Udfs) - (File not found)) [Disabled - Stopped - Filesystem driver]
ultra (ultra) - (File not found)) [Disabled - Stopped - Kernel driver]
Microcode Update Driver (Update) - System32\DRIVERS\update.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Windows Update Manager (UpdateManager) - C:\WINDOWS\update\updmgr.exe /updatemgr (File not found)) [Automatic - Stopped - Win32, running in it's own process]
Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Uninterruptible Power Supply (UPS) - C:\WINDOWS\System32\ups.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
USB2 Enabled Hub (usbhub) - System32\DRIVERS\usbhub.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
USB Mass Storage Driver (USBSTOR) - System32\DRIVERS\USBSTOR.SYS (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Microsoft USB Universal Host Controller Miniport Driver (usbuhci) - System32\DRIVERS\usbuhci.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Messenger Sharing USN Journal Reader service (usnsvc) - C:\WINDOWS\System32\svchost.exe -k usnsvc (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
User Privilege Service (usprserv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
VgaSave (VgaSave) - \SystemRoot\System32\drivers\vga.sys (Microsoft Corporation ) [ - Running - Kernel driver]
ViaIde (ViaIde) - (File not found)) [Disabled - Stopped - Kernel driver]
VolSnap (VolSnap) - (File not found)) [ - Running - Kernel driver]
vsdatant (vsdatant) - System32\vsdatant.sys (Zone Labs, LLC ) [ - Running - Kernel driver]
TrueVector Internet Monitor (vsmon) - C:\WINDOWS\system32\ZONELABS\vsmon.exe -service (Zone Labs, LLC ) [Automatic - Running - Win32, running in it's own process]
Volume Shadow Copy (VSS) - C:\WINDOWS\System32\vssvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Remote Access IP ARP Driver (Wanarp) - System32\DRIVERS\wanarp.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
WDICA (WDICA) - (File not found)) [On Demand - Stopped - Kernel driver]
Microsoft WINMM WDM Audio Compatibility Driver (wdmaud) - system32\drivers\wdmaud.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
WebClient (WebClient) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Portable Media Serial Number (WmdmPmSp) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\System32\wbem\wmiapsrv.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Windows Socket 2.0 Non-IFS Service Provider Support Environment (WS2IFSL) - \SystemRoot\System32\drivers\ws2ifsl.sys (Microsoft Corporation ) [Disabled - Stopped - Kernel driver]
Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
AVG7 Wrap Driver (Avg7RsW) - \SystemRoot\System32\Drivers\avg7rsw.sys (File not found)) [Disabled - Running - Kernel driver]

< Files >

%SystemDrive%

%ProgramFilesDir%

%WinDir%

%System%
C:\WINDOWS\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.21.1628.0 | Size = 9639336 bytes | Date = 10-04-2006 13:03 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - aspack (Microsoft Corporation [Ver = 1.21.1628.0 | Size = 9639336 bytes | Date = 10-04-2006 13:03 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\rasdlg.dll - Umonitor (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 630784 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\ntbackup.exe - WSUD (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 1135616 bytes | Date = 08-23-2001 04:00 | Attr = ])

%System%\Drivers folder and sub-folders

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\WindowsShell.Manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 11-06-2006 05:18 | Attr = S])
C:\WINDOWS\system32\vsconfig.xml - ( [Ver = | Size = 48883 bytes | Date = 11-06-2006 05:19 | Attr = H ])
C:\WINDOWS\system32\mzevzta.exe - ( [Ver = | Size = 200704 bytes | Date = 11-02-2006 19:59 | Attr = H ])
C:\WINDOWS\system32\zllictbl.dat - ( [Ver = | Size = 4212 bytes | Date = 11-03-2006 16:51 | Attr = H ])
C:\WINDOWS\system32\vjjsriv.exe - ( [Ver = | Size = 199680 bytes | Date = 11-02-2006 20:18 | Attr = H ])
C:\WINDOWS\system32\ncpa.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\system32\nwc.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\system32\sapi.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\system32\wuaucpl.cpl.manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\system32\logonui.exe.manifest - ( [Ver = | Size = 488 bytes | Date = 11-06-2006 05:09 | Attr = RH ])
C:\WINDOWS\system32\cdplayer.exe.manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\system32\WindowsLogon.manifest - ( [Ver = | Size = 488 bytes | Date = 11-06-2006 05:09 | Attr = RH ])
C:\WINDOWS\system32\msi32info.exe - ( [Ver = | Size = 125440 bytes | Date = 11-05-2006 14:49 | Attr = HS])
C:\WINDOWS\system32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:23 | Attr = H ])
C:\WINDOWS\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:40 | Attr = H ])
C:\WINDOWS\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:41 | Attr = H ])
C:\WINDOWS\system32\config\userdiff.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:10 | Attr = H ])
C:\WINDOWS\system32\config\TempKey.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:02 | Attr = H ])
C:\WINDOWS\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:18 | Attr = H ])
C:\WINDOWS\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:19 | Attr = H ])
C:\WINDOWS\system32\config\system.tmp.LOG - ( [Ver = | Size = 0 bytes | Date = 10-30-2006 19:46 | Attr = H ])
C:\WINDOWS\system32\config\software.tmp.LOG - ( [Ver = | Size = 0 bytes | Date = 10-30-2006 19:47 | Attr = H ])
C:\WINDOWS\system32\config\default.tmp.LOG - ( [Ver = | Size = 0 bytes | Date = 10-30-2006 19:47 | Attr = H ])
C:\WINDOWS\system32\config\userdifr.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-06-2006 05:10 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG - ( [Ver = | Size = 1024 bytes | Date = 11-05-2006 17:49 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 14:40 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:38 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S9MBGHA7\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:38 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BIVNXMN3\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:38 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EZE9OT8B\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:38 | Attr = HS])
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K7WD4LM5\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:38 | Attr = HS])
C:\WINDOWS\repair\ntuser.dat - ( [Ver = | Size = 700416 bytes | Date = 11-06-2006 05:10 | Attr = H ])
C:\WINDOWS\Fonts\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-06-2006 05:09 | Attr = HS])
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GONKIF2B\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\89GBC18F\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9J7PXYTY\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OPQRSTUV\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Temp\History\History.IE5\desktop.ini - ( [Ver = | Size = 113 bytes | Date = 11-05-2006 20:26 | Attr = HS])
C:\WINDOWS\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 11-06-2006 05:19 | Attr = H ])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab - ( [Ver = | Size = 242478 bytes | Date = 11-06-2006 05:09 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_55.cab - ( [Ver = | Size = 19959 bytes | Date = 11-06-2006 05:09 | Attr = RHS])
C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_56.cab - ( [Ver = | Size = 727 bytes | Date = 11-06-2006 05:09 | Attr = RHS])
C:\WINDOWS\Downloaded Program Files\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 11-06-2006 05:09 | Attr = H ])
C:\WINDOWS\Offline Web Pages\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 11-06-2006 05:09 | Attr = H ])
C:\WINDOWS\CSC\00000001 - ( [Ver = | Size = 64 bytes | Date = 11-06-2006 05:18 | Attr = S])
C:\WINDOWS\CSC\csc1.tmp - ( [Ver = | Size = 64 bytes | Date = 10-25-2006 16:51 | Attr = S])
C:\WINDOWS\CSC\00000002 - ( [Ver = | Size = 64 bytes | Date = 11-01-2006 04:43 | Attr = S])

CPL files
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 130048 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 558592 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 150016 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 294912 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 119808 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 65536 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 559616 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.7713.0 | Size = 36864 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 109056 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 270848 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 90112 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 66048 bytes | Date = 08-18-2001 11:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.7713.0 | Size = 36864 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 66048 bytes | Date = 08-18-2001 11:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 558592 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 130048 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 150016 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 294912 bytes | Date = 08-23-2001


0
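The file listing above is what a helper reads to separate dropped binaries from operating-system files: an executable under system32 with no publisher string, no version resource, the hidden attribute set, and a write date only days before the scan is far more interesting than a signed Microsoft file from 2001. As an added example that is not part of the thread and not the scanner's own tooling, here is a small Python triage script that parses lines in that listing format and flags entries showing several of those traits at once. The sample lines are copied from the listing above; the scan timestamp, the seven-day window and the two-reason threshold are assumptions chosen for illustration.

```python
import os
import re
from datetime import datetime, timedelta

# One line of the scanner's "%System%" / "%windir% + sub-dirs" file listing.
# The pattern follows the shape of the lines quoted in the thread:
#   <path> - [<packer tag>] (<company> [Ver = <v> | Size = <n> bytes | Date = MM-DD-YYYY HH:MM | Attr = <flags>])
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) - (?P<tag>\S*)\s*\((?P<company>[^\[]*)"
    r"\[Ver = (?P<version>[^|]*)\| Size = (?P<size>\d+) bytes"
    r" \| Date = (?P<date>\d\d-\d\d-\d{4} \d\d:\d\d) \| Attr = (?P<attr>[^\]]*)\]\)\s*$"
)

# Extensions that load as code; anything else is left alone by the triage.
EXEC_EXT = {".exe", ".dll", ".sys", ".cpl", ".scr"}

# Sample lines copied from the listing posted above.
SAMPLE_LINES = r"""
C:\WINDOWS\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.21.1628.0 | Size = 9639336 bytes | Date = 10-04-2006 13:03 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2600.0000 (xpclient.010817-1148) | Size = 256000 bytes | Date = 08-23-2001 12:00 | Attr = ])
C:\WINDOWS\WindowsShell.Manifest - ( [Ver = | Size = 749 bytes | Date = 11-06-2006 05:08 | Attr = RH ])
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 11-06-2006 05:18 | Attr = S])
C:\WINDOWS\system32\mzevzta.exe - ( [Ver = | Size = 200704 bytes | Date = 11-02-2006 19:59 | Attr = H ])
C:\WINDOWS\system32\vjjsriv.exe - ( [Ver = | Size = 199680 bytes | Date = 11-02-2006 20:18 | Attr = H ])
C:\WINDOWS\system32\msi32info.exe - ( [Ver = | Size = 125440 bytes | Date = 11-05-2006 14:49 | Attr = HS])
""".strip().splitlines()

# Assumed time of the listing (newest entries above are from the morning of 11-06-2006).
SCAN_DATE = datetime(2006, 11, 6, 5, 41)


def parse_entry(line):
    """Parse one listing line into a dict; return None if the line is not a file entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "packer": m["tag"],                       # packer/signature tag, e.g. PECompact2, or ""
        "company": m["company"].strip(),          # publisher string from the version resource
        "version": m["version"].strip(),
        "size": int(m["size"]),
        "date": datetime.strptime(m["date"], "%m-%d-%Y %H:%M"),
        "attr": m["attr"].strip(),                # R/H/S attribute flags
    }


def suspicious_reasons(entry, scan_date, recent_days=7):
    """Return the traits that make an entry look like a dropped binary rather than an OS file."""
    reasons = []
    # Use forward slashes so splitext sees the file name, not a dotted directory name.
    ext = os.path.splitext(entry["path"].replace("\\", "/"))[1].lower()
    if ext not in EXEC_EXT:
        return reasons
    if not entry["company"]:
        reasons.append("no publisher string")
    if not entry["version"]:
        reasons.append("no version resource")
    if "H" in entry["attr"]:
        reasons.append("hidden attribute set")
    if scan_date - entry["date"] <= timedelta(days=recent_days):
        reasons.append(f"written within the last {recent_days} days")
    return reasons


def triage(lines, scan_date, min_reasons=2):
    """Parse listing lines and return [(path, reasons)] for entries with at least min_reasons traits."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry, scan_date)
        if len(reasons) >= min_reasons:
            flagged.append((entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES, SCAN_DATE):
        print(path, "->", "; ".join(reasons))
```

Run against the sample, the script flags the three hidden, unsigned, freshly written executables in system32 and leaves MRT.exe and nusrmgr.cpl alone, which is exactly the distinction a helper makes by eye. The threshold is deliberately a count of independent traits rather than a single rule: a missing publisher string alone also matches harmless third-party files, and a recent write date alone also matches Windows Update output.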

Response Number 98
Name: bccamper
Date: November 6, 2006 at 06:49:01 Pacific
Reply:

Also while I was waiting for you to respond, I googled deskbar, which I seem to have a lot of, and it reported a program called XoftspySE. I downloaded it and it reported a whole bunch of stuff that was bad. It doesn't clean the stuff unless you buy a licence so I cleaned everything manually.


0

Response Number 99
Name: jabuck
Date: November 6, 2006 at 15:17:42 Pacific
Reply:

Boot into safe mode.

Run ATF-Cleaner

Navigate to and delete these files and folders if found:

C:\Program Files\network monitor\netmon.exe (file)

C:\Program Files\network monitor (folder)

C:\Program Files\Common Files\fiqz\fiqzm.exe (file)

C:\Program Files\Common Files\fiqz (folder)

C:\WINDOWS\system32\mzevzta.exe (file)

C:\WINDOWS\system32\vjjsriv.exe (file)

Exit Safe mode.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next follow the directions at this link to remove DeluxeCommunications http://www.bleepingcomputer.com/forums/topic66364.html

Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.


0

Response Number 100
Name: bccamper
Date: November 7, 2006 at 07:15:56 Pacific
Reply:

Jabuck, I've run all the things in your last post. The Dr. Web CureIt was taking a long, long time so I let it run overnight. When I looked this morning I couldn't get my screen to display and eventually had to reboot. There was no log file on my desktop. Should I rerun it? Also I keep getting a ZoneAlarm message for project1 so it would seem I have that virus as well. Is there a way to get rid of it?


0

Response Number 101
Name: jabuck
Date: November 7, 2006 at 14:57:08 Pacific
Reply:

I'm convinced there is a way to defeat this. I have asked for help with this and once they respond I will back out; just follow their advice.


0

Response Number 102
Name: teacup61
Date: November 7, 2006 at 15:19:44 Pacific
Reply:

Hello bccamper,

I'd like to do some things here that don't involve downloading anything, so they should be easy. First thing is to get your desktop back :

Navigate to C:\Program Files\Common Files

Delete the following file:

pohyd.html

Navigate to C:\Program Files\MSN Gaming Zone

Delete the following file:

rykegogig.html

Then Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Let me know if your desktop is back to normal now.

tea

PS Please forgive any formatting errors....I'm not real familiar with this site. :)


0

Response Number 103
Name: bccamper
Date: November 7, 2006 at 17:11:00 Pacific
Reply:

Hello teacup,

Welcome to my nightmare.

I have my desktop back as I rebooted and then it was fine. I looked for the two html files you referred to and they are not in the specified locations. I did however find them in the quarantine directory of Dr Web so I guess they got cleaned up already.

When I looked at the web tab there was only 1 item checked and the name was blank. The 'my current home page' was unchecked so I left it that way. The 'lock desktop items' was not checked.

What I will add is that I seem to be having a real problem with deskbar.exe. Jabuck has had me do things that seem to clean it and then it always comes back. Currently I have my desktop intact but web pages do not seem to work. When I tried to update this post by going to the url, the url it actually tried to go to was http://deskbar.worldtostart.com/dns... I do not have the internet cable connected currently, but at most it should have just said 'page not found'.


0

Response Number 104
Name: bccamper
Date: November 7, 2006 at 17:34:45 Pacific
Reply:

I should also add that if downloading stuff is helping to cause the problem, I can leave the machine disconnected from the internet and download stuff from another machine. In fact I have been doing that a lot already.


0

Response Number 105
Name: teacup61
Date: November 8, 2006 at 12:38:17 Pacific
Reply:

Hello,

Can you give me the exact path to deskbar.exe?

I'd like for you to try another scan with Dr.Web, please. Sometimes a system is so heavily infected that it actually takes several tries before it can complete a scan. If you can get it to run through, please post the report from it. It would help enormously. :)

tea


0

Response Number 106
Name: bccamper
Date: November 8, 2006 at 19:53:53 Pacific
Reply:

Okay I will run another scan. The deskbar.exe is always in the root directory (ie c:\deskbar.exe)


0

Response Number 107
Name: bccamper
Date: November 8, 2006 at 20:11:36 Pacific
Reply:

teacup, I just went to run the scan and noticed the deskbar this time was under c:\program files\deskbar. I tried to delete the directory but the desktop.dll file could not be deleted. I started the scan and it reported adware.softomate but did not say it was going to take any action for the file. There were also some other files with adware.* and no action specified either. Maybe I need to run something else to clean these. I will let you know the results of the scan.


0

Response Number 108
Name: bccamper
Date: November 8, 2006 at 21:44:09 Pacific
Reply:

The scan is still running. It is at the point where it really runs slow and seems to be scanning a file called c:\...ot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot


0

Response Number 109
Name: bccamper
Date: November 8, 2006 at 23:56:13 Pacific
Reply:

Teacup the scan is finished. Every time it runs it reports that Dr Web CureIt is infected itself. I ran it anyway and it created a bunch of files in the temp\rsafix0 directory. I deleted most of these files (around 2000) and the scan picked up speed. I am now running it once more. What would you like me to do next?


0

Response Number 110
Name: teacup61
Date: November 9, 2006 at 08:10:57 Pacific
Reply:

Hello,

If it finished, I'd like to see the report please. :) The long file you told me about is relevant here, and it would be a huge help to see it all. Now, I need to clarify here....you told me you saw deskbar in 3 different ways. 1) deskbar.dll.....located where? 2) c:\program files\deskbar 3) c:\deskbar.exe In my directions below I've used #3. If it doesn't work, use #2 location. I need to know the full path of the .dll, please. :)

Open HiJackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

c:\

And select the file

deskbar.exe

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

If you already have ComboFix, please delete it and download a fresh one.

1. Download this file - http://download.bleepingcomputer.co...
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


0

Response Number 111
Name: bccamper
Date: November 9, 2006 at 19:52:54 Pacific
Reply:

Right now I don't have deskbar files at all. Using Dr Web I have been able to get rid of all of them. I am running a new scan again right now. When it finishes I will run a combofix and a hijackthis.


0

Response Number 112
Name: bccamper
Date: November 9, 2006 at 21:58:25 Pacific
Reply:

Teacup, here is the DrWeb.csv and the hijack log. I tried to run ComboFix, but it runs the scan and is then supposed to start over, and it never seems to come back. I can tell you, though, that when the scan runs it reports that the machine has SurfSideKick.

A0005136.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;BackDoor.Generic.1372;Deleted.;
A0005137.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;BackDoor.Generic.1372;Deleted.;
cureit.exe;C:\DOCUME~1\Mae\LOCALS~1\Temp\RarSFX0;Win32.Virut - write error - write error;Deleted.;
pxagent.exe;c:\program files\prevx1;Win32.Virut - write error;Cannot delete.;
PXSetup.exe;C:\Program Files\Prevx1;Win32.Virut;;
PXAgent.exe;C:\Program Files\Prevx1;Win32.Virut;;
PXConsole.exe;C:\Program Files\Prevx1;Win32.Virut;;
PXL.exe;C:\Program Files\Prevx1;Win32.Virut;;
PXL1.exe;C:\Program Files\Prevx1;Win32.Virut;;
pxsupport.exe;C:\Program Files\Prevx1;Win32.Virut;;
PXToolbar.exe;C:\Program Files\Prevx1;Win32.Virut;;
sdbconvert.exe;C:\Program Files\Prevx1;Win32.Virut - write error;Cannot delete.;
_start.exe;c:\documents and settings\mae\local settings\temp\rarsfx0;Win32.Virut;Will be cured after reboot.;
qappsrv.exe;C:\WINDOWS\system32\dllcache;Win32.Virut;Cured.;
regwiz.exe;C:\WINDOWS\system32\dllcache;Win32.Virut;Cured.;
wb32.exe;C:\WINDOWS\system32\dllcache;Win32.Virut;Cured.;
oobebaln.exe;C:\WINDOWS\system32\oobe;Win32.Virut;Cured.;
cureit.exe.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
_start.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_rebo;C:\Documents and Settings\Mae\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
sapisvr.exe;C:\Program Files\Common Files\Microsoft Shared\Speech;Win32.Virut;Cured.;
icwtutor.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut;Cured.;
icwrmind.exe;C:\Program Files\Internet Explorer\Connection Wizard;Win32.Virut;Cured.;
setup_wm.exe;C:\Program Files\Windows Media Player;Win32.Virut;Cured.;
A0003154.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003160.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003190.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003198.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003201.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003233.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003258.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003261.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003262.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003277.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003286.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003300.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003309.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003316.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003317.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003325.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003355.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003356.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003371.scr;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003374.scr;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003377.scr;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003378.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003381.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003388.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003406.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003425.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0003524.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004247.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004267.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004317.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004451.scr;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004964.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004986.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0004991.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005136.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005137.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005140.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005141.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005143.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005145.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005146.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005472.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005473.EXE;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005474.EXE;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005475.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005476.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0006035.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0006038.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006055.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006169.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006611.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006668.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006674.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006712.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006802.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006803.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006804.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006805.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006806.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0006807.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP4;Win32.Virut;Cured.;
A0005345.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005362.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005363.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005364.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005365.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005366.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005370.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005371.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005372.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005373.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005374.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005375.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005376.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005377.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005378.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005379.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005380.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005381.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005382.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005383.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005384.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005385.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005386.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005387.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005388.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005389.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005405.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005406.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005411.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005412.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005413.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005414.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005415.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005416.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005419.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005421.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005422.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005426.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005427.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005428.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005429.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005430.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005431.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005432.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005433.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005434.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005435.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005436.EXE;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005438.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005439.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005440.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005441.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005442.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005444.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005445.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005446.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005447.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005448.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005449.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005452.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005453.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005454.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005455.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005456.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Win32.Virut;Cured.;
A0005443.exe;D:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Tool.Prockill;Deleted.;
A0005147.exe;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Surfside;Deleted.;
A0005457.dll;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Dh;Deleted.;
A0005458.dll;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Softomate;Deleted.;
A0005459.dll;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Dh;Deleted.;
A0005460.dll;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Surfside;Deleted.;
A0005461.dll;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Surfside;Deleted.;
A0005466.DLL;C:\System Volume Information\_restore{39436674-203A-46C6-A922-1673DCC07898}\RP3;Adware.Softomate;Deleted.;

Logfile of HijackThis v1.99.1
Scan saved at 21:22, on 06-11-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Shaw Secure\Common\FSMA32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Shaw Secure\Common\FSMB32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyoun...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyoun...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe



0
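The Dr.Web report above is a plain semicolon-separated list (name;directory;threat;action;), and a helper reads it by asking three questions: how many hits are only in System Restore snapshots (cleared later by purging restore points), which actions did not succeed ("Cannot delete.", blank, "Will be cured after reboot."), and why the same file keeps reappearing with a longer `.delete_on_reboot` suffix (each pass re-queues the previous pass's already-queued file, which suggests the scheduled cleanup never took effect). The script below is an added example, not part of the thread or of Dr.Web; the sample lines are constructed to match the report format, with a placeholder in place of the restore-point GUID.

```python
"""Triage a Dr.Web CureIt! CSV report: name;directory;threat;action;

Added example (not Dr.Web's own tooling). Groups detections the way a helper
reads the report by eye: hits inside System Restore snapshots, failed or
pending actions, write errors, and growing .delete_on_reboot chains.
"""
import re
from collections import Counter

# Constructed sample modelled on the report format above (not the page's own log).
SAMPLE_REPORT = r"""
A0005136.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP3;BackDoor.Generic.1372;Deleted.;
pxagent.exe;c:\program files\exampleav;Win32.Virut - write error;Cannot delete.;
PXSetup.exe;C:\Program Files\ExampleAV;Win32.Virut;;
setup_x.exe;C:\Program Files\Example App;Win32.Virut;Cured.;
cureit.exe;C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0;Win32.Virut - write error - write error;Deleted.;
cureit.exe.delete_on_reboot;C:\Documents and Settings\User\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
cureit.exe.delete_on_reboot.delete_on_reboot;C:\Documents and Settings\User\Local Settings\Temp\RarSFX0;Win32.Virut;Will be cured after reboot.;
A0005457.dll;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP3;Adware.Dh;Deleted.;
"""

# Actions observed in the report that mean the scanner is done with the file.
RESOLVED_ACTIONS = {"Deleted.", "Cured."}
# Also matches names cut short by a path-length limit (".delete_on_rebo"), as in the report.
REBOOT_SUFFIX = re.compile(r"\.delete_on_rebo(?:ot)?")
RESTORE_POINT = re.compile(r"system volume information\\_restore", re.IGNORECASE)


def parse_report(text):
    """Return one dict per report line; a trailing ';' just leaves an empty 5th field."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        fields += [""] * (4 - len(fields))          # tolerate a short line
        name, directory, threat, action = fields[:4]
        threat_parts = threat.split(" - ")          # "Win32.Virut - write error - write error"
        entries.append({
            "name": name,
            "directory": directory,
            "threat": threat_parts[0],
            "write_error": any(p.strip() == "write error" for p in threat_parts[1:]),
            "action": action,
            "in_restore_point": bool(RESTORE_POINT.search(directory)),
            "base_name": REBOOT_SUFFIX.split(name)[0],
            "reboot_depth": len(REBOOT_SUFFIX.findall(name)),
        })
    return entries


def summarise(text):
    """Aggregate the parsed report into the numbers a helper wants first."""
    entries = parse_report(text)
    chains = {}                                      # base file -> deepest suffix chain seen
    for e in entries:
        if e["reboot_depth"]:
            chains[e["base_name"]] = max(chains.get(e["base_name"], 0), e["reboot_depth"])
    return {
        "total": len(entries),
        "by_threat": Counter(e["threat"] for e in entries),
        "by_action": Counter(e["action"] for e in entries),
        "in_restore_points": sum(e["in_restore_point"] for e in entries),
        "live": sum(not e["in_restore_point"] for e in entries),
        "write_errors": sum(e["write_error"] for e in entries),
        "unresolved": [(e["name"], e["directory"]) for e in entries
                       if e["action"] not in RESOLVED_ACTIONS],
        "reboot_chains": chains,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['total']} detections, {s['in_restore_points']} inside System Restore snapshots")
    for threat, n in s["by_threat"].most_common():
        print(f"  {threat}: {n}")
    for name, directory in s["unresolved"]:
        print(f"unresolved: {name} in {directory}")
    for base, depth in s["reboot_chains"].items():
        print(f"reboot chain: {base} re-queued {depth} times")
```

Run it against a real DrWeb.csv by reading the file into `summarise()`; the `unresolved` list is what still needs manual attention after the scan, and a `reboot_chains` depth above one is the signal that the "cure after reboot" step is not completing and a different removal route is needed.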

Response Number 113
Name: teacup61
Date: November 10, 2006 at 08:04:21 Pacific
Reply:

Very good! Most of that was in system restore, and we'll take care of it when the machine is clean. :)

Are you using Prevx as your main antivirus, or F-Secure (Shaw)? You must make sure you only have one running real-time protection, and the other must be disabled. Since you are completely unpatched here, you must also try to remain offline as much as possible until you are clean enough to update to SP2. Otherwise you'll get reinfected faster than we can get this clean. :)

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyoun...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyoun...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Navigate to and delete the following, if present:

C:\WINDOWS\update\updmgr.exe <----I'd also like to know what else is in the update folder. Please right-click on it, Properties, and tell me if it's from MS or not. DO delete the file for now. :)

Reboot your computer. Please try to run ComboFix again, and post the report from it as well as a new HijackThis log in your reply. That will be an enormous help. How is it running?

Thanks,
tea


0
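The entries teacup picks out above share a few recognisable traits: a dangling "(file missing)" reference, a service with no recognised publisher, IE search settings pointing at an unexpected host, and a Run entry whose binary sits directly in System32 where third-party autostarts rarely belong. The script below is an added example (not HijackThis itself and not the helper's checklist) that applies those heuristics to HijackThis 1.99-format lines and returns candidates for a human to review. The allowlists `TRUSTED_HOSTS` and `SYSTEM32_AUTORUNS_OK` are assumptions to adjust per machine, and the log lines are constructed samples, not the page's own log.

```python
"""Flag HijackThis log entries that deserve a second look.

Added example (not HijackThis' own code). Heuristics mirror the kinds of
entries singled out in the thread; output is a review list, not a fix list.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlists; adjust for the machine being examined.
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "google.com")
SYSTEM32_AUTORUNS_OK = {"ctfmon.exe"}

# Constructed sample lines in HijackThis 1.99 format (not the page's own log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.example-hijacker.test/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O3 - Toolbar: Example - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\tb.dll (file missing)
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# Path of the executable in an O4 Run entry, with or without surrounding quotes.
RUN_TARGET = re.compile(r'\\Run: \[[^\]]*\] "?([^"]+?\.exe)', re.IGNORECASE)
# A file that lives directly in %SystemRoot%\System32 (no subdirectory).
SYSTEM32_DIRECT = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


def host_is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def reasons_for(section, body):
    """Return the list of heuristics one log entry trips (empty if none)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no recognised publisher")
    if section in ("R0", "R1") and "http" in body:
        url = body.split(" = ", 1)[1].strip() if " = " in body else ""
        host = urlsplit(url).hostname or ""
        if not host_is_trusted(host):
            reasons.append(f"IE setting points at untrusted host {host!r}")
    if section == "O4":
        m = RUN_TARGET.search(body)
        if m:
            m2 = SYSTEM32_DIRECT.match(m.group(1))
            if m2 and m2.group(1).lower() not in SYSTEM32_AUTORUNS_OK:
                reasons.append("autostart binary placed directly in System32")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every entry that trips at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                                # header/process lines are skipped
        reasons = reasons_for(m.group(1), m.group(2))
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

A "(file missing)" hit is not proof of anything by itself (the orphaned Prevx service in the log above is the same pattern), so the output is a list to read, not a list to fix blindly; the value is in not overlooking an entry, which is exactly where the UpdateManager service in the thread shows up.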

Response Number 114
Name: bccamper
Date: November 10, 2006 at 22:16:00 Pacific
Reply:

Tea,

I do not have the machine connected to the internet anymore. Any programs I need I download from another computer onto floppy, or CD if it is too big.

I ran HijackThis and cleaned up the entries. All of them went away except the O23 UpdateManager. I tried 3 times and it doesn't fix it. I looked for the update directory under Windows and I don't see it. I even did a search of the C drive and it doesn't find it.

Next I rebooted into safe mode and uninstalled Prevx. The machine originally had F-Secure on it. I installed Prevx as I saw it on one of the posts that jabuck referred me to, and I thought it might help clean up things. Since then it seems like it might be infected and is causing more harm than good.

I then booted back to regular mode and checked Add/Remove Programs to ensure Prevx is gone. It is. I then tried HijackThis again to see if I could remove the O23 entry. Still won't go away. I then tried to run ComboFix again. It started, started again within 10 seconds, rebooted the computer and then produced a log. Here it is.

ComboFix 06.11.9 - Running from: "D:\"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Dxcdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\teller2.chk
C:\RDFX4.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\TGFycnkgUm9zcw


((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-06 05:22 3,968 --------- C:\WINDOWS\system32\drivers\avgclean.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 21:50 375808 --a------ C:\WINDOWS\system32\cmd.exe
2006-11-06 21:50 13312 --a------ C:\WINDOWS\system32\ctfmon.exe
2006-11-06 21:50 1000960 --a------ C:\WINDOWS\explorer.exe
2006-11-06 03:36 -------- d-------- C:\Program Files\XoftSpySE
2006-11-05 15:00 94208 --a------ C:\WINDOWS\ScUnin.exe
2006-11-05 14:57 57344 --a------ C:\WINDOWS\uneng.exe
2006-11-05 14:57 46080 --a------ C:\WINDOWS\setdebug.exe
2006-11-05 14:57 33792 --a------ C:\WINDOWS\Q330994.exe
2006-11-05 14:57 33792 --a------ C:\WINDOWS\oeuninst.exe
2006-11-05 14:57 33792 --a------ C:\WINDOWS\ieuninst.exe
2006-11-05 14:57 33280 --a------ C:\WINDOWS\muninst.exe
2006-11-05 14:57 28672 --a------ C:\WINDOWS\eTEZDSCl.exe
2006-11-05 14:48 37888 --a------ C:\WINDOWS\system32\MAPISRVR.exe
2006-11-05 14:48 172032 --a------ C:\WINDOWS\system32\jview.exe
2006-11-05 14:48 171520 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-05 14:48 14848 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-05 14:47 49152 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-05 14:47 30720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-11-04 11:53 -------- d-------- C:\Program Files\Java
2006-10-30 20:20 976 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-29 12:03 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-10-29 11:53 -------- d-------- C:\Program Files\Spyware Nuker
2006-10-29 11:48 -------- d-------- C:\Program Files\Uniblue
2006-10-25 22:16 16384 --a------ C:\WINDOWS\IsUninst.exe
2006-10-25 18:58 -------- d-------- C:\Program Files\PCPitstop
2006-10-25 12:21 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-25 12:15 -------- d-------- C:\Program Files\CCleaner
2006-10-25 10:03 -------- d-------- C:\Program Files\Hijackthis
2006-10-21 16:53 1259 --a------ C:\WINDOWS\system32\buq6484e.sys
2006-09-14 16:01 215308 --a------ C:\WINDOWS\srvvrkzlsg.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"=""
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,c8,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 06-11-10 22:13:01.92
C:\ComboFix.txt ... 06-11-10 22:13
C:\ComboFix3.txt ... 06-11-09 20:27
C:\ComboFix2.txt ... 06-11-09 21:23


0
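As an added example that is not part of the thread, a small Python parser for the "Reg Loading Points" layout ComboFix produces above: it lists every string value under a Run key and flags autostarts whose executable is outside an assumed allowlist or whose path uses 8.3 short names, which is exactly what the fiqz entry in the log looks like. The sample text is a constructed excerpt of that log and the allowlist is an assumption for this host.

```python
import re

# Constructed excerpt in ComboFix's "Reg Loading Points" layout (mirrors the
# log above but is a hypothetical sample, not the complete log).
SAMPLE = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\run]
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')     # "name"="string value"
KNOWN_GOOD = {'ctfmon.exe', 'zlclient.exe'}      # assumed allowlist for this host


def parse_run_entries(text):
    """Return (key, value_name, command) for every string value stored under
    a key whose leaf is 'run', i.e. a logon autostart location."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith('\\run'):
            name, raw = m.groups()
            cmd = raw.replace('\\"', '"').replace('\\\\', '\\')  # undo .reg escapes
            entries.append((key, name, cmd))
    return entries


def suspicious_entries(entries):
    """Flag autostarts whose executable is not allowlisted or whose path uses
    8.3 short names (PROGRA~1, COMMON~1), as the fiqz entry in the log does."""
    flagged = []
    for key, name, cmd in entries:
        exe = re.sub(r'^"?([^"]+?\.exe).*$', r'\1', cmd, flags=re.I)
        base = exe.rsplit('\\', 1)[-1].lower()
        if base not in KNOWN_GOOD or '~' in exe:
            flagged.append((key, name, exe))
    return flagged
```

Run against the full log, the same parser also picks up the duplicate fiqz entry under HKEY_USERS\s-1-5-18, which is why teacup later asks for a search for fiqzm.exe.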

Response Number 115
Name: teacup61
Date: November 11, 2006 at 06:07:48 Pacific
Reply:

Hello,

Can you update me real quick on how it's running please? Better, worse......?

Thanks,
tea


0

Response Number 116
Name: bccamper
Date: November 11, 2006 at 11:07:51 Pacific
Reply:

Well, right now it seems to be fine.


0

Response Number 117
Name: bccamper
Date: November 11, 2006 at 12:04:14 Pacific
Reply:

The only thing is the "O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)" entry is still around when I run hijack.


0

Response Number 118
Name: teacup61
Date: November 11, 2006 at 21:04:55 Pacific
Reply:

Hello there :)

Good to know it's running well.

Let's see about getting rid of that pesky O23.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop UpdateManager
sc delete UpdateManager
exit


Double click FixServices.bat. A window will open and close. This is normal.

Now see if the entry is gone in HijackThis.

There is also a file I'm still concerned about, so if you could, please do a search for the following file: fiqzm.exe. Delete it if it's there, and let me know if it doesn't delete. Reboot after deletion.

Once again, please let me know how the computer is running, and what problems persist, if any. :)

Thanks,
tea


0

Response Number 119
Name: bccamper
Date: November 11, 2006 at 21:53:24 Pacific
Reply:

I ran the batch file and that got rid of the O23 entry. I did a search and the only fiq* file I have is fiqz.dat in c:\windows\fiqz.

The computer is stable at the moment.


0

Response Number 120
Name: teacup61
Date: November 11, 2006 at 22:46:20 Pacific
Reply:

Wonderful news :)

Can you delete the folder fiqz?


0

Response Number 121
Name: bccamper
Date: November 11, 2006 at 22:54:15 Pacific
Reply:

Yes I deleted it.


0

Response Number 122
Name: teacup61
Date: November 12, 2006 at 08:07:26 Pacific
Reply:

Hello,

From your original post :

not allowing me to install programs, shutting down Win explorer when I select a certain directory, etc.

and then get kicked out of IE.

Have these problems been resolved?

I'd like to see a final HijackThis log, please. :) If all is well, we'll get rid of everything in system restore, and you can then update to SP2! :)))

Thanks,
tea


0

Response Number 123
Name: bccamper
Date: November 12, 2006 at 09:34:51 Pacific
Reply:

Well, jabuck and I were trying to install AVG or Avira many times without success. Should I try again? The reason is I am not sure F-Secure is installed or configured correctly, because it doesn't come up in the system tray like it should. Maybe I will try running it first. What do you think?


0

Response Number 124
Name: bccamper
Date: November 12, 2006 at 09:41:38 Pacific
Reply:

Teacup, the F-Secure that is installed looks like a spyware scanner only. I ran it and oddly enough it looks exactly like Ad-Aware SE. The screens were identical. On a positive note, I was now able to install AVG. Yahooooooo!!!!


0

Response Number 125
Name: bccamper
Date: November 12, 2006 at 10:41:55 Pacific
Reply:

Teacup I was also able to update AVG by downloading all the updates on a different machine and burning them to CD. AVG now reports that it is up to date. I am running another scan. The previous scan showed a lot of problems in the system information area as you had stated before. Before we connect to the internet again with this machine I would like to make sure AVG, Ad-Aware and Spybot run clean.


0

Response Number 126
Name: teacup61
Date: November 12, 2006 at 16:31:50 Pacific
Reply:

That's great! :))) Let me know when you're satisfied with the results of the scans and we'll finish.


0

Response Number 127
Name: bccamper
Date: November 12, 2006 at 22:21:40 Pacific
Reply:

Hi,

AVG is showing viruses and they are all in the c:\System Volume Information\_restore\.... and are all A00*.exe files. Should I ignore these for now?


0

Response Number 128
Name: bccamper
Date: November 12, 2006 at 22:40:25 Pacific
Reply:

When I ran Ad-Aware and it tried to scan the files, AVG reported them as virus infected and gave me the option of moving them to the vault, which I did. I then went and emptied the vault so I think I have got rid of them. I am running an AVG scan to be sure.


0

Response Number 129
Name: bccamper
Date: November 13, 2006 at 00:07:04 Pacific
Reply:

The AVG scan showed there are only 2 now (there were 33 before). I will run Ad-Aware again to see if I can nab the last 2.


0

Response Number 130
Name: teacup61
Date: November 13, 2006 at 06:56:26 Pacific
Reply:

If they are just cookies, then no problem.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Next :
Delete Temp Files:
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.
This should open up the temp directory that your machine uses. Please delete all files that are found there.

Delete Temporary Internet Files:
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Then update to SP2! :))

Let me know how that goes.

tea


0

Response Number 131
Name: bccamper
Date: November 13, 2006 at 09:43:03 Pacific
Reply:

I guess there is no way to update to SP2 without connecting to the internet (i.e. downloading SP2 on another computer, burning it to CD and then updating from there)? Also, jabuck and I installed ZoneAlarm. At what point should I dump this? After upgrading to SP2?


0

Response Number 132
Name: bccamper
Date: November 13, 2006 at 10:13:25 Pacific
Reply:

I now have no viruses when I run AVG. I have downloaded SP2 on a different computer and will burn it to CD and install it.


0

Response Number 133
Name: bccamper
Date: November 13, 2006 at 11:19:52 Pacific
Reply:

Okay I have SP2 installed now. I have been unable to turn on the firewall though. When I go to settings under the network connection properties, I get the following message;

Due to an unidentified problem, Windows cannot display Windows Firewall settings.

The network connection also has a yellow triangle with a black exclamation mark beside it. Is this because I have not connected to the internet yet?


0

Response Number 134
Name: teacup61
Date: November 13, 2006 at 17:41:11 Pacific
Reply:

Hello,

I see no reason why you shouldn't connect to the internet now. :)


0

Response Number 135
Name: bccamper
Date: November 13, 2006 at 22:07:04 Pacific
Reply:

I have connected to the internet now. I have resolved the issue of not being able to open the firewall settings. I found a solution on a web posting that said this is common after cleaning a machine that was heavily infected by a virus.

I am now using the internet on this machine to update and run Ad-Aware and will then do the same with Spybot.

I would like to express my greatest thanks to you and jabuck for helping get this machine back in working order. Is there any way I can send a token of gratitude, even if it is only enough to buy your favorite 24 pack, or a bottle of your favorite spirit? I really, really appreciate the help.


0

Response Number 136
Name: bccamper
Date: November 13, 2006 at 22:08:18 Pacific
Reply:

One last thing? Should I uninstall ZoneAlarm now, as I assume Windows Firewall will take care of everything?


0

Response Number 137
Name: bccamper
Date: November 13, 2006 at 22:13:53 Pacific
Reply:

Sorry, one more last last thing. Should I uninstall the programs we used to fix the computer, like CCleaner, HijackThis, Panda ActiveScan, PC Pitstop Exterminate, SpywareBlaster v3.5.1 and XoftSpySE?


0

Response Number 138
Name: teacup61
Date: November 14, 2006 at 06:39:38 Pacific
Reply:

You really need a software firewall. I run a router (hardware firewall) and Windows Firewall, and for me and my system it works. If ZoneAlarm is too heavy for your system there are others that are lighter on resources and free as well. Let me know if you need links to those. :) Actually, the programs you mentioned in your last post are fine to keep. You can run CCleaner periodically to help keep the system cleaned out. HijackThis can go if you like. I run it every once in a while just to make sure nothing has changed on my system. Run Panda periodically online... just good practice, since no one AV catches it all. ;) PCPitstop Exterminate is up to you, but you should really keep SpywareBlaster.

I honestly don't know about donations on this site. It's very nice that you offer, but jabuck will know more than I would. :)

Regards,
tea


0

Response Number 139
Name: jabuck
Date: November 14, 2006 at 14:28:49 Pacific
Reply:

A special "Thanks" to teacup61 for kindly lending the expert knowledge needed to get the poster's computer repaired and the post finalized.

Thank you for the kind offer, bccamper. Currently there is no way to donate to computing.net that I know of. Thank-yous are greatly appreciated.

Thanks for hanging in there; it was a long and difficult repair effort and you really did well.

Glad we could help.


0

Response Number 140
Name: bccamper
Date: November 15, 2006 at 09:47:36 Pacific
Reply:

Okay, one last huge thank you then. This is the second time jabuck has helped me and I'm sure it won't be the last. Cheers guys.


0
