WinAntivirusPro2006/Klone Virus

Computing.Net > Forums > Security and Virus > WinAntivirusPro2006/Klone Virus

Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free!

WinAntivirusPro2006/Klone Virus

Original Message

Name: Stabgotham
Date: October 2, 2006 at 12:55:41 Pacific
Subject: WinAntivirusPro2006/Klone Virus
OS: Win XP
CPU/Ram: 3700+
Model/Manufacturer: Home Built

Comment:

Good afternoon everyone! I've got a live one here. I cannot get rid of this Klone Virus. I'm also experiencing a ton of popups, the main one for WinAntiVirusPro 2006. I'm getting other ones as well, but I can't seem to knock this out. Here's what I've done thus far.
I've ran from a standard startup:
Ad-Aware 1.06
Spybot S&D
AVG Free
Microsoft Windows Defender
PandaSoft Active Scan
a-Squared Anti-Malware Utlity
All updates were loaded to each program. I have also run each program in safe mode as well.
Each program picks up on something different and states that the problem has been fixed. However, when I reboot, all the problems come back.
I'm running a Vundo scan right now and I have turned off system restore. Anyone have any suggestions or ideas?
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Message For Removal

Response Number 1

Name: jabuck
Date: October 2, 2006 at 13:44:19 Pacific

Reply: (edit)

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Report Offensive Follow Up For Removal

Response Number 2

Name: Stabgotham
Date: October 2, 2006 at 13:59:48 Pacific

Reply: (edit)

Here you go jabuck:
Logfile of HijackThis v1.99.1
Scan saved at 1:59:04 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asus...
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://extranet.cps.ca.gov/rd/wfica.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 3

Name: Stabgotham
Date: October 2, 2006 at 14:18:36 Pacific

Reply: (edit)

P.S. Per reading previous problems similar to mine, I ran VundoFix in safe mode. I didn't find what I believe I was supposed to. I restarted normally again and it still remains. Spybot just picked it up again.
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 4

Name: jabuck
Date: October 2, 2006 at 14:46:14 Pacific

Reply: (edit)

Rename hijackthis.exe as that sometime helps locate the baddies. Go to start> search> files and folders> type in the top space "hijackthis.exe" without the quotes> click search> when it is found in the right pane (looks like a pile of dynamite)>right click on it> click rename> rename it "show.exe" without the quotes> click a blank space on the screen.
Post a new Hijack This log.
Please download SmitRemFix from this link http://siri.urz.free.fr/Fix/SmitfraudFix.zip Then extract the contents to your desktop.
Do not run any options other than option #1 as doing so will damage the desktop of an uninfected computer.
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Report Offensive Follow Up For Removal

Response Number 5

Name: mjmusic
Date: October 4, 2006 at 00:54:25 Pacific

Reply: (edit)

I have been receiving winantivirus pop up ads for the last several weeks. I recently did a system check with the program hijack this. I was hoping if someone could help me understand which files I need to deleate in order to get the pop ups to stop. Thank you for your attention into this matter.
Logfile of HijackThis v1.99.1
Scan saved at 12:43:48 AM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MARK\Local Settings\Temp\wz4295\HijackThis.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://zzz.uv.ro/adver.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://zzz.uv.ro/adver.html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: download.windowsupdate.com
O15 - Trusted Zone: http://www.windowsupdate.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://mvod.web.aol.com/mce/new/Ser...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/s...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Report Offensive Follow Up For Removal


Klone Virus Klone Virus's Klone Virus =*( I have the Klone virus Klone Virus, Var Trojan Downloaders	Klone virus malware check Klone Virus Removing Assistance. Klone virus I also need help with Klone virus Another Victim of Klone Virus HELP

Response Number 6

Name: jabuck
Date: October 4, 2006 at 07:28:15 Pacific

Reply: (edit)

mjmusic, Start a new thread, just state the problem and do not post any logs until they are requested please.

Report Offensive Follow Up For Removal

Response Number 7

Name: Stabgotham
Date: October 5, 2006 at 14:42:09 Pacific

Reply: (edit)

Jabuck...sorry for the delay, I was out of town. Here's the smitfraud report:
SmitFraudFix v2.105
Scan done at 14:41:16.32, Thu 10/05/2006
Run from C:\Documents and Settings\Eric\My Documents\Unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eric

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eric\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eric\FAVORI~1
C:\DOCUME~1\Eric\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 8

Name: Stabgotham
Date: October 5, 2006 at 14:43:26 Pacific

Reply: (edit)

And the new Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:43:09 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\My Documents\Unzipped\hijackthis\show.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {03C18E72-CF7A-7E47-12B7-008E044819D6} - C:\Documents and Settings\Eric\Local Settings\Application Data\rqkglsk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44B69182-8D7B-4F80-9CD3-486644A44A13} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\ovjkllat.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asus...
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://extranet.cps.ca.gov/rd/wfica.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 9

Name: jabuck
Date: October 5, 2006 at 17:11:34 Pacific

Reply: (edit)

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download and install Ewido Security Suite We will need this later in safe mode
Be sure to update Ewido
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the log located at C:\vundofix.txt then continue with Combofix.
Please download ComboFix to the Desktop from this link:
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the combofix.txt log then continue
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {03C18E72-CF7A-7E47-12B7-008E044819D6} - C:\Documents and Settings\Eric\Local Settings\Application Data\rqkglsk.dll
O2 - BHO: (no name) - {44B69182-8D7B-4F80-9CD3-486644A44A13} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\ovjkllat.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
Exit Hijack This but remain in safe mode.
Navigate to and delete these files if found:
C:\Documents and Settings\Eric\Local Settings\Application Data\rqkglsk.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\ovjkllat.dll
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Post the ewido report on your desktop and a new Hijack This log please.

Report Offensive Follow Up For Removal

Response Number 10

Name: Stabgotham
Date: October 5, 2006 at 17:34:41 Pacific

Reply: (edit)

Jabuck...
Here's the Vundo txt:
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.3
Java version is 1.5.0.6
Scan started at 12:41:50 PM 10/2/2006
Listing files found while scanning....
C:\WINDOWS\system32\sidlpqan.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\sidlpqan.dll
C:\WINDOWS\system32\sidlpqan.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.3
Java version is 1.5.0.6
Scan started at 12:58:00 PM 10/2/2006
Listing files found while scanning....
No infected files were found.

VundoFix V6.2.0
Checking Java version...
Sun Java not detected
Scan started at 5:22:00 PM 10/5/2006
Listing files found while scanning....
C:\WINDOWS\system32\fsckllbr.exe
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fsckllbr.exe
C:\WINDOWS\system32\fsckllbr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mmllm.bak2
C:\WINDOWS\system32\mmllm.bak2 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmm.dll Has been deleted!
Performing Repairs to the registry.
Done!

AND HERE IS THE COMBO.TXT
Eric - 06-10-05 17:33:13.82 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Eric\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{F01C13C7-08A3-1033-1201-051115050001}

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

2006-10-05 17:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-05 16:01 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-10-05 16:01 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-10-05 16:01 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-10-05 16:00 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-10-05 16:00 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-10-05 16:00 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-10-05 16:00 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-10-05 16:00 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-10-05 16:00 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-10-05 16:00 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-10-05 16:00 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-10-03 12:13 86,036 --a------ C:\WINDOWS\system32\ovjkllat.dll
2006-10-01 09:26 94,208 --a------ C:\WINDOWS\system32\cgxwixn.dll
2006-10-01 09:26 72,704 --a------ C:\WINDOWS\system32\rqkglsk.dll
2006-09-30 19:33 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-30 19:33 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-30 19:33 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-14 22:47 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-14 22:47 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-06 20:42 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-05 17:33 -------- d-------- C:\Program Files\Common Files
2006-10-05 17:31 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-05 17:24 -------- d-------- C:\Program Files\Hijackthis
2006-10-05 17:19 -------- d-------- C:\Program Files\Grisoft
2006-10-05 16:57 -------- d-------- C:\Program Files\TweakNow RegCleaner Std
2006-10-05 16:00 -------- d-------- C:\Program Files\Webroot
2006-10-05 16:00 -------- d-------- C:\Program Files\Alwil Software
2006-10-05 16:00 -------- d-------- C:\Documents and Settings\Eric\Application Data\Webroot
2006-10-01 09:36 -------- d-------- C:\Program Files\a-squared Free
2006-09-30 20:17 -------- d-------- C:\Program Files\dvdSanta
2006-09-29 21:33 -------- d-------- C:\Documents and Settings\Eric\Application Data\Azureus
2006-09-29 21:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-29 21:22 -------- d-------- C:\Program Files\ToniArts
2006-09-29 19:05 -------- d-------- C:\Program Files\America's Army
2006-09-23 11:39 -------- d-------- C:\Program Files\JetAudio
2006-09-21 17:27 -------- d-------- C:\Program Files\BeamFile
2006-09-18 21:02 -------- d-------- C:\Documents and Settings\Eric\Application Data\wsInspector
2006-09-18 20:51 -------- d-------- C:\Program Files\Startup Inspector for Windows
2006-09-16 22:49 -------- d-------- C:\Program Files\Common Files\EasyInfo
2006-09-14 22:47 -------- d-------- C:\Program Files\America's Army Server Manager
2006-09-14 22:21 -------- d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft
2006-09-14 22:16 -------- d-------- C:\Documents and Settings\Eric\Application Data\Skype
2006-09-14 20:33 -------- d-------- C:\Program Files\Internet Explorer
2006-09-11 21:28 -------- d-------- C:\Documents and Settings\Eric\Application Data\CoreFTP
2006-09-08 02:08 -------- d-------- C:\Program Files\EA GAMES
2006-09-06 20:42 -------- d-------- C:\Program Files\EA SPORTS
2006-09-05 22:05 -------- d-------- C:\Program Files\PBCool
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 19:02 -------- d-------- C:\Program Files\Absolute Poker
2006-08-20 16:10 -------- d-------- C:\Program Files\America's Army 2.5
2006-08-17 20:01 -------- d-------- C:\Program Files\Windows Defender
2006-08-17 19:57 -------- d-------- C:\Program Files\DVD Region+CSS Free
2006-08-17 19:54 -------- d-------- C:\Program Files\AlienGUIse
2006-08-17 12:40 -------- d-------- C:\Program Files\Starcraft
2006-08-15 11:12 -------- d-------- C:\Program Files\Warcraft III
2006-08-14 20:32 -------- d-------- C:\Program Files\Ubisoft
2006-08-14 20:32 -------- d-------- C:\Documents and Settings\Eric\Application Data\InstallShield Installation Information
2006-08-11 21:45 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-08-11 21:45 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-08-11 21:45 5611520 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-08-11 21:45 5251072 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-08-11 21:45 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-08-11 21:45 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-08-11 21:45 3039232 --a------ C:\WINDOWS\system32\nvgames.dll
2006-08-11 21:45 2953216 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-08-11 21:45 2928640 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-08-11 21:45 2904064 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-08-11 21:45 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-08-11 21:45 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-08-11 21:45 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-08-11 21:45 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-08-11 21:45 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-08-11 21:44 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-08-11 21:43 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-08-11 21:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-08-11 21:43 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-08-11 21:43 7630848 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-08-11 21:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-08-11 21:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-08-11 21:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-08-11 21:43 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-08-11 21:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-08-11 21:43 196608 --a------ C:\WINDOWS\system32\nvapi.dll
2006-08-11 21:43 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-08-11 21:43 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2006-08-11 21:43 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-08-11 21:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-08-11 21:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-08-11 21:43 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-08-11 21:42 5636096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 21:42 4496128 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 21:42 3958496 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-08-11 21:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-08-09 01:29 -------- d-------- C:\Program Files\CoreFTP
2006-08-09 01:29 -------- d-------- C:\Documents and Settings\Eric\Application Data\Help
2006-08-05 16:01 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-08-01 19:27 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-01 19:27 126976 --a------ C:\WINDOWS\War3Unin.exe
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows LSASS Service"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\DAO\\svchost.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NVIDIA nTune"="\"C:\\Program Files\\NVIDIA Corporation\\nTune\\\\nTune.exe\" clear"
"nTrayFw"="\"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,da,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cgxwixn.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cgxwixn"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\cgxwixn.dll,nnedfxb"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ResChanger 2005]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ResChanger2005"
"hkey"="HKCU"
"command"="C:\\Program Files\\ResChanger 2005\\ResChanger2005.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="1"
"hkey"="HKCU"
"command"="1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Diskeeper"=dword:00000002
"UleadBurningHelper"=dword:00000002
"LightScribeService"=dword:00000002
"iPodService"=dword:00000003
"Adobe LM Service"=dword:00000003
"WebrootSpySweeperService"=dword:00000002
"AVG Anti-Spyware Guard"=dword:00000002
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"aswUpdSv"=dword:00000002
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

Completion time: Thu 10/05/2006 17:33:33.32
ComboFix.txt
ComboFix2.txt

STARTING NEXT INSRUCTIONS NOW...
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 11

Name: Stabgotham
Date: October 5, 2006 at 18:10:01 Pacific

Reply: (edit)

Jabuck...
HERE IS THE EWIDO SCAN FILE:

AVG Anti-Spyware - Scan Report

+ Created at: 6:05:27 PM 10/5/2006
+ Scan result:
C:\WINDOWS\browser.exe -> Hijacker.Small : No action taken.
:mozilla.60:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.24:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.40:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.44:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.46:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.62:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.22:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.9:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.74:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.75:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.76:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.77:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.25:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.26:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.27:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.28:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.32:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.33:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.34:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.35:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.45:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.10:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.11:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.12:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.13:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.14:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.23:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.

::Report end
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 12

Name: Stabgotham
Date: October 5, 2006 at 18:10:57 Pacific

Reply: (edit)

You didn't say, so I assumed that the followup hijackthis log you wanted was after a reboot. Here it is:

AVG Anti-Spyware - Scan Report

+ Created at: 6:05:27 PM 10/5/2006
+ Scan result:
C:\WINDOWS\browser.exe -> Hijacker.Small : No action taken.
:mozilla.60:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.24:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.40:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.44:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.46:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.62:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.22:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.9:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.74:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.75:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.76:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.77:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Reliablestats : No action taken.
:mozilla.25:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.26:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.27:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.28:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.32:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.33:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.34:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.35:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.45:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.10:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.11:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.12:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.13:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.14:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.23:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\exybj4wk.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.

::Report end
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 13

Name: Stabgotham
Date: October 5, 2006 at 18:12:33 Pacific

Reply: (edit)

SORRY...SCRATCH THAT LAST POST AS THE HIJACKTHIS LOG. ACCIDENTALLY REPOSTED THE OTHER SCAN FILE. HERE'S THE HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 6:10:48 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [nTrayFw] "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asus...
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://extranet.cps.ca.gov/rd/wfica.cab
O16 - DPF: {6697AFA6-1CD3-462E-AC0A-363EF8BCD102} (SyScan2 Control) - http://www.evga.com/Support/SyScan/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: app_filter - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 14

Name: Stabgotham
Date: October 5, 2006 at 18:34:32 Pacific

Reply: (edit)

I've done what I think it is that you do, Jabuck. I've cross-referenced all of the processes listed by HiJackThis with the process library and, if I'm right...the above HiJackThis log means I'm finally clean.
I'm running AVAST, EWIDO, SPYBOT, AD-AWARE, and PANDASCAN again just to be sure, but I've rebooted twice and no new processes have shown up on the HiJackThis log. I haven't gotten any popups either, so I'm starting to think all is finally well!
Give me the final okay, but barring any problems...I think I owe you a sincere debt of gratitude. This little b---tard was stubborn as hell. You're the best Jabuck! Thanks in advance!
Lian-Li PC61
ASUS A8N-SLI Deluxe
AMD Athlon 3700+ San Diego @ 2.6 gHz stock cooling
eVGA 7800GT
1GB Corsair DDR
WD Carviar 300gb SATA 3.0gb/s
Samsung 17" 740N Monitor
Dr. Pepper

Report Offensive Follow Up For Removal

Response Number 15

Name: jabuck
Date: October 5, 2006 at 18:43:31 Pacific

Reply: (edit)

Looking better.
Please download Killbox by Option^Explicit. If you already have "Killbox" update to this newer version.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\browser.exe
C:\WINDOWS\system32\cgxwixn.dll,nnedfxb
C:\WINDOWS\system32\cgxwixn.dll
C:\WINDOWS\system32\ovjkllat.dll
C:\WINDOWS\system32\rqkglsk.dll
Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.
Open notepad (Start Menu > Run > Type notepad and press "ok".
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cgxwixn.dll]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it Fix.reg then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Post a new combofix log please.

Report Offensive Follow Up For Removal

Response Number 16

Name: Stabgotham
Date: October 5, 2006 at 19:02:11 Pacific

Reply: (edit)

Here's the new combofix log:
Eric - 06-10-05 19:01:15.25 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Program Files\Mozilla Firefox"
((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

2006-10-05 17:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-05 16:01 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-10-05 16:01 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-10-05 16:01 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-10-05 16:00 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-10-05 16:00 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-10-05 16:00 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-10-05 16:00 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-10-05 16:00 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-09-30 19:33 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-30 19:33 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-30 19:33 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-30 19:33 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-14 22:47 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-09-14 22:47 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-09-06 20:42 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-05 19:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-05 18:28 -------- d-------- C:\Program Files\Startup Inspector for Windows
2006-10-05 18:26 -------- d-------- C:\Program Files\Hijackthis
2006-10-05 17:33 -------- d-------- C:\Program Files\Common Files
2006-10-05 17:19 -------- d-------- C:\Program Files\Grisoft
2006-10-05 16:57 -------- d-------- C:\Program Files\TweakNow RegCleaner Std
2006-10-05 16:00 -------- d-------- C:\Program Files\Alwil Software
2006-10-01 09:36 -------- d-------- C:\Program Files\a-squared Free
2006-09-30 20:17 -------- d-------- C:\Program Files\dvdSanta
2006-09-29 21:33 -------- d-------- C:\Documents and Settings\Eric\Application Data\Azureus
2006-09-29 21:22 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-29 21:22 -------- d-------- C:\Program Files\ToniArts
2006-09-29 19:05 -------- d-------- C:\Program Files\America's Army
2006-09-23 11:39 -------- d-------- C:\Program Files\JetAudio
2006-09-21 17:27 -------- d-------- C:\Program Files\BeamFile
2006-09-18 21:02 -------- d-------- C:\Documents and Settings\Eric\Application Data\wsInspector
2006-09-16 22:49 -------- d-------- C:\Program Files\Common Files\EasyInfo
2006-09-14 22:47 -------- d-------- C:\Program Files\America's Army Server Manager
2006-09-14 22:21 -------- d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft
2006-09-14 22:16 -------- d-------- C:\Documents and Settings\Eric\Application Data\Skype
2006-09-14 20:33 -------- d-------- C:\Program Files\Internet Explorer
2006-09-11 21:28 -------- d-------- C:\Documents and Settings\Eric\Application Data\CoreFTP
2006-09-08 02:08 -------- d-------- C:\Program Files\EA GAMES
2006-09-06 20:42 -------- d-------- C:\Program Files\EA SPORTS
2006-09-05 22:05 -------- d-------- C:\Program Files\PBCool
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 19:02 -------- d-------- C:\Program Files\Absolute Poker
2006-08-20 16:10 -------- d-------- C:\Program Files\America's Army 2.5
2006-08-17 20:01 -------- d-------- C:\Program Files\Windows Defender
2006-08-17 19:57 -------- d-------- C:\Program Files\DVD Region+CSS Free
2006-08-17 19:54 -------- d-------- C:\Program Files\AlienGUIse
2006-08-17 12:40 -------- d-------- C:\Program Files\Starcraft
2006-08-15 11:12 -------- d-------- C:\Program Files\Warcraft III
2006-08-14 20:32 -------- d-------- C:\Program Files\Ubisoft
2006-08-14 20:32 -------- d-------- C:\Documents and Settings\Eric\Application Data\InstallShield Installation Information
2006-08-11 21:45 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-08-11 21:45 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-08-11 21:45 5611520 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-08-11 21:45 5251072 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-08-11 21:45 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-08-11 21:45 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-08-11 21:45 3039232 --a------ C:\WINDOWS\system32\nvgames.dll
2006-08-11 21:45 2953216 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-08-11 21:45 2928640 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-08-11 21:45 2904064 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-08-11 21:45 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-08-11 21:45 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-08-11 21:45 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-08-11 21:45 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-08-11 21:45 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-08-11 21:44 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-08-11 21:43 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-08-11 21:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-08-11 21:43 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-08-11 21:43 7630848 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-08-11 21:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-08-11 21:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-08-11 21:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-08-11 21:43 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-08-11 21:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-08-11 21:43 196608 --a------ C:\WINDOWS\system32\nvapi.dll
2006-08-11 21:43 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-08-11 21:43 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2006-08-11 21:43 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-08-11 21:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-08-11 21:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-08-11 21:43 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-08-11 21:42 5636096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 21:42 4496128 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 21:42 3958496 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-08-11 21:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-08-09 01:29 -------- d-------- C:\Program Files\CoreFTP
2006-08-09 01:29 -------- d-------- C:\Documents and Settings\Eric\Application Data\Help
2006-08-05 16:01 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-08-01 19:27 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-01 19:27 126976 --a------ C:\WINDOWS\War3Unin.exe
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"NVIDIA nTune"="\"C:\\Program Files\\NVIDIA Corporation\\nTune\\\\nTune.exe\" clear"
"nTrayFw"="\"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,da,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RegistryMechanic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ResChanger 2005]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ResChanger2005"
"hkey"="HKCU"
"command"="C:\\Program Files\\ResChanger 2005\\ResChanger2005.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Wi