
Removal Trojan Downloader Generic HGT etc.

Discussion in 'Malware and Virus Removal Archive' started by LarryB227, 2006/08/28.

Thread Status:
Not open for further replies.
  1. 2006/08/28
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    I think I have several problems on this Dell laptop with XP home.
    IE appears to be compromised as it will not open without blinking rapidly.
    When I scan with AVG several Trojans are found. I can "heal" them but they come back on restart. Also on restart I see in the task manager a file called Project1.
    Here is what I've done so far.
    Turned restore off.
    Disconnected from the internet (actually I can't get on the internet so won't be able to send HJT)
    Scanned with the following
    cwshredder
    Ad-Aware
    Spybot
    Ewido
    AVG
    Then went into Safe Mode and scanned all of this again.
    I have made some improvement but it is still not right. On startup I get a couple of DLL files that appear to be missing and AVG finds the Trojan again.

    Any help will be greatly appreciated
    LarryB227
     
  2. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to the forums Larry.

    Whenever dealing with malwares it's never good to turn off system restore. In the case of something catastrophic happening, you have no way to restore your system to some type of working order. An infected system is better than no system and having to reformat.

    If this machine cannot get to the Net you're going to have to DL HijackThis from another computer onto a floppy and run it, then post the log for us to look at.

    Don't bother with CWShredder, it's not going to do anything with any threats you have.
     


  4. 2006/08/28
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    Well I was able to get the net via a wireless connection. Here is my HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:27:57 AM, on 8/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ishost.exe
    C:\WINDOWS\system32\ismon.exe
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\isnotify.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\dfndrff_13.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\ms05352127-1262.exe
    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\sys011262352127-.exe
    C:\WINDOWS\win3208127-1262352.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\cvn0.exe
    C:\WINDOWS\system32\n9nyb.exe
    C:\WINDOWS\system32\wfxqhv.exe
    C:\WINDOWS\system32\ghynf.exe
    C:\WINDOWS\system32\zqskw.exe
    C:\WINDOWS\sys02262352127-1.exe
    C:\WINDOWS\system32\czuehf.exe
    C:\WINDOWS\system32\ha3f.exe
    C:\WINDOWS\system32\fufudc.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\svcs.exe
    C:\Program Files\PSLister\PSLister.exe
    C:\DOCUME~1\CHARLY~1\MYDOCU~1\DOBE~1\mmc.exe
    C:\Program Files\Common Files\s?curity\?ti2evxx.exe
    C:\WINDOWS\TEMP\idd36B.tmp.exe
    C:\DOCUME~1\CHARLY~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\DOCUME~1\CHARLY~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opera.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll
    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt1.dll
    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g10158203.dll
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: SEARCHESSISTANT Search - {4E7BD74F-2B8D-469F-83B8-BD2AE6D9FA2E} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O3 - Toolbar: SEARCHESSISTANT Related - {4E7BD74F-2B8D-469E-83B8-BD2AE6D9FA2E} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_13.exe
    O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_13.exe
    O4 - HKLM\..\Run: [ms05352127-1262] C:\WINDOWS\ms05352127-1262.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
    O4 - HKLM\..\Run: [sys011262352127-] C:\WINDOWS\sys011262352127-.exe
    O4 - HKLM\..\Run: [dkyfjd] C:\WINDOWS\system32\etunjf.exe reg_run
    O4 - HKLM\..\Run: [win3208127-1262352] C:\WINDOWS\win3208127-1262352.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_13.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
    O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
    O4 - HKLM\..\Run: [sys02262352127-1] C:\WINDOWS\sys02262352127-1.exe
    O4 - HKLM\..\Run: [RreN4HW] C:\WINDOWS\system32\czuehf.exe
    O4 - HKLM\..\Run: [FQQERQ] "C:\WINDOWS\system32\kcnzrop6.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [ttool] C:\WINDOWS\svcs.exe
    O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
    O4 - HKCU\..\Run: [kwui] C:\PROGRA~1\COMMON~1\kwui\kwuim.exe
    O4 - HKCU\..\Run: [ahggk] C:\WINDOWS\system32\etunjf.exe reg_run
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\CHARLY~1\MYDOCU~1\DOBE~1\mmc.exe" -vt yax
    O4 - HKCU\..\Run: [Oqpnsn] C:\Program Files\Common Files\s?curity\?ti2evxx.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O20 - Winlogon Notify: ddaby - ddaby.dll (file missing)
    O20 - Winlogon Notify: h618 - C:\WINDOWS\g587187.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\lv0s09d7e.dll (file missing)
    O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\gp42l3ho1.dll (file missing)
    O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\p68q0gl5e6q.dll (file missing)
    O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    Thanks
    LarryB227
     
  5. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    YIKES!! :eek: What a mess you got there. :p

    Let's run a specialised tool and a scan. Tho I don't know how long it will take for your dial up to DL the scanner, at the very least, the one tool is a single file.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


    After that, download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
    2. Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan and the ComboFix along with a fresh HJT log file too.
     
  6. 2006/08/28
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    I am letting combofix.exe run now but thought you might like to know it scanned, several run errors popped up, then it restarted, then when the desktop came back it just sat there. I double clicked the combofix icon again and it began again. Then I got a vSg21 run error 35756 and a tape G22 run error 35756. It also said it could not find Rundll file. This was all in the desktop messages, not in combofix. Presently it has only the desktop picture and no icons and I have no indication that anything is happening. I have waited for the computer to do something with no luck so I rebooted but I do not have the log you requested from combofix.
    Thanks
    LarryB227
     
    Last edited: 2006/08/28
  7. 2006/08/28
    LarryB227

    LarryB227 Inactive Thread Starter

    Joined:
    2006/08/28
    Messages:
    25
    Likes Received:
    0
    Here is combofix

    Charly Brantley - 06-08-28 15:49:50.42
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Charly Brantley\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\system32\isnotify.exe
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\ixt1.dll

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1\??pPatch
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1\?ti2evxx.exe
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1\w?crtupd.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-28 to 2006-08-28 ))))))))))))))))))))))))))))))))))


    2006-08-28 15:50 45,056 --a------ C:\WINDOWS\system32fufudc.exe
    2006-08-28 15:50 24,576 --a------ C:\WINDOWS\system32ha3f.exe
    2006-08-28 15:46 45,056 --a------ C:\WINDOWS\system32\fufudc.exe
    2006-08-28 15:46 24,576 --a------ C:\WINDOWS\system32\ha3f.exe
    2006-08-28 14:02 28,672 --a------ C:\WINDOWS\system32\ra8pv.exe
    2006-08-27 20:44 98 --a------ C:\WINDOWS\taskmen32.pif
    2006-08-27 19:55 28,672 --a------ C:\WINDOWS\system32ra8pv.exe
    2006-08-27 19:54 2 --a------ C:\WINDOWS\system32\wcpsvit.exe
    2006-08-27 19:53 215,308 --a------ C:\WINDOWS\srvejadcjf.exe
    2006-08-27 19:52 365,568 --a------ C:\814.exe
    2006-08-20 16:41 214,752 --a------ C:\Setup100.exe
    2006-08-20 16:33 186,219 --a------ C:\WINDOWS\srvhykkohp.exe
    2006-08-20 16:30 15,872 --a------ C:\WINDOWS\system32\winjvd32.dll
    2006-08-20 16:27 1,167 --a------ C:\WINDOWS\system32\xxo4a232.sys
    2006-08-20 16:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll
    2006-08-20 16:21 214,748 --a------ C:\WINDOWS\Setup90.exe
    2006-08-20 16:20 115,160 --a------ C:\WINDOWS\Eim03.exe
    2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nsoA5.dll
    2006-07-31 12:25 24,576 --a------ C:\WINDOWS\system32\ewxcksr.exe
    2006-07-31 12:25 135,168 --a------ C:\WINDOWS\system32\czuehf.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2006-08-28 14:35 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-28 13:56 -------- d-------- C:\Program Files\Common Files
    2006-08-28 10:29 -------- d-------- C:\Program Files\Hijackthis
    2006-08-28 08:07 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\AVG7
    2006-08-27 19:55 -------- d-------- C:\Program Files\SEARCHESSISTANT Toolbar
    2006-08-27 17:21 -------- d-------- C:\Program Files\AIM
    2006-08-27 15:34 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-27 15:34 -------- d-------- C:\Program Files\AOL
    2006-08-27 09:27 -------- d-------- C:\Program Files\Messenger
    2006-08-27 08:03 776096 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-08-27 08:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-08-27 08:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-08-27 08:03 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-27 08:03 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-08-27 08:02 -------- d-------- C:\Program Files\Grisoft
    2006-08-27 07:39 -------- d-------- C:\Program Files\XoftSpy
    2006-08-27 07:39 -------- d-------- C:\Program Files\Common Files\kwui
    2006-08-27 07:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-25 09:20 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-20 17:44 -------- d-------- C:\Program Files\MSN
    2006-08-20 16:32 -------- d-------- C:\Program Files\Online Services
    2006-08-18 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 20:52 -------- d-------- C:\Program Files\Super DX-Ball
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 11:32 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\Yahoo!
    2006-07-22 11:31 -------- d-------- C:\Program Files\Yahoo!
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
    "MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "xxo4a232"="RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "RreN4HW"="C:\\WINDOWS\\system32\\czuehf.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
    "PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
    "kwui"="C:\\PROGRA~1\\COMMON~1\\kwui\\kwuim.exe"
    "Sen"="\"C:\\DOCUME~1\\CHARLY~1\\MYDOCU~1\\DOBE~1\\mmc.exe\" -vt yax"
    "Oqpnsn"="C:\\Program Files\\Common Files\\s?curity\\?ti2evxx.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Online Services\\kyze.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Messenger\\howyny.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,f8,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
    "backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe"
    "item"="Digital Line Detect"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
    "backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE"
    "item"="MyWebSearch Email Plugin"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
    "backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe"
    "item"="QuickBooks Update Agent"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path"="C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
    "backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
    "item"="LimeWire On Startup"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path"="C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
    "backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE"
    "item"="MyWebSearch Email Plugin"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="aim"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="atiptaxx"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="quickset"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DSAgnt"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dla]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="tfswctrl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDLauncher]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DVDLauncher"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AOLHostManager"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\AOL\\1125277778\\ee\\AOLHostManager.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ifrmewrk"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ISUSPM"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="issch"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="mm_tray"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="mwsoemon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PCMService"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RealPlay"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Begone]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="freescan"
    "hkey"="HKCU"
    "command"="C:\\freescan\\freescan.exe -FastScan"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="swdoctor"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SNDMon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "THGuard "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\" "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaby
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\h618
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-08-28 15:50:50.35
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
  8. 2006/08/28
    LarryB227

    LarryB227 Inactive Thread Starter

    I do seem to be able to send the logs you require as I continually get messages that my message is too short or too long, and it is difficult to cut these up in such a small window. Can you help?
    LarryB227
     
  9. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    I'm afraid there is not much I can do about the length of the logs being more than the forum can handle. If need be, just post them in more than one reply, sorry about that.

    Most of the errors are related to the rootkit, and here is how we remove the rootkit in question:
    1. Download gmer from http://www.gmer.net
    2. Save it somewhere safe & unzip it to desktop
    3. Double click the gmer.exe to run it and select the rootkit tab, press scan
    4. When it has finished, right-click the entry highlighted in red - [System] pe386
    5. Select 'Delete the service' & then reboot your machine.

    Then give me a fresh ComboFix logfile along with a new HJT logfile please, being sure to run the Combo Fix first then HJT.

    We will have some more tools to run and clean up will take some time, but I'm confident we can do so without a reformat.
     
  10. 2006/08/29
    LarryB227

    LarryB227 Inactive Thread Starter

    Here is combofix, and I have run gmer twice and keep getting the blue screen crash. I will continue trying.

    Charly Brantley - 06-08-29 8:50:27.98
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Charly Brantley\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1\??pPatch
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1\?ti2evxx.exe
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1\w?crtupd.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


    2006-08-28 15:50 45,056 --a------ C:\WINDOWS\system32fufudc.exe
    2006-08-28 15:50 24,576 --a------ C:\WINDOWS\system32ha3f.exe
    2006-08-28 15:46 45,056 --a------ C:\WINDOWS\system32\fufudc.exe
    2006-08-28 15:46 24,576 --a------ C:\WINDOWS\system32\ha3f.exe
    2006-08-28 14:02 28,672 --a------ C:\WINDOWS\system32\ra8pv.exe
    2006-08-27 20:44 98 --a------ C:\WINDOWS\taskmen32.pif
    2006-08-27 19:55 28,672 --a------ C:\WINDOWS\system32ra8pv.exe
    2006-08-27 19:54 2 --a------ C:\WINDOWS\system32\wcpsvit.exe
    2006-08-27 19:53 215,308 --a------ C:\WINDOWS\srvejadcjf.exe
    2006-08-27 19:52 365,568 --a------ C:\814.exe
    2006-08-20 16:41 214,752 --a------ C:\Setup100.exe
    2006-08-20 16:33 186,219 --a------ C:\WINDOWS\srvhykkohp.exe
    2006-08-20 16:30 15,872 --a------ C:\WINDOWS\system32\winjvd32.dll
    2006-08-20 16:27 1,167 --a------ C:\WINDOWS\system32\xxo4a232.sys
    2006-08-20 16:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll
    2006-08-20 16:21 214,748 --a------ C:\WINDOWS\Setup90.exe
    2006-08-20 16:20 115,160 --a------ C:\WINDOWS\Eim03.exe
    2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nsoA5.dll
    2006-07-31 12:25 24,576 --a------ C:\WINDOWS\system32\ewxcksr.exe
    2006-07-31 12:25 135,168 --a------ C:\WINDOWS\system32\czuehf.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-29 08:00 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\AVG7
    2006-08-28 16:11 -------- d-------- C:\Program Files\Hijackthis
    2006-08-28 16:08 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-28 13:56 -------- d-------- C:\Program Files\Common Files
    2006-08-27 19:55 -------- d-------- C:\Program Files\SEARCHESSISTANT Toolbar
    2006-08-27 17:21 -------- d-------- C:\Program Files\AIM
    2006-08-27 15:34 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-27 15:34 -------- d-------- C:\Program Files\AOL
    2006-08-27 09:27 -------- d-------- C:\Program Files\Messenger
    2006-08-27 08:03 776096 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-08-27 08:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-08-27 08:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-08-27 08:03 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-27 08:03 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-08-27 08:02 -------- d-------- C:\Program Files\Grisoft
    2006-08-27 07:39 -------- d-------- C:\Program Files\XoftSpy
    2006-08-27 07:39 -------- d-------- C:\Program Files\Common Files\kwui
    2006-08-27 07:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-25 09:20 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-20 17:44 -------- d-------- C:\Program Files\MSN
    2006-08-20 16:32 -------- d-------- C:\Program Files\Online Services
    2006-08-18 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 20:52 -------- d-------- C:\Program Files\Super DX-Ball
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 11:32 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\Yahoo!
    2006-07-22 11:31 -------- d-------- C:\Program Files\Yahoo!
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "C:\\Program Files\\Apoint\\Apoint.exe "
    "MMTray "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "xxo4a232 "= "RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41 "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "
    "RreN4HW "= "C:\\WINDOWS\\system32\\czuehf.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "
    "PSLister "= "\ "C:\\Program Files\\PSLister\\PSLister.exe\" "
    "kwui "= "C:\\PROGRA~1\\COMMON~1\\kwui\\kwuim.exe "
    "Sen "= "\ "C:\\DOCUME~1\\CHARLY~1\\MYDOCU~1\\DOBE~1\\mmc.exe\" -vt yax "
    "Oqpnsn "= "C:\\Program Files\\Common Files\\s?curity\\?ti2evxx.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Online Services\\kyze.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\Messenger\\howyny.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,f8,03,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item "= "Digital Line Detect "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk "
    "backup "= "C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
    "item "= "QuickBooks Update Agent "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk "
    "backup "= "C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup "
    "item "= "LimeWire On Startup "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "aim "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ccApp "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "quickset "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Dell\\QuickSet\\quickset.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DSAgnt "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dla]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "tfswctrl "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDLauncher]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DVDLauncher "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "AOLHostManager "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Common Files\\AOL\\1125277778\\ee\\AOLHostManager.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ifrmewrk "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ISUSPM "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "issch "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mm_tray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mwsoemon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "PCMService "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "qttask "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RealPlay "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Begone]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "freescan "
    "hkey "= "HKCU "
    "command "= "C:\\freescan\\freescan.exe -FastScan "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "swdoctor "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SNDMon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "THGuard "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\" "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaby
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\h618
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-08-29 8:51:22.39
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
    ComboFix4.txt
     
  11. 2006/08/29
    LarryB227

    LarryB227 Inactive Thread Starter

    Here is the latest HJT after the combofix report and after I was unable to run gmer successfully.

    Logfile of HijackThis v1.99.1
    Scan saved at 09:08, on 06-08-29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\czuehf.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ha3f.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\fufudc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\explorer.exe
    C:\DOCUME~1\CHARLY~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opera.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll (file missing)
    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g10158203.dll (file missing)
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RreN4HW] C:\WINDOWS\system32\czuehf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe "
    O4 - HKCU\..\Run: [kwui] C:\PROGRA~1\COMMON~1\kwui\kwuim.exe
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\CHARLY~1\MYDOCU~1\DOBE~1\mmc.exe" -vt yax
    O4 - HKCU\..\Run: [Oqpnsn] C:\Program Files\Common Files\s?curity\?ti2evxx.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
    O20 - Winlogon Notify: ddaby - ddaby.dll (file missing)
    O20 - Winlogon Notify: h618 - C:\WINDOWS\g587187.dll (file missing)
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
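
The HijackThis log in the post above can be triaged mechanically. The following is an added example, not part of the original thread and not HijackThis's own code: it parses the `<section> - <entry>` lines, collects entries that HijackThis itself marked `(file missing)` or `(no file)`, and flags `Run` values that launch `rundll32` with a DLL name that has no directory. The function names are hypothetical, and the sample input is a constructed subset of lines copied from that log.

```python
import re
from typing import NamedTuple

# Constructed sample: a subset of lines copied from the HijackThis log in the
# post above, plus two non-entry lines to show that they are skipped.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g10158203.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: ddaby - ddaby.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
"""


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4" or "O20"
    body: str     # everything after "<code> - "


# A log entry starts with a section code (R, F, N or O plus a number).
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Markers HijackThis appends when the registry points at a file that is gone.
# The marker is not always last on the line (see the O9 entry above).
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)", re.I)
# O4 registry autoruns look like: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(
    r"^HK\w+\\(?:[^\\]+\\)?\.\.\\Run\w*:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$"
)
# rundll32 followed by its first argument, the DLL to load.
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",\s]+)', re.I
)


def parse_entries(log_text):
    """Return every '<section> - <body>' line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def orphaned(entries):
    """Entries whose target file HijackThis reported as absent."""
    return [e for e in entries if ORPHAN_RE.search(e.body)]


def bare_rundll_autoruns(entries):
    """Run values that start rundll32 on a DLL given without a directory.

    Such a value depends on the DLL search path, and once the DLL has been
    removed it produces a RunDLL 'module not found' error at every logon
    until the Run value itself is deleted.
    """
    hits = []
    for entry in entries:
        if entry.section != "O4":
            continue
        run = RUN_RE.match(entry.body)
        if not run:
            continue
        dll = RUNDLL_RE.match(run.group("cmd"))
        if dll and not re.search(r"[\\/]", dll.group("dll")):
            hits.append((run.group("name"), dll.group("dll")))
    return hits


def triage(log_text):
    """Summarise a log: entry count, orphans grouped by section, bare rundll32 autoruns."""
    entries = parse_entries(log_text)
    by_section = {}
    for entry in orphaned(entries):
        by_section.setdefault(entry.section, []).append(entry.body)
    return {
        "total": len(entries),
        "orphaned": by_section,
        "bare_rundll": bare_rundll_autoruns(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("entries parsed:", report["total"])
    for section, bodies in sorted(report["orphaned"].items()):
        for body in bodies:
            print("orphaned", section, "-", body)
    for name, dll in report["bare_rundll"]:
        print("rundll32 autorun without a path:", name, "->", dll)
```

An orphaned entry is leftover registry data rather than proof of an active infection; it tells the reviewer which values to clean up and which file names to search for elsewhere in the logs.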
     
  12. 2006/08/29
    TeMerc

    TeMerc Inactive Alumni

    OK, well did you get any errors with Gmer or it just blue screened? Let me know so I can pass it on to the developer.

    And oddly enough, it looks like the rk is no longer showing up in the Combo log file.

    I'll be getting to this later in the day, I have school to get to this morning and then I'll tackle these logs.
     
  13. 2006/08/29
    LarryB227

    I ran it three times as the first two ended in the blue screen, so I rebooted and ran it again; this time no errors and it did not blue screen.
    We are gaining on it as it stays on the internet just fine and I have downloaded a few updates to Ewido and AVG so I thought I would run both of them again. See you when you have a chance. Thanks LarryB
     
  14. 2006/08/29
    LarryB227

    One added note: When I reboot I get an error that says

    Rundll error
    w0275b41.dll module not found.

    After the update on Ewido I ran it and it found no problems.

    Thanks Larryb
     
  15. 2006/08/29
    TeMerc

    No worries, that's related to the infection.

    Let's get on with it!!

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please download the Killbox. Save it to the desktop, but do not run it yet.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe) Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.


    Please go to Add/Remove, and if found, uninstall the following:
    Spyware Begone
    AWS\Weatherbug



    We need to stop Terminal Connections service:
    Go to: Start > Run > type "services.msc", then click OK

    Scroll down to the Terminal Connections service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled", click Apply, then OK.


    Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es) if present:
    C:\WINDOWS\system32\czuehf.exe
    C:\WINDOWS\system32\ha3f.exe
    C:\WINDOWS\system32\fufudc.exe



    1) Now go back to Killbox and run it.
    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32fufudc.exe
    C:\WINDOWS\system32ha3f.exe
    C:\WINDOWS\system32\fufudc.exe
    C:\WINDOWS\system32\ha3f.exe
    C:\WINDOWS\system32\ra8pv.exe
    C:\WINDOWS\taskmen32.pif
    C:\WINDOWS\system32ra8pv.exe
    C:\WINDOWS\system32\wcpsvit.exe
    C:\WINDOWS\srvejadcjf.exe
    C:\814.exe
    C:\Setup100.exe
    C:\WINDOWS\srvhykkohp.exe
    C:\WINDOWS\system32\winjvd32.dll
    C:\WINDOWS\system32\xxo4a232.sys
    C:\WINDOWS\Setup90.exe
    C:\WINDOWS\Eim03.exe
    C:\WINDOWS\system32\nsoA5.dll
    C:\WINDOWS\system32\ewxcksr.exe
    C:\WINDOWS\system32\czuehf.exe
    C:\Program Files\Common Files\kwui
    C:\\Program Files\Common Files\s?curity
    C:\\Program Files\Messenger\howyny.html
    C:\WINDOWS\system32\terminals.exe
    C:\WINDOWS\g587187.dll
    ddaby.dll
    C:\WINDOWS\system32\xeymi.dll
    C:\WINDOWS\system32\admparsek.dll
    C:\WINDOWS\g10158203.dll
    C:\WINDOWS\system32\urroxtl.dll



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Do not reboot; instead run HijackThis and look over the following entries I have listed (some may not be present due to previous steps), check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)


    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll (file missing)

    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00322} - C:\WINDOWS\g10158203.dll (file missing)

    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)

    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)


    O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41

    O4 - HKLM\..\Run: [RreN4HW] C:\WINDOWS\system32\czuehf.exe

    O4 - HKCU\..\Run: [kwui] C:\PROGRA~1\COMMON~1\kwui\kwuim.exe

    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\CHARLY~1\MYDOCU~1\DOBE~1\mmc.exe" -vt yax

    O4 - HKCU\..\Run: [Oqpnsn] C:\Program Files\Common Files\s?curity\?ti2evxx.exe


    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing


    O15 - Trusted Zone: *.elitemediagroup.net


    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123


    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll


    O20 - Winlogon Notify: ddaby - ddaby.dll (file missing)

    O20 - Winlogon Notify: h618 - C:\WINDOWS\g587187.dll (file missing)

    O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll


    O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)


    O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)


    Reboot and run Combo Fix, save the log, then run HJT, save that log and post both back here for me to review.
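
The following is an added example, not part of the post above and not code from HijackThis or any tool named in this thread: a small parser that pre-sorts HijackThis log lines the way the fix list above can be read. The sample lines are copied from the logs in this thread; the four heuristics and their labels are assumptions made for illustration, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Section codes seen in this thread's HijackThis logs, with a short label.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URLSearchHook", "O2": "Browser Helper Object",
    "O4": "Autostart (Run key)", "O9": "IE extra button",
    "O10": "Winsock LSP", "O15": "Trusted Zone",
    "O16": "ActiveX download (DPF)", "O18": "Protocol filter",
    "O20": "Winlogon Notify", "O21": "ShellServiceObjectDelayLoad",
    "O23": "Service",
}

ENTRY_RE = re.compile(r"^\s*([RO]\d{1,2}) - (.+?)\s*$")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*")          # drive-letter paths only, not URLs
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)")
RUNDLL_RE = re.compile(r"(?i)\brundll32(?:\.exe)?\s+([^\s,]+\.dll)")

# Lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [xxo4a232] RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41
O4 - HKCU\..\Run: [Oqpnsn] C:\Program Files\Common Files\s?curity\?ti2evxx.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
"""


@dataclass
class Entry:
    code: str
    body: str
    reasons: list = field(default_factory=list)

    @property
    def section(self):
        return SECTIONS.get(self.code, "unknown section")


def parse(log_text):
    """Return one Entry per line that looks like '<code> - <body>'."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Attach reason labels (illustrative heuristics, assumptions of this example)."""
    body = entry.body
    # Registration still present but the target is gone: leftover load point.
    if ORPHAN_RE.search(body):
        entry.reasons.append("orphaned")
    # Assumption: '?' inside a Windows path marks a character the log could not
    # render, e.g. '?ti2evxx.exe' beside the real 'Ati2evxx.exe' service binary.
    if any("?" in p for p in WIN_PATH_RE.findall(body)):
        entry.reasons.append("unrenderable-char")
    # rundll32 given a DLL with no directory, so it is found via the search path.
    m = RUNDLL_RE.search(body)
    if m and "\\" not in m.group(1):
        entry.reasons.append("bare-dll")
    # Service binary with no vendor information in the log.
    if entry.code == "O23" and " - Unknown owner - " in body:
        entry.reasons.append("unknown-owner")
    return entry


def triage_log(log_text):
    return [triage(e) for e in parse(log_text)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        tag = ",".join(e.reasons) if e.reasons else "review manually"
        print(f"{e.code:<4}{e.section:<28}{tag:<26}{e.body}")
```

The winjvd32 Winlogon Notify entry and the O16 download both come back with no reason label even though both are on the fix list above, so a pre-sort like this narrows the reading but does not replace it.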
     
  16. 2006/08/30
    LarryB227

    I am up to running Killbox and it does not seem to be doing anything. When I selected All Files it just sits there and the All Files blinks.
    Larryb
     
  17. 2006/08/30
    LarryB227

    I have let Killbox run for better than an hour and nothing is happening except the All Files blinks. I do not see the HD access light lighting either. I'll hold off till I hear from you.
     
  18. 2006/08/30
    LarryB227

    Oops, I see what I am doing incorrectly: I did not copy the file names into Killbox. You do not need to answer these last few posts.
    Larryb
     
  19. 2006/08/30
    LarryB227

    After the above here is the combofix log

    Charly Brantley - 06-08-30 10:54:32.12
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Charly Brantley\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1
    C:\QooBox\Purity\Documents and Settings\Charly Brantley\My Documents\DOBE~1\??pPatch
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\SCURIT~1\?ti2evxx.exe
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1\w?crtupd.exe


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))


    2006-08-29 09:50 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
    2006-08-29 09:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
    2006-08-29 09:50 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
    2006-08-20 16:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-30 08:00 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\AVG7
    2006-08-29 13:14 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-29 09:59 -------- d-------- C:\Program Files\TrojanHunter 4.2
    2006-08-29 09:54 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-08-29 09:54 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-08-29 09:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-28 13:56 -------- d-------- C:\Program Files\Common Files
    2006-08-27 19:55 -------- d-------- C:\Program Files\SEARCHESSISTANT Toolbar
    2006-08-27 17:21 -------- d-------- C:\Program Files\AIM
    2006-08-27 15:34 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-27 15:34 -------- d-------- C:\Program Files\AOL
    2006-08-27 09:27 -------- d-------- C:\Program Files\Messenger
    2006-08-27 08:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-08-27 08:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-08-27 08:03 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-08-27 08:02 -------- d-------- C:\Program Files\Grisoft
    2006-08-27 07:39 -------- d-------- C:\Program Files\XoftSpy
    2006-08-27 07:39 -------- d-------- C:\Program Files\Common Files\kwui
    2006-08-27 07:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-20 17:44 -------- d-------- C:\Program Files\MSN
    2006-08-20 16:32 -------- d-------- C:\Program Files\Online Services
    2006-08-18 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-10 20:52 -------- d-------- C:\Program Files\Super DX-Ball
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 11:32 -------- d-------- C:\Documents and Settings\Charly Brantley\Application Data\Yahoo!
    2006-07-22 11:31 -------- d-------- C:\Program Files\Yahoo!
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "C:\\Program Files\\Apoint\\Apoint.exe "
    "MMTray "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "xxo4a232 "= "RUNDLL32.EXE w0275b41.dll,n 0034a22f000000110275b41 "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "PSLister "= "\ "C:\\Program Files\\PSLister\\PSLister.exe\" "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Online Services\\kyze.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\Messenger\\howyny.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,f8,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item "= "Digital Line Detect "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk "
    "backup "= "C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
    "item "= "QuickBooks Update Agent "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk "
    "backup "= "C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup "
    "item "= "LimeWire On Startup "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Charly Brantley^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    "path "= "C:\\Documents and Settings\\Charly Brantley\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk "
    "backup "= "C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
    "item "= "MyWebSearch Email Plugin "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "aim "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\AIM\\aim.exe -cnetwait.odl "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "atiptaxx "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ccApp "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Dell QuickSet]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "quickset "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Dell\\QuickSet\\quickset.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DSAgnt "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dla]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "tfswctrl "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DVDLauncher]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DVDLauncher "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "AOLHostManager "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Common Files\\AOL\\1125277778\\ee\\AOLHostManager.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IntelWireless]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ifrmewrk "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ISUSPM "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "issch "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mm_tray "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mwsoemon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "PCMService "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "qttask "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RealPlay "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Begone]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "freescan "
    "hkey "= "HKCU "
    "command "= "C:\\freescan\\freescan.exe -FastScan "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Spyware Doctor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "swdoctor "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "jusched "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SNDMon "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "THGuard "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\" "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-08-30 10:55:30.78
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
    ComboFix4.txt
     
  20. 2006/08/30
    LarryB227

     
  21. 2006/08/30
    LarryB227

     