
Hjt Log

Discussion in 'Malware and Virus Removal Archive' started by NELLEBL, 2006/09/20.

  1. 2006/09/23
    NELLEBL (Thread Starter)
    NEDZAD - 06-09-23 14:49:38.20 Service Pack 2
    ComboFix 06.09.21 - Running from: "C:\Documents and Settings\NEDZAD\Desktop\New Folder (2)"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\windows\Duce6.exe

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1\nslookup.exe
    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1\?icrosoft
    C:\QooBox\Purity\Program Files\SMANTE~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-23 to 2006-09-23 ))))))))))))))))))))))))))))))))))


    2006-09-23 01:13 163,840 --a------ C:\WINDOWS\sys09403303096.exe
    2006-09-21 01:24 46,592 --a------ C:\WINDOWS\system32\zlbw.dll
    2006-09-21 01:23 54,484 --a------ C:\WINDOWS\system32\image.gif.exe
    2006-09-16 21:36 163,840 --a------ C:\WINDOWS\sys033030964032006.exe
    2006-09-14 00:58 69,616 --a------ C:\WINDOWS\system32\lzx32.sys
    2006-09-14 00:39 126,976 --ah----- C:\WINDOWS\system32\tbhogt.dll
    2006-09-13 00:46 76,288 --a--c--- C:\owodkr.exe
    2006-09-13 00:36 4,786 --a------ C:\WINDOWS\system32\sachosts.exe
    2006-09-13 00:35 9,906 --a------ C:\WINDOWS\system32\sachostp.exe
    2006-09-13 00:35 16,404 --a--c--- C:\tvlc.exe
    2006-09-13 00:34 3,749 --a------ C:\WINDOWS\sysldr32.exe
    2006-09-13 00:34 1,233 --a------ C:\WINDOWS\system32\urj59dfa.sys
    2006-09-13 00:34 1,233 --a------ C:\WINDOWS\system32\jrj59def.sys
    2006-09-13 00:33 186,219 --a------ C:\WINDOWS\srviqkckwn.exe
    2006-09-13 00:33 16,404 --a------ C:\WINDOWS\9129837.exe
    2006-09-13 00:31 76,288 --a--c--- C:\vowvv.exe
    2006-08-29 02:36 53,248 --------- C:\WINDOWS\system32\RemFarStone.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-23 14:48 -------- d-------- C:\Program Files\whInstall
    2006-09-23 14:30 -------- d-------- C:\Program Files\hijackthis
    2006-09-23 12:32 -------- d-------- C:\Program Files\SBC Self Support Tool
    2006-09-23 12:29 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-23 11:55 -------- d-------- C:\Program Files\Common Files
    2006-09-22 14:15 -------- d-------- C:\Program Files\Common Files\ofiu
    2006-09-22 13:36 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-22 13:36 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-09-22 13:36 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-22 13:36 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-22 13:36 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-22 13:36 -------- d---sc--- C:\Documents and Settings\NEDZAD\Application Data\Microsoft
    2006-09-22 13:36 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\AVG7
    2006-09-22 13:36 -------- d-------- C:\Program Files\Grisoft
    2006-09-22 02:02 -------- d-------- C:\Program Files\Yahoo!
    2006-09-21 02:20 93633 --ahs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    2006-09-21 00:44 -------- d--h----- C:\Program Files\Common Files\cloader
    2006-09-21 00:36 -------- d-------- C:\Program Files\PSDream
    2006-09-21 00:36 -------- d-------- C:\Program Files\PSCloner
    2006-09-20 02:11 -------- d-------- C:\Program Files\DC++
    2006-09-20 01:50 -------- d-------- C:\Program Files\RegistrySmart
    2006-09-20 01:35 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
    2006-09-19 10:52 -------- d-------- C:\Program Files\Call of Duty Game of the Year Edition
    2006-09-16 12:11 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Roxio
    2006-09-11 10:23 -------- d-------- C:\Program Files\Registry Mechanic
    2006-09-05 09:02 -------- d-------- C:\Program Files\Symantec
    2006-09-05 09:02 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 09:02 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-05 08:50 -------- d-------- C:\Program Files\Winamp
    2006-09-04 20:13 -------- d-------- C:\Program Files\tgtsoft
    2006-09-04 19:56 -------- d-------- C:\Program Files\GameHouse
    2006-09-03 00:52 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-29 03:02 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Skype
    2006-08-29 02:42 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\FarStone
    2006-08-29 02:20 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 01:05 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-29 01:05 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-29 01:02 96256 --a------ C:\WINDOWS\system32\drivers\sptd7245.sys
    2006-08-29 01:02 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-27 02:54 -------- d-------- C:\Program Files\Elaborate Bytes
    2006-08-27 02:31 -------- d-------- C:\Program Files\CloneDVD
    2006-08-25 03:25 -------- d-------- C:\Program Files\Activision
    2006-08-25 02:57 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-08-25 02:40 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
    2006-08-25 02:40 -------- d-------- C:\Program Files\AutoCAD 2006
    2006-08-25 02:39 -------- d-------- C:\Program Files\Common Files\Designer
    2006-08-25 02:39 -------- d-------- C:\Program Files\AnswerWorks 4.0
    2006-08-25 02:37 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Autodesk
    2006-08-25 02:27 -------- d-------- C:\Program Files\Autodesk
    2006-08-25 02:12 -------- d-------- C:\Program Files\Smart Projects
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-16 01:55 674636 --a------ C:\WINDOWS\Zabranjeno Pusenje Screensaver.scr
    2006-07-31 17:16 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
    2006-07-28 00:24 -------- d-------- C:\Program Files\PopCap Games
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-27 01:14 -------- d-------- C:\Program Files\Trymedia
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
    "Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
    "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
    "SystemLoader"="C:\\windows\\sysldr32.exe"
    "IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
    "CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
    "IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
    "BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "BCMSMMSG"="BCMSMMSG.exe"
    "YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
    "CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
    "CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
    "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
    "nwiz"="nwiz.exe /install"
    "YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\windows\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00002002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000002
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,02,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "Wallpaper"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoActiveDesktop"=dword:00000000
    "ClassicShell"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    @=""
    "NoDriveTypeAutoRun"=dword:00000000
    "NoDriveAutoRun"=dword:00001f00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe"
    "item"="Microsoft Works Calendar Reminders"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinMXDownloadWinMX3.exe]
    "location"="Common Startup"
    "item"="WinMXDownloadWinMX3"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CursorXP]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CursorXP"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\diagent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="diagent"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DkIcon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Works Portfolio]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WksSb"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RealPlay"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioAudioCentral]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RxMon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioDragToDisc]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DrgToDsc"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioEngineUtility]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="EngUtil"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WorksFUD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="wkfud"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "inimapping"="0"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\windows\tasks\Symantec NetDetect.job

    Completion time: Sat 09/23/2006 14:52:38.48
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
  2. 2006/09/23
    TeMerc (Alumni)
    OK, well the HJT log file looks pretty good. But it seems some of the files we tried to eliminate are still hanging on.

    Let's run Killbox again but in safe mode, using the same instructions as in my previous post, but let's be sure we don't have any rogue processes running.

    Reboot into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es) if present:
    C:\windows\sysldr32.exe

    Open Killbox and insert the following files for deletion:
    C:\WINDOWS\sys09403303096.exe
    C:\WINDOWS\system32\zlbw.dll
    C:\WINDOWS\system32\image.gif.exe
    C:\WINDOWS\sys033030964032006.exe
    C:\WINDOWS\system32\lzx32.sys
    C:\WINDOWS\system32\tbhogt.dll
    C:\owodkr.exe
    C:\WINDOWS\system32\sachosts.exe
    C:\WINDOWS\system32\sachostp.exe
    C:\tvlc.exe
    C:\WINDOWS\sysldr32.exe
    C:\WINDOWS\system32\urj59dfa.sys
    C:\WINDOWS\system32\jrj59def.sys
    C:\WINDOWS\srviqkckwn.exe
    C:\WINDOWS\9129837.exe
    C:\vowvv.exe
    C:\Program Files\Common Files\ofiu
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\Common Files\cloader
    C:\Program Files\PSDream
    C:\Program Files\PSCloner
    C:\Program Files\DC++


    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O4 - HKLM\..\Run: [SystemLoader] C:\windows\sysldr32.exe

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
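A small triage helper, added here as an example and not code from ComboFix, HijackThis or anyone in this thread: it parses the two ComboFix sections the reply above cross-references (Files Created and the Run keys under Reg Loading Points) and reports autostart entries whose target was written inside the scan window, which is exactly how the SystemLoader entry pointing at C:\windows\sysldr32.exe stands out. The embedded log excerpt is constructed from the log posted above and abridged.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Reads the 'Files Created' section and every *\\Run key under 'Reg Loading
Points', then flags autostart entries whose target was created in the window.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the log in this thread (abridged, not the
# complete log); the .reg-style quoting is the format ComboFix prints.
SAMPLE_LOG = r'''
((((((((( Files Created from 2006-08-23 to 2006-09-23 )))))))))

2006-09-23 01:13 163,840 --a------ C:\WINDOWS\sys09403303096.exe
2006-09-14 00:39 126,976 --ah----- C:\WINDOWS\system32\tbhogt.dll
2006-09-13 00:34 3,749 --a------ C:\WINDOWS\sysldr32.exe

((((((((( Reg Loading Points )))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"SystemLoader"="C:\\windows\\sysldr32.exe"
"BCMSMMSG"="BCMSMMSG.exe"
'''

FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S{9})\s+(.+?)\s*$")
SECTION = re.compile(r"^\(+\s*(.*?)\s*\)+$")      # the ((((( Title ))))) banners
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_created_files(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Map lowercased path -> (timestamp, size, attribute flags) from 'Files Created'."""
    files = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        head = SECTION.match(line)
        if head:
            in_section = head.group(1).startswith("Files Created")
            continue
        m = FILE_LINE.match(line) if in_section else None
        if m:
            ts, size, attrs, path = m.groups()
            files[path.lower()] = (ts, int(size.replace(",", "")), attrs)
    return files

def unescape_reg_string(raw: str) -> str:
    """Strip the outer quotes of a .reg value and undo its \\\\ and \\" escapes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", lambda m: m.group(1), raw)

def parse_run_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for every value under a key ending in \\Run."""
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1) if k.group(1).lower().endswith("\\run") else None
            continue
        v = VALUE_LINE.match(line) if current else None
        if v:
            entries.append((current, v.group(1), unescape_reg_string(v.group(2))))
    return entries

def command_target(command: str) -> str:
    """Pull the program path out of an autostart command line.

    Handles a quoted path with arguments ("C:\\Program Files\\x.exe" /arg), a bare
    path with arguments (C:\\x\\y.exe /STARTUP) and the RUNDLL32 form, where the
    loaded DLL (the part before the comma) is the real payload.
    """
    cmd = command.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):
        cmd = cmd[len("RUNDLL32.EXE "):].strip().split(",", 1)[0]
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|sys|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def suspicious_autostarts(text: str) -> List[dict]:
    """Autostart entries whose target file appears in the 'Files Created' window.

    Paths are compared case-insensitively because the log mixes C:\\windows and
    C:\\WINDOWS. Bare names such as BCMSMMSG.exe are resolved through PATH at run
    time, so they cannot be matched against the file list here.
    """
    created = parse_created_files(text)
    hits = []
    for key, name, command in parse_run_entries(text):
        target = command_target(command)
        info = created.get(target.lower())
        if info is not None:
            hits.append({"key": key, "name": name, "target": target,
                         "created": info[0], "size": info[1], "attrs": info[2]})
    return hits
```

Feed it a full ComboFix.txt and every hit is a candidate for the HJT O4 fix plus Killbox deletion pairing used above; entries that only match legitimate installers still need a look at the Find3M timestamps before anything is removed.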
     

  4. 2006/09/23
    NELLEBL (Thread Starter)
    NEDZAD - 06-09-23 17:14:47.70 Service Pack 2
    ComboFix 06.09.21 - Running from: "C:\Documents and Settings\NEDZAD\Desktop\New Folder (2)"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1
    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1\nslookup.exe
    C:\QooBox\Purity\Documents and Settings\NEDZAD\Application Data\ICROSO~1\?icrosoft
    C:\QooBox\Purity\Program Files\SMANTE~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-23 to 2006-09-23 ))))))))))))))))))))))))))))))))))


    2006-08-29 02:36 53,248 --------- C:\WINDOWS\system32\RemFarStone.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-23 17:03 -------- d-------- C:\Program Files\hijackthis
    2006-09-23 16:57 -------- d-------- C:\Program Files\Common Files
    2006-09-23 14:48 -------- d-------- C:\Program Files\whInstall
    2006-09-23 12:32 -------- d-------- C:\Program Files\SBC Self Support Tool
    2006-09-23 12:29 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-09-22 13:36 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-09-22 13:36 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-09-22 13:36 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-09-22 13:36 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-09-22 13:36 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
    2006-09-22 13:36 -------- d---sc--- C:\Documents and Settings\NEDZAD\Application Data\Microsoft
    2006-09-22 13:36 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\AVG7
    2006-09-22 13:36 -------- d-------- C:\Program Files\Grisoft
    2006-09-22 02:02 -------- d-------- C:\Program Files\Yahoo!
    2006-09-20 01:50 -------- d-------- C:\Program Files\RegistrySmart
    2006-09-20 01:35 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
    2006-09-19 10:52 -------- d-------- C:\Program Files\Call of Duty Game of the Year Edition
    2006-09-16 12:11 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Roxio
    2006-09-11 10:23 -------- d-------- C:\Program Files\Registry Mechanic
    2006-09-05 09:02 -------- d-------- C:\Program Files\Symantec
    2006-09-05 09:02 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-09-05 09:02 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-09-05 08:50 -------- d-------- C:\Program Files\Winamp
    2006-09-04 20:13 -------- d-------- C:\Program Files\tgtsoft
    2006-09-04 19:56 -------- d-------- C:\Program Files\GameHouse
    2006-09-03 00:52 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-29 03:02 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Skype
    2006-08-29 02:42 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\FarStone
    2006-08-29 02:20 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 01:05 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-29 01:05 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-29 01:02 96256 --a------ C:\WINDOWS\system32\drivers\sptd7245.sys
    2006-08-29 01:02 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-27 02:54 -------- d-------- C:\Program Files\Elaborate Bytes
    2006-08-27 02:31 -------- d-------- C:\Program Files\CloneDVD
    2006-08-25 03:25 -------- d-------- C:\Program Files\Activision
    2006-08-25 02:57 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-08-25 02:40 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
    2006-08-25 02:40 -------- d-------- C:\Program Files\AutoCAD 2006
    2006-08-25 02:39 -------- d-------- C:\Program Files\Common Files\Designer
    2006-08-25 02:39 -------- d-------- C:\Program Files\AnswerWorks 4.0
    2006-08-25 02:37 -------- d----c--- C:\Documents and Settings\NEDZAD\Application Data\Autodesk
    2006-08-25 02:27 -------- d-------- C:\Program Files\Autodesk
    2006-08-25 02:12 -------- d-------- C:\Program Files\Smart Projects
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 03:01 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-16 01:55 674636 --a------ C:\WINDOWS\Zabranjeno Pusenje Screensaver.scr
    2006-07-31 17:16 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
    2006-07-28 00:24 -------- d-------- C:\Program Files\PopCap Games
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-27 01:14 -------- d-------- C:\Program Files\Trymedia
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\windows\\system32\\NvCpl.dll,NvStartup"
    "Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
    "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
    "IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\""
    "CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\""
    "IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l"
    "BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
    "BCMSMMSG"="BCMSMMSG.exe"
    "YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
    "CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\""
    "CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
    "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
    "Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
    "nwiz"="nwiz.exe /install"
    "YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000002

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\windows\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00002002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000002
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,02,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "Wallpaper"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoActiveDesktop"=dword:00000000
    "ClassicShell"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    @=""
    "NoDriveTypeAutoRun"=dword:00000000
    "NoDriveAutoRun"=dword:00001f00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe"
    "item"="Microsoft Works Calendar Reminders"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinMXDownloadWinMX3.exe]
    "location"="Common Startup"
    "item"="WinMXDownloadWinMX3"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CursorXP]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CursorXP"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\diagent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="diagent"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DkIcon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Works Portfolio]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="WksSb"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey "= "HKLM "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RealPlay "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioAudioCentral]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "RxMon "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioDragToDisc]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "DrgToDsc "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioEngineUtility]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "EngUtil "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinampAgent]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "winampa "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Winamp\\winampa.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WorksFUD]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "wkfud "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Microsoft Works\\wkfud.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ypager "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet "
    "inimapping "= "0 "


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\windows\tasks\Symantec NetDetect.job

    Completion time: Sat 09/23/2006 17:17:02.98
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
  5. 2006/09/23
    NELLEBL

    NELLEBL Inactive Thread Starter

    Joined:
    2006/09/19
    Messages:
    35
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 5:20:20 PM, on 9/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\SYSTEM32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\windows\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\windows\System32\nvsvc32.exe
    C:\windows\System32\tcpsvcs.exe
    C:\windows\System32\snmp.exe
    C:\windows\System32\PAStiSvc.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\YPCSER~1.EXE
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Winamp\winampa.exe
    C:\windows\BCMSMMSG.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\windows\system32\NOTEPAD.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AT&T Self Support Tool.lnk = bin\matcli.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
    O23 - Service: STI Simulator - Unknown owner - C:\windows\System32\PAStiSvc.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  6. 2006/09/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    S-A-W-E-E-E-T-T!! All clean now, just one minor registry entry to remove and one folder.

    Your system should be running well now, please let me know if it is not.

    Search for, and delete, if found, the following files/folders:
    C:\Program Files\whInstall<<<<---this folder

    Let's back up your registry before we make any changes.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0

    In the right hand pane of the registry, look for 'source', right-click it, select 'Modify' and delete the value:
    C:\windows\warnhp.html

    Close registry editor and you're done.
     
  7. 2006/09/23
    NELLEBL

    NELLEBL Inactive Thread Starter

    Joined:
    2006/09/19
    Messages:
    35
    Likes Received:
    0
    Thank You Very Much
    Just One More Thing
    My Desktop Background Is White And I Can't Get Rid Of It.
    Under "Display Properties" > "Desktop" > "Background"
    I Am Not Able To Change The Background.

    Also, Am I Supposed To Disable "Show Hidden Folders"
    Or Keep It?

    Thanks, Nellebl
     
  8. 2006/09/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Try this:
    Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK. That should get rid of it.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To prevent known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     