Thread: HJT Log, Trojan found, web pages not connecting or slow and computer freezing!
View Single Post
Old 04-30-2006, 07:13 PM   #24 (permalink)
disco20
Registered User
 
Join Date: Apr 2006
Posts: 35
OS: XP


Ried,

Once again, thanks for the enourmous amount of help! I truly appreciate it.

1.) I downloaded Avenger and it is currently sitting on my desktop unzipped and waiting.


2.) I disabled Avast and Prex1.


3.) I ran SilentRunners.vbs the results are below

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"DU Meter" = "C:\Program Files\DU Meter\DUMeter.exe" ["Hagel Technologies"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"PrevxOne" = "C:\Program Files\Prevx1\PXConsole.exe" ["Prevx"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"hppwrsav" = "C:\SCANJET\PrecisionScanLT\hppwrsav.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"Dit" = "Dit.exe" [null data]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP\SmartHook.dll" ["SmartFTP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {HKLM...CLSID} = "My Media"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Startup items in "Scott Strickler" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"Disk Defragmenter" -> launches: "C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 21
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"
-> {HKLM...CLSID} = "Microsoft CommBand"
\InProcServer32\(Default) = "C:\WINDOWS\System32\browseui.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.citcom.net

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
MSSQL$NR2005, MSSQL$NR2005, "C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005" [MS]
NeatReceipts Auto Backup, NeatReceipts Auto Backup, "C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 277 seconds)


4.) I then ran StartDreck . The log is below.

StartDreck (build 2.1.7 public stable) - 2006-04-30 @ 21:10:03 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Scott Strickler at STRICKLERS

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*cnkdsk=C:\WINDOWS\System32\cnkdsk.exe
*Windows installer=C:\winstall.exe
*pro=c:\tool2.exe
»RunOnce
»Local Machine
»Run
*type32="C:\Program Files\Microsoft IntelliType Pro\type32.exe"
*IntelliPoint="C:\Program Files\Microsoft IntelliPoint\point32.exe"
*DU Meter=C:\Program Files\DU Meter\DUMeter.exe
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*Google Desktop Search="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
*PrevxOne=C:\Program Files\Prevx1\PXConsole.exe
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
*UpdReg=C:\WINDOWS\Updreg.exe
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
*RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
*RoxioAudioCentral="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
*NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
*hppwrsav=C:\SCANJET\PrecisionScanLT\hppwrsav.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
*Dit=Dit.exe
*BJCFD=C:\Program Files\BroadJump\Client Foundation\CFD.exe
*BCMSMMSG=BCMSMMSG.exe
*AHQInit=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=Notepad.exe %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=
*MoneySide.BrowserHelperObject.11/{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
`InprocServer32=C:\Program Files\Microsoft Money\System\mnyside.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
`InprocServer32=
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=http://www.phishhook.com/
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
*Default_Page_URL=http://www.dellnet.com
*First Home Page=http://start.earthlink.net
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
»Local Machine
*Default_Page_URL=http://www.citcom.net
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.google.com
*Start Page=http://www.dellnet.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com/ie
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Scott Strickler\Start Menu\Programs\Startup\DESKTOP.INI
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /TUTag=IBWQMW
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
`device=C:\PROGRA~1\ALWILS~1\Avast4\aswmonds.sys
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\WINDOWS\System32\atl.dll
`C:\WINDOWS\System32\atl.dll=C:\WINDOWS\System32\atl.tmp
*C:\WINDOWS\hosts
`127.0.0.5 makethemcry.com
`127.0.0.5 loudcash.com
`127.0.0.5 iframestat.com
`127.0.0.5 toolbarpartner.com
`127.0.0.5 hqcash.com
`127.0.0.5 verybigcash.com
`127.0.0.5 makethemcry.com
`127.0.0.5 moviepartnership.com
`127.0.0.5 callmachine.com
`127.0.0.5 regcash.com
`127.0.0.5 toolbarpartner.com
`127.0.0.5 klikrevenue.com
`127.0.0.5 p2dll.com
`127.0.0.5 t73.com
`127.0.0.5 www.makethemcry.com
`127.0.0.5 www.loudcash.com
`127.0.0.5 www.iframestat.com
`127.0.0.5 www.toolbarpartner.com
`127.0.0.5 www.hqcash.com
`127.0.0.5 www.verybigcash.com
`127.0.0.5 www.makethemcry.com
`127.0.0.5 www.moviepartnership.com
`127.0.0.5 www.callmachine.com
`127.0.0.5 www.regcash.com
`127.0.0.5 www.toolbarpartner.com
`127.0.0.5 www.klikrevenue.com
`127.0.0.5 www.p2dll.com
`127.0.0.5 www.t73.com
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\NOTEPAD.EXE
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\WINHLP32.EXE
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+420=\SystemRoot\System32\smss.exe
+476=\??\C:\WINDOWS\system32\csrss.exe
+504=\??\C:\WINDOWS\system32\winlogon.exe
+548=C:\WINDOWS\system32\services.exe
+560=C:\WINDOWS\system32\lsass.exe
+736=C:\WINDOWS\system32\svchost.exe
+780=C:\WINDOWS\System32\svchost.exe
+896=C:\WINDOWS\System32\svchost.exe
+920=C:\WINDOWS\System32\svchost.exe
+1020=C:\WINDOWS\system32\spoolsv.exe
+1152=C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
+1168=C:\Program Files\Alwil Software\Avast4\ashServ.exe
+1196=C:\WINDOWS\System32\cisvc.exe
+1208=C:\WINDOWS\System32\CTsvcCDA.EXE
+1264=C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
+1556=C:\WINDOWS\System32\svchost.exe
+1572=C:\WINDOWS\System32\wdfmgr.exe
+1608=C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+1736=C:\WINDOWS\System32\MsPMSPSv.exe
+1772=C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
+2148=C:\WINDOWS\System32\cidaemon.exe
+2616=C:\WINDOWS\Explorer.EXE
+2728=C:\Program Files\Microsoft IntelliType Pro\type32.exe
+2784=C:\WINDOWS\System32\devldr32.exe
+2804=C:\Program Files\Microsoft IntelliPoint\point32.exe
+2816=C:\Program Files\DU Meter\DUMeter.exe
+2860=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
+2888=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+2936=C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
+2964=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+2996=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
+3036=C:\SCANJET\PrecisionScanLT\hppwrsav.exe
+3064=C:\WINDOWS\Dit.exe
+3080=C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
+3092=C:\Program Files\BroadJump\Client Foundation\CFD.exe
+3100=C:\WINDOWS\DitExp.exe
+3108=C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
+3136=C:\WINDOWS\BCMSMMSG.exe
+3276=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
+3360=C:\Palm\HOTSYNC.EXE
+3852=C:\Program Files\Mozilla Firefox\firefox.exe
+348=C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
+1792=C:\WINDOWS\Notepad.exe
+2064=C:\Documents and Settings\Scott Strickler\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


5.) Here are the eraseme file names:

eraseme_63381.exe

and

eraseme_70088.exe
disco20 is offline