Old 06-16-2006, 04:54 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Pop-ups, slow machine

I'm having an issue with pop-ups and system performance. I have run Ad-Aware and Spybot, and it seemed to help a little. I appreciate any help.

Logfile of HijackThis v1.99.1
Scan saved at 3:53:48 PM, on 6/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\aspi161566.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\regsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\System32\2a0c93d9.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/...ivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O20 - AppInit_DLLs: repairs303169587.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi161566.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
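The HijackThis log above is the thread's working data. As an added example that is not part of the forum thread or of HijackThis itself, here is a small Python triage script that parses such `Oxx - ...` entries and flags the patterns a log helper reviews first: orphaned entries, random-looking autorun names, RunServices use, AppInit_DLLs, SSODL entries and unknown-owner services. The sample lines are copied from the log above; the heuristics and the names `triage`, `check_autorun`, `exe_stem` and `Finding` are the example's own.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example, not the forum's or HijackThis's own code. It parses the
`Oxx - ...` entries and flags the patterns a log helper reviews first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: entries copied verbatim from the HijackThis log posted above,
# trimmed to the entry types the rules below look at (O2/O3/O4/O20/O21/O23).
SAMPLE_LOG = r"""
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O20 - AppInit_DLLs: repairs303169587.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi161566.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
AUTORUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
# Heuristic: stems like 2a0c93d9 (pure hex) or 0mcamcap (leading digit) are typical
# of auto-generated dropper filenames; legitimate vendors rarely ship them.
RANDOMISH_RE = re.compile(r"^(?:[0-9a-f]{8,}|\d\w*)$", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    line: str
    reasons: list[str] = field(default_factory=list)


def exe_stem(target: str) -> str:
    """Return the bare executable name (no directory, no extension, no arguments)."""
    path = target.strip().strip('"')
    path = re.split(r"\.exe\b", path, flags=re.IGNORECASE)[0]
    return path.rsplit("\\", 1)[-1]


def check_autorun(body: str) -> list[str]:
    """Rules for O4 (Run / RunServices) entries; returns the reasons that fired."""
    m = AUTORUN_RE.match(body)
    if not m:
        return []
    hive, key, target = m.group("hive"), m.group("key"), m.group("target")
    reasons = []
    stem = exe_stem(target)
    if RANDOMISH_RE.match(stem):
        reasons.append(f"random-looking executable name '{stem}'")
    if key.lower() == "runservices":
        reasons.append("RunServices key (Win9x-era key, rarely used by legitimate XP software)")
    if hive == "HKCU" and "program files" not in target.lower():
        reasons.append("per-user autorun pointing outside Program Files")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HijackThis entry that deserves a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reasons: list[str] = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("registered component whose file is gone (orphaned entry)")
        if code == "O4":
            reasons.extend(check_autorun(body))
        elif code == "O20" and body.partition(":")[2].strip():
            reasons.append("AppInit_DLLs: DLL loaded into every process that uses user32.dll")
        elif code == "O21":
            reasons.append("ShellServiceObjectDelayLoad entry, loaded by Explorer at logon")
        elif code == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        if reasons:
            findings.append(Finding(code, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
```

Run against the sample, the script leaves the vendor-signed AOL, UMonit, WinPortrait and Lexmark entries alone and flags the other eight; the hits are starting points for the manual review the helpers do in this thread, not verdicts.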
Old 06-16-2006, 08:46 PM   #2 (permalink)
Analyst, Security Team
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


I recommend you subscribe to this thread so you are notified of any replies via email. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads (make sure to save these in a permanent location)
combofix.exe - Save it to your Desktop; we will need this later.

Cleanup! - Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Ewido Anti-Malware
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Tools
Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "Complete script execution" box to pop up and press OK.
  • Press Exit to terminate the BFU program.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked.
Click OK
Press the CleanUp! button to start the program. If prompted to reboot, click No.

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.

** This scan may take over an hour; after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Double-click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now; it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it may ask you to purchase the program; this is not necessary, we will take care of the entries manually.
  • At the end of the scan, click on "See report". Then click "Save report".
Please post that log in your next reply.

In your next post please include:
  • Ewido Log
  • Combofix.txt
  • Panda Activescan Log
  • A new HijackThis log
Vikesrock8411 is offline  
Old 06-19-2006, 08:15 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Sorry it took so long for my reply. I was out of town this weekend.

Here are the logs, in order:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:51:26 PM, 6/19/2006
+ Report-Checksum: 49841285

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\DAWN\Cookies\dawn@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
:mozilla.6:C:\Documents and Settings\DAWN\Application Data\Mozilla\Firefox\Profiles\3rn26d44.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.7:C:\Documents and Settings\DAWN\Application Data\Mozilla\Firefox\Profiles\3rn26d44.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.8:C:\Documents and Settings\DAWN\Application Data\Mozilla\Firefox\Profiles\3rn26d44.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP724\A0054796.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP724\A0056767.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0057767.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058767.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058958.exe -> Not-A-Virus.Hoax.Win32.Renos.dn : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058970.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058971.exe -> Downloader.Adload.bu : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058976.exe -> Trojan.LdPinch.sh : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0059767.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0059802.exe -> Proxy.Agent.ji : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0059803.exe -> Downloader.Small.cxz : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0059813.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0059814.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061546.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061547.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061548.exe -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061550.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\snapshot\MFEX-3.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\snapshot\MFEX-4.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\snapshot\MFEX-5.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052132.exe -> Dropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052147.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052150.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052151.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052152.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052153.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052154.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052155.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052156.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052174.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-1.DAT -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-2.DAT -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-3.DAT -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-6.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-7.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\snapshot\MFEX-8.DAT -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052287.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052288.exe -> Downloader.Adload.bt : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052296.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052484.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052485.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052486.exe -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052490.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052535.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052537.exe -> Downloader.Adload.bu : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052679.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052680.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052681.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052682.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052683.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052684.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052697.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052698.exe -> Downloader.Adload.bu : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052727.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052738.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052744.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP712\A0052787.dll -> Downloader.Agent.agw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP723\A0054793.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP647\A0043919.exe -> Adware.SurfAcc : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP649\A0043952.exe -> Adware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059855.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059863.DLL -> Downloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059883.exe -> Dropper.Small.aps : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059884.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059885.exe -> Proxy.Agent.ji : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059886.exe -> Downloader.Adload.bo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059887.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059888.exe -> Downloader.Adload.bv : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059889.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059891.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059896.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059897.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059898.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059899.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059900.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059901.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059902.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059903.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059904.exe -> Not-A-Virus.Hoax.Win32.Renos.dn : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059905.exe -> Downloader.Tibs.eo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059906.exe -> Downloader.Tibs.eo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059907.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059908.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059909.exe -> Adware.SearchAssistant : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059910.exe -> Adware.SearchAssistant : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059911.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059912.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059913.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059914.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059915.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059916.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059917.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059918.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059919.exe -> Trojan.Dialer.pw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059920.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059921.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059922.exe -> Dropper.Agent.aie : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059923.exe -> Not-A-Virus.Hoax.Win32.Renos.dn : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059924.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059925.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059926.exe -> Trojan.Qoologic : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059927.exe -> Adware.SearchAssistant : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059928.exe -> Downloader.Adload.bq : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059929.exe -> Adware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059930.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059931.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059932.exe -> Adware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059933.exe -> Downloader.Adload.bo : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059934.dll -> Adware.Zango : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059937.exe -> Trojan.Spambot : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060065.exe -> Backdoor.VB.ary : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060066.exe -> Backdoor.VB.ary : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060067.exe -> Downloader.VB.adw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060068.exe -> Downloader.VB.adw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060069.exe -> Downloader.VB.adw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060070.exe -> Downloader.VB.adw : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060071.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060072.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0060073.exe -> Downloader.Small.cpu : Cleaned with backup
C:\configdll.pif -> Downloader.Adload.bq : Cleaned with backup
C:\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup
C:\lsass.exe -> Downloader.Adload.bq : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\svchost.exe/booterror.exe -> Downloader.Adload.bo : Cleaned with backup
C:\webnexmk.exe -> Dropper.Agent.hl : Cleaned with backup
C:\t.inx -> Trojan.Small : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup
C:\pi1_59.exe -> Downloader.Small.cqy : Cleaned with backup
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup
C:\526_620.exe -> Dropper.Mudrop.bq : Cleaned with backup
C:\bintheredunthat\comscore.exe -> Dropper.Agent.hl : Cleaned with backup
C:\bintheredunthat\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup


::Report End


Combofix log


Start Time= Mon 06/19/2006 21:54:45.42

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

21:55:29.31

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-05-24 18:47:48 8,464 "C:\WINDOWS\system32\sporder.dll"
2102-12-31 21:14:20 0 "C:\WINDOWS\system32\PTPTT.dat"
2006-05-29 07:22:46 34 "C:\WINDOWS\shcyi.dll"
2006-05-29 07:26:40 142 "C:\WINDOWS\cyctn.dll"
2006-06-15 18:41:28 11,554 "C:\WINDOWS\mozver.dat"
2006-05-29 07:22:40 53 "C:\WINDOWS\wlwpon.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


05/29/2006 07:26 AM 142 cyctn.dll.vir
05/29/2006 07:22 AM 53 wlwpon.dat.vir
05/29/2006 07:22 AM 34 shcyi.dll.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-05-24 18:47:48 8,464 "C:\WINDOWS\system32\sporder.dll"
2102-12-31 21:14:20 0 "C:\WINDOWS\system32\PTPTT.dat"
2006-06-15 18:41:28 11,554 "C:\WINDOWS\mozver.dat"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\DAWN\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\DAWN\Application Data\Sskknwrd.dll
C:\Documents and Settings\JESSICA\Application Data\Sskknwrd.dll
C:\Documents and Settings\MIKE\Application Data\Sskknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



21:58:13.75
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2102-12-31 21:53:00 ( .D... ) "C:\Program Files\WinPortrait"
2102-12-31 21:52:58 16384 ( A.... ) "C:\WINDOWS\system32\WINKRNME.DLL"
2102-12-31 21:35:18 ( .D... ) "C:\Program Files\v2 Premier"
2102-12-31 21:32:38 ( .D... ) "C:\Program Files\3DMouse"
2102-12-31 21:31:06 ( .D... ) "C:\Program Files\NetMedia"
2102-12-31 21:28:56 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2102-12-31 21:27:56 ( .D... ) "C:\Program Files\VideoProfessor"
2102-12-31 21:26:16 ( .D... ) "C:\Program Files\lesson"
2102-12-31 21:09:06 ( .D... ) "C:\Program Files\SiSLan"
2102-12-31 2138 ( .D... ) "C:\Program Files\C-Media 3D Audio"
2102-12-31 21:00:48 ( .D... ) "C:\Program Files\SiSVGA"
2102-12-31 21:00:12 ( .D... ) "C:\Program Files\SiS Compatible VGA V2.16a"
2102-12-31 20:59:30 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2102-12-31 20:56:38 ( .D.H. ) "C:\Program Files\Uninstall Information"
2102-12-31 20:53:18 ( .D... ) "C:\Program Files\xerox"
2102-12-31 20:53:16 ( .D... ) "C:\Program Files\microsoft frontpage"
2102-12-31 20:53:08 0 ( A.... ) "C:\AUTOEXEC.BAT"
2102-12-31 20:51:36 ( .D... ) "C:\Program Files\Movie Maker"
2102-12-31 20:51:26 ( .D... ) "C:\Program Files\Windows Media Player"
2102-12-31 20:51:26 ( .D... ) "C:\Program Files\NetMeeting"
2102-12-31 20:51:26 ( .D... ) "C:\Program Files\Common Files\Services"
2102-12-31 20:51:24 ( .D... ) "C:\Program Files\Outlook Express"
2102-12-31 20:51:22 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2102-12-31 20:51:20 ( .D... ) "C:\Program Files\Internet Explorer"
2102-12-31 20:51:20 ( .D... ) "C:\Program Files\Common Files\System"
2102-12-31 20:50:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2102-12-31 20:50:26 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2102-12-31 20:50:26 ( .D... ) "C:\Program Files\Online Services"
2102-12-31 20:50:20 ( .D... ) "C:\Program Files\Messenger"
2102-12-31 20:50:16 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2102-12-31 20:50:12 ( .D... ) "C:\Program Files\Windows NT"
2102-12-31 20:47:12 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2102-12-31 20:47:12 ( .D... ) "C:\Program Files\Common Files\ODBC"
2102-12-31 20:47:10 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2102-12-31 20:47:10 ( .D... ) "C:\Program Files\Common Files"
2102-12-31 20:47:00 62 ( A.SH. ) "C:\Documents and Settings\DAWN\Application Data\desktop.ini"
2102-12-31 20:46:44 ( .DS.. ) "C:\Documents and Settings\DAWN\Application Data\Microsoft"
2006-06-17 01:27:40 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-16 15:30:22 ( .D... ) "C:\Documents and Settings\DAWN\Application Data\Lavasoft"
2006-06-16 13:12:08 39424 ( A.... ) "C:\WINDOWS\system32\aspi161566.exe"
2006-06-16 13:11:42 ( .D... ) "C:\Program Files\ewido anti-malware"
2006-06-16 03:33:50 ( .D... ) "C:\Program Files\Hijack this"
2006-06-15 18:52:50 418445 ( A.... ) "C:\Mendoza1.exe"
2006-06-15 18:49:28 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-15 18:48:38 20992 ( A.... ) "C:\WINDOWS\system32\2a0c93d9.exe"
2006-06-15 18:41:24 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-15 18:39:34 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-15 18:37:44 0 ( A.... ) "C:\Documents and Settings\DAWN\Application Data\Install.dat"
2006-06-14 22:18:50 154 ( A.... ) "C:\WINDOWS\comfix.bat"
2006-06-14 21:03:46 114174 ( A.... ) "C:\WINDOWS\hostsmgr.exe"
2006-06-14 20:52:14 29251 ( A.... ) "C:\WINDOWS\mc-110-12-0000488.exe"
2006-06-12 11:48:16 174669 ( A.... ) "C:\WINDOWS\srvqxexyef.exe"
2006-06-12 11:45:00 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"
2006-06-12 11:44:58 16 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-10 11:26:20 3072 ( ..SHR ) "C:\WINDOWS\system32\vxgame6.exe3072.exe"
2006-06-10 11:10:14 28672 ( A.... ) "C:\WINDOWS\System32ftuninst.exe"
2006-06-10 11:10:12 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-05-29 07:01:00 6064 ( A.... ) "C:\PPCleanDeleteAtReboot.bat"
2006-05-24 18:48:22 380104 ( A.... ) "C:\516_618.exe"
2006-05-24 18:47:48 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-05-24 18:47:14 ( .D... ) "C:\Program Files\Common Files\owim"
2006-04-17 06:42:10 1176576 ( ..SHR ) "C:\WINDOWS\wmiprvse32.exe"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINDOWS\system32\asuninst.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UMonit"="C:\\WINDOWS\\System32\\umonit.exe"
"PivotSoftware"="\"C:\\Program Files\\WinPortrait\\wpctrl.exe\""
"2a0c93d9.exe"="C:\\WINDOWS\\System32\\2a0c93d9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"0mcamcap"="C:\\WINDOWS\\System32\\0mcamcap.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"2a0c93d9.exe"="C:\\Documents and Settings\\DAWN\\Local Settings\\Application Data\\2a0c93d9.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"owim"="C:\\PROGRA~1\\COMMON~1\\owim\\owimm.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"owim"="C:\\PROGRA~1\\COMMON~1\\owim\\owimm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\billmind.exe -startup"
"item"="Billminder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Broadband Support Center.lnk"
"backup"="C:\\WINDOWS\\pss\\Broadband Support Center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VERIZO~1\\SUPPOR~1\\bin\\matcli.exe -boot"
"item"="Broadband Support Center"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Lifeline.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Lifeline.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Lifeline.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\bin\\mpbtn.exe -boot"
"item"="Digital Lifeline"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Planner Reminders Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Planner Reminders Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Sierra\\Planner\\PLNRnote.exe "
"item"="Event Planner Reminders Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinScheduler.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinScheduler.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\WinDVR\\WINSCH~1.EXE "
"item"="InterVideo WinScheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iSchedule-it.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\iSchedule-it.lnk"
"backup"="C:\\WINDOWS\\pss\\iSchedule-it.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INSIGH~1\\NETKNO~1\\Common\\ISCHED~1.EXE /Silent"
"item"="iSchedule-it"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus Organizer EasyClip.lnk"
"backup"="C:\\WINDOWS\\pss\\Lotus Organizer EasyClip.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\lotus\\organize\\easyclip.exe "
"item"="Lotus Organizer EasyClip"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus QuickStart.lnk"
"backup"="C:\\WINDOWS\\pss\\Lotus QuickStart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\lotus\\wordpro\\ltsstart.exe "
"item"="Lotus QuickStart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SmartCenter.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus SmartCenter.lnk"
"backup"="C:\\WINDOWS\\pss\\Lotus SmartCenter.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\lotus\\smartctr\\SMARTCTR.EXE "
"item"="Lotus SmartCenter"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus SuiteStart.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Lotus SuiteStart.lnk"
"backup"="C:\\WINDOWS\\pss\\Lotus SuiteStart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\lotus\\smartctr\\SUITEST.EXE "
"item"="Lotus SuiteStart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetMedia.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NetMedia.lnk"
"backup"="C:\\WINDOWS\\pss\\NetMedia.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NetMedia\\Versato.exe "
"item"="NetMedia"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NovaDisk+ Schedule Service Controller.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NovaDisk+ Schedule Service Controller.lnk"
"backup"="C:\\WINDOWS\\pss\\NovaDisk+ Schedule Service Controller.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NOVADI~1\\SCHEDU~1\\schengd.exe -app"
"item"="NovaDisk+ Schedule Service Controller"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NovaDisk+ Scheduler Tray Control.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NovaDisk+ Scheduler Tray Control.lnk"
"backup"="C:\\WINDOWS\\pss\\NovaDisk+ Scheduler Tray Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\NOVADI~1\\schtrayd.exe "
"item"="NovaDisk+ Scheduler Tray Control"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Startup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\QWDLLS.EXE "
"item"="Quicken Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Video Professor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Video Professor.lnk"
"backup"="C:\\WINDOWS\\pss\\Video Professor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\lesson\\FREELE~1.EXE "
"item"="Video Professor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DAWN^Start Menu^Programs^Startup^OpenOffice.org 1.0.lnk]
"path"="C:\\Documents and Settings\\DAWN\\Start Menu\\Programs\\Startup\\OpenOffice.org 1.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DAWN^Start Menu^Programs^Startup^Registration-INSDVD.lnk]
"path"="C:\\Documents and Settings\\DAWN\\Start Menu\\Programs\\Startup\\Registration-INSDVD.lnk"
"backup"="C:\\WINDOWS\\pss\\Registration-INSDVD.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Pinnacle\\INSTAN~1\\SHARED~1\\Pixie\\RegTool.exe INSDVD,INSDVD,register,EN,0,serial=ABDPG-AADFP-PVYPV-WYAFA-AAAAA"
"item"="Registration-INSDVD"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^DAWN^Start Menu^Programs^Startup^Zeno.lnk]
"path"="C:\\Documents and Settings\\DAWN\\Start Menu\\Programs\\Startup\\Zeno.lnk"
"backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\pwinqqez.exe GID003"
"item"="Zeno"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MIKE^Start Menu^Programs^Startup^OpenOffice.org 1.0.lnk]
"path"="C:\\Documents and Settings\\MIKE\\Start Menu\\Programs\\Startup\\OpenOffice.org 1.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^MIKE^Start Menu^Programs^Startup^Registration-INSDVD.lnk]
"path"="C:\\Documents and Settings\\MIKE\\Start Menu\\Programs\\Startup\\Registration-INSDVD.lnk"
"backup"="C:\\WINDOWS\\pss\\Registration-INSDVD.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Pinnacle\\INSTAN~1\\SHARED~1\\Pixie\\RegTool.exe INSDVD,INSDVD,register,EN,0,serial=ABDPG-AADFP-PVYPV-WYAFA-AAAAA"
"item"="Registration-INSDVD"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0mcamcap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="0mcamcap"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\0mcamcap.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0PaAbB9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rkncx"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\rkncx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3DMouse]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="3DMouse"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\3DMouse\\3DMouse.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOL"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLSPScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1107721595\\ee\\services\\sscAntiSpywarePlugin\\ver1_10_3_1\\AOLSP Scheduler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pwinqqez"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\pwinqqez.exe GID003"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DCOM Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxvwgqyt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dxvwgqyt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="defender23a"
"hkey"="HKLM"
"command"="C:\\\\defender23a.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmailScan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsescn"
"hkey"="HKLM"
"command"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftexc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mptft"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\mptft.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhl7RfpJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssn6tuu"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\ssn6tuu.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1107721595\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iwctrl"
"hkey"="HKLM"
"command"="C:\\Program Files\\Pinnacle\\InstantCDDVD\\InstantWrite\\iwctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyboard25"
"hkey"="HKLM"
"command"="C:\\\\keyboard25.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LapLink Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LLSCHED"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\LapLink\\Scheduler\\LLSCHED.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbrbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\VERIZO~1\\SUPPOR~1\\SMARTB~1\\MotiveSB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MPfTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=" "
"hkey"="HKLM"
"command"=" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newname25"
"hkey"="HKLM"
"command"="C:\\\\newname25.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NclTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Nokia\\Tools\\NclTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nsdajwp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nsdajwp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\nsdajwp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pctspk"
"hkey"="HKLM"
"command"="pctspk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDrvCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS KHooker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="khooker"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\khooker.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sistray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\sistray.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSCRun"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1107721595\\ee\\services\\sscFirewallPlugin\\ver1_10_3_1\\SSCRun.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernels8"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\kernels8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whsurvey"
"hkey"="HKLM"
"command"="C:\\Program Files\\webHancer\\Programs\\whsurvey.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B1-1B-BD-DD-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ppdsregp"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\ppdsregp.exe GID003"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder

Completion time: Mon 06/19/2006 21:58:16.40
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt


Panda Activescan


Incident Status Location

Adware:Adware/SystemDoctor Not disinfected c:\windows\system32\2a0c93d9.exe
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Adware:adware/adsmart Not disinfected c:\windows\system32\dlh9jkdq8.exe
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\owner@atwola[1].txt
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/Tibs Not disinfected C:\WINDOWS\system32\vxgame6.exe3072.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\dlh9jkdq1.exe
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.inf
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\LastGood\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
Adware:Adware/CommAd Not disinfected C:\WINDOWS\REFXTg\lHIrn0.vbs
Adware:Adware/FCHelp Not disinfected C:\WINDOWS\srvqxexyef.exe[PECarlin.exe]
Adware:Adware/NewAds Not disinfected C:\WINDOWS\mc-110-12-0000488.exe
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 10:14:13 PM, on 6/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\aspi161566.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\System32\2a0c93d9.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/...ivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi161566.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
Old 06-19-2006, 08:55 PM   #4 (permalink)
Analyst, Security Team
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

I see you have disabled some startup entries using MSConfig. This makes it difficult for us to see all the infections present on your system because they are hidden from Hijackthis.
  • Please click Start>Run and type "msconfig".
  • On the "General" tab please click "Normal Startup- load all device drivers and services" and click OK.
  • Do not restart when prompted.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\Mendoza1.exe
    C:\WINDOWS\system32\2a0c93d9.exe
    C:\WINDOWS\mc-110-12-0000488.exe
    C:\WINDOWS\srvqxexyef.exe
    C:\WINDOWS\system32\dlh9jkdq1.exe
    C:\WINDOWS\system32\dlh9jkdq8.exe
    C:\WINDOWS\system32\vxgame6.exe3072.exe
    C:\WINDOWS\System32ftuninst.exe
    C:\WINDOWS\system32\ftuninst.exe
    C:\WINDOWS\system32\WINKRNME.DLL
    C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
    C:\WINDOWS\System32\0mcamcap.exe
    C:\PROGRA~1\COMMON~1\owim\owimm.exe
    C:\Documents and Settings\DAWN\Start Menu\Programs\Startup\Zeno.lnk
    C:\WINDOWS\system32\pwinqqez.exe
    C:\WINDOWS\rkncx.exe
    C:\WINDOWS\System32\dxvwgqyt.exe
    C:\WINDOWS\System32\mptft.exe
    C:\WINDOWS\System32\ssn6tuu.exe
    C:\WINDOWS\nsdajwp.exe
    C:\WINDOWS\System32\kernels8.exe
    C:\windows\system32\ppdsregp.exe
    c:\windows\system32\f3PSSavr.scr
    C:\WINDOWS\LastGood\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
    C:\WINDOWS\REFXTg\lHIrn0.vbs
    C:\WINDOWS\srvqxexyef.exe
    C:\WINDOWS\mc-110-12-0000488.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Run a new scan with hijackthis and post the log here.
__________________
Vikesrock8411 is offline  
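The point made above is that startup items disabled in MSConfig are parked under the startupreg key and stop appearing as O4 lines. As an added example (not from this thread or from HijackThis, ComboFix or KillBox), this Python script parses a startupreg dump in the .reg-style format ComboFix printed earlier in the thread, rebuilds the O4 line each parked entry would produce once re-enabled, and reports which of them are absent from a HijackThis log; the sample dump and sample O4 lines are constructed from entries in this thread.

```python
"""Recover startup items that MSConfig has hidden from a HijackThis scan.

On Windows XP, disabling an item on MSConfig's Startup tab removes the
Run value and parks a copy under
HKLM\\software\\microsoft\\shared tools\\msconfig\\startupreg\\<name>.
HijackThis lists only live Run values, so the parked entries drop out of
the O4 section. This script parses the parked entries from a .reg-style
dump (the format ComboFix printed earlier in this thread) and rebuilds the
O4 line each one would produce once re-enabled.
"""
import re

# Constructed sample: the two startupreg blocks from the ComboFix log above.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B1-1B-BD-DD-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ppdsregp"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\ppdsregp.exe GID003"
"inimapping"="0"
'''

# Constructed sample: the O4 section of the first HijackThis log in this
# thread, taken while the two items above were still disabled in MSConfig.
SAMPLE_HJT_O4 = r'''
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
'''

STARTUPREG_MARKER = '\\msconfig\\startupreg\\'
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def _unescape(value):
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', value)


def parse_startupreg(dump):
    """Return one dict per parked entry: its subkey name plus key/item/hkey/command."""
    entries = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            path = line[1:-1]
            idx = path.lower().find(STARTUPREG_MARKER)
            if idx == -1:
                current = None          # some other key; skip its values
                continue
            current = {'name': path[idx + len(STARTUPREG_MARKER):]}
            entries.append(current)
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            current[m.group(1).lower()] = _unescape(m.group(2))
    return entries


def to_o4_line(entry):
    """Render the HijackThis O4 line this entry produces once re-enabled.

    HijackThis abbreviates the Run key to '<hive>\\..\\<last component>' and
    shows the value name in brackets; for parked entries the value name is
    the startupreg subkey name, not the 'item' field.
    """
    hive = entry.get('hkey', '?')
    run_key = entry.get('key', '').rsplit('\\', 1)[-1] or 'Run'
    return 'O4 - %s\\..\\%s: [%s] %s' % (hive, run_key, entry['name'], entry.get('command', ''))


def hidden_startup_lines(dump):
    """O4 lines for every entry MSConfig has parked, in dump order."""
    return [to_o4_line(e) for e in parse_startupreg(dump)]


def missing_from_log(dump, hjt_log):
    """Parked entries whose reconstructed O4 line is absent from a HijackThis log."""
    present = {l.strip() for l in hjt_log.splitlines() if l.strip().startswith('O4 ')}
    return [line for line in hidden_startup_lines(dump) if line not in present]


if __name__ == '__main__':
    for line in missing_from_log(SAMPLE_DUMP, SAMPLE_HJT_O4):
        print('hidden from HijackThis:', line)
```

Once the items are re-enabled in MSConfig, the reconstructed lines match the O4 entries that appear in the next HijackThis log in this thread.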
Old 06-20-2006, 04:16 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2006
Location: South London
Posts: 7
OS: Windows XP Professional


Background processes and disable unnecessary popup blockers

POST DELETED.

ONLY SECURITY TEAM STAFF MAY POST ADVICE TO USERS IN THIS FORUM.
__________________
Lee Steadman

Last edited by Glaswegian; 06-20-2006 at 05:40 AM. Reason: Unauthorised post
clearskycompLTD is offline  
Old 06-20-2006, 02:10 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Logfile of HijackThis v1.99.1
Scan saved at 4:08:41 PM, on 6/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\WINDOWS\System32\aspi161566.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1107721595\ee\aolsoftware.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\lesson\Free Lesson From VP.exe
C:\Program Files\Quicken\QWDLLS.EXE
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\Program Files\NetMedia\Versato.exe
C:\lotus\smartctr\SUITEST.EXE
C:\lotus\smartctr\SMARTCTR.EXE
c:\program files\common files\aol\1107721595\ee\aolssc.exe
C:\lotus\organize\easyclip.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\VsPlayer.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Hijack this\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\Run: [{B1-1B-BD-DD-ZN}] C:\windows\system32\ppdsregp.exe GID003
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [nsdajwp] C:\WINDOWS\nsdajwp.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\pwinqqez.exe GID003
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
O4 - Global Startup: NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/includes/MotivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi161566.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
Old 06-20-2006, 03:44 PM   #7 (permalink)
Analyst, Security Team
 
Vikesrock8411's Avatar
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\System32\x3cqp0.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [2a0c93d9.exe] C:\WINDOWS\System32\2a0c93d9.exe
O4 - HKLM\..\Run: [{B1-1B-BD-DD-ZN}] C:\windows\system32\ppdsregp.exe GID003
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [nsdajwp] C:\WINDOWS\nsdajwp.exe
O4 - HKLM\..\Run: [newname] C:\\newname25.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\pwinqqez.exe GID003
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe

Please remember to close all other windows, including browsers then click Fix checked.


Services
Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Microsoft ASPI Manager
  2. Double-click on it to open the Properties dialog.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in aspi113210 & then click on the OK button

Reboot your computer

Delete the following file:
C:\WINDOWS\System32\aspi161566.exe

Then run a new scan with Hijackthis and post the log here.
__________________
Vikesrock8411 is offline  
Old 06-20-2006, 03:59 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Logfile of HijackThis v1.99.1
Scan saved at 5:57:55 PM, on 6/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1107721595\ee\aolsoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\common files\aol\1107721595\ee\aolssc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\program files\common files\aol\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\lesson\Free Lesson From VP.exe
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\Program Files\NetMedia\Versato.exe
C:\lotus\smartctr\SUITEST.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
O4 - Global Startup: NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/includes/MotivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
Old 06-20-2006, 04:11 PM   #9 (permalink)
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Some of those entries returned and they shouldn't have; let's see if there is anything holding them in place.

Download GMER to your desktop.
  • Right Click the Zip and Select Extract All.
  • Open GMER and Click the Tab labeled RootKit.
  • Now Click Scan, it will take a while for the scan to complete.
  • Once done, Copy the results to Notepad and post them in the next reply.


Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
Vikesrock8411 is offline  
Old 06-20-2006, 07:11 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-20 19:27:57
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT 845A8109 ZwCreateThread

---- EOF - GMER 1.0.10 ----


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, June 20, 2006 9:10:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/06/2006
Kaspersky Anti-Virus database records: 201686
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 84674
Number of viruses found: 37
Number of infected objects: 82
Number of suspicious objects: 2
Duration of the scan process: 00:33:29

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\hostsmgr.exe QuickBatch: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PECompact: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PecBundle: infected - 1 skipped
C:\WINDOWS\hostsmgr.exe PE_Patch.PECompact: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MaxSearch.zip/mc-110-12-0000228.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MaxSearch.zip ZIP: suspicious - 1 skipped
C:\Program Files\Screensavers.com\Installer\temp\pltbinst.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Comet.ax skipped
C:\Program Files\Screensavers.com\Installer\temp\pltbinst.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ax skipped
C:\Program Files\Screensavers.com\Installer\temp\pltbinst.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058972.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058972.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058972.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058972.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP725\A0058972.exe Instyler: infected - 4 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061534.EXE Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061581.pif Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061582.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061583.exe Infected: Trojan-Downloader.Win32.Adload.bq skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061584.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/cmdmgr.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/cmdmgr.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/cmdmgr.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/cmdmgr.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar/cmdmgr.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe/data.rar Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061585.exe RarSFX: infected - 7 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061586.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061587.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061588.exe Infected: Trojan-Downloader.Win32.Agent.ala skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061589.exe Infected: Trojan-Downloader.Win32.Small.cqy skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061590.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061591.exe Infected: Trojan-Dropper.Win32.Mudrop.bq skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061592.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP727\A0061593.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061660.exe/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061660.exe/data0010 Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061660.exe/data0011/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061660.exe/data0011 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061660.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061662.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061662.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061662.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061662.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061664.exe Infected: Trojan-Downloader.Win32.Tiny.cl skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061666.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061666.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP728\A0061672.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP652\A0044038.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP708\A0052171.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.at skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ao skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP711\A0052685.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059857.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059858.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ai skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059859.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059860.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.z skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059861.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059862.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059864.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059865.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059866.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059867.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059868.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059869.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059870.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059872.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059873.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059874.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059875.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.t skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059876.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059878.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059879.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059880.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{9CC45980-3CE7-42AE-8CEE-55865BC21B9A}\RP726\A0059881.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped

Scan process completed.
dirtmcgirt is offline  
Old 06-20-2006, 07:44 PM   #11 (permalink)
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Screensavers.com

Delete the following folder:
C:\Program Files\Screensavers.com

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe

Please remember to close all other windows, including browsers then click Fix checked.


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot
  • In the popup box that appears, type in C:\WINDOWS\hostsmgr.exe
  • Click the Open button.
  • Click YES when prompted to restart your computer.

Run a new scan with Hijackthis and post the log here. If they come back again we'll have to attack them another way.
Vikesrock8411 is offline  
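As an added example (not code from this thread and not a HijackThis feature), the Python script below parses the O4 autostart lines from the logs posted above, applies the kind of checks the analyst applied by eye (empty value, executable in the drive root or in per-user application data, use of the RunServices key, random-looking names), and then reports which entries from a fix list are present again in a later log. The flagging rules are this example's own assumptions, not HijackThis logic.

```python
"""Triage HijackThis O4 (autostart) entries and check whether fixed ones came back.
Added example, not part of this thread and not a HijackThis feature; the O4 lines are
copied from the thread's logs, the flagging rules are this example's own heuristics
(how an analyst reads such a log), so the output is a review list, not a verdict."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")  # [Name] command
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) = (?P<target>.*)$")     # Foo.lnk = path
VOWELS = set("aeiouAEIOU")


@dataclass(frozen=True)
class Entry:
    loc: str     # HKLM\..\Run, HKLM\..\RunServices, HKCU\..\Run or Global Startup
    name: str    # registry value name or .lnk file name
    target: str  # command exactly as HijackThis printed it

    @property
    def exe(self) -> str:
        """Program path: quotes and HJT's doubled backslashes removed, arguments dropped."""
        cmd = self.target.replace("\\\\", "\\").strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd if cmd.lower().endswith(".exe") else cmd.split(" ", 1)[0]

    @property
    def stem(self) -> str:
        return self.exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def parse_o4(lines):
    """Yield an Entry for every O4 line; every other HijackThis line is ignored."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sub = RUN_RE.match(m.group("rest")) or LNK_RE.match(m.group("rest"))
        if sub:
            yield Entry(m.group("loc"), sub.group("name"), sub.group("target").strip())


def interior_digits(token: str) -> bool:
    """ssn6tuu or 2a0c93d9: digits inside a word ('AIM95', '3DMouse' are not flagged)."""
    return " " not in token and any(c.isdigit() for c in token.strip("0123456789"))


def flag(entries):
    """Map each suspicious Entry to the rules it tripped (entries with no hits are left out)."""
    entries = list(entries)
    via_runservices = {e.exe.upper() for e in entries if "RunServices" in e.loc}
    report = {}
    for e in entries:
        hits = []
        if not e.target:
            hits.append("no command behind the value")
        if re.match(r"^[A-Za-z]:\\[^\\]+$", e.exe):
            hits.append("executable sitting in the drive root")
        if "\\local settings\\application data\\" in e.exe.lower():
            hits.append("executable in per-user application data")
        if e.exe.upper() in via_runservices:
            hits.append("registered through RunServices (Win9x key, rarely legitimate on XP)")
        if interior_digits(e.name.rsplit(".", 1)[0]) or interior_digits(e.stem):
            hits.append("random-looking name with embedded digits")
        in_windir = "\\" not in e.exe or e.exe.upper().startswith("C:\\WINDOWS\\")
        if in_windir and len(e.stem) >= 5 and not (set(e.stem) & VOWELS):
            hits.append("vowel-less file name in the Windows folder")
        if hits:
            report[e] = hits
    return report


def returned(fix_list, after_lines):
    """Entries from a fix list that are present again in a later log."""
    after = set(parse_o4(after_lines))
    return [e for e in fix_list if e in after]


# O4 lines from the 6/16 log in this thread: a few ordinary entries plus the ten the analyst asked to fix.
LOG_0616 = [
    r"O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe",
    r"O4 - HKLM\..\Run: [MyWebSearch Email Plugin]",
    r"O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe",
    r'O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"',
    r"O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe",
    r"O4 - HKLM\..\Run: [defender] C:\\defender23a.exe",
    r"O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe",
    r"O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe",
    r"O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe",
    r"O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe",
    r"O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]
LOG_0621 = list(LOG_0616)  # the 6/21 log (post #12) lists every one of these entries again, unchanged

if __name__ == "__main__":
    report = flag(parse_o4(LOG_0616))
    for e, hits in report.items():
        print(f"{e.loc}: [{e.name}] {e.target}\n    -> {'; '.join(hits)}")
    print(f"\n{len(returned(list(report), LOG_0621))} of {len(report)} flagged entries are back in the 6/21 log")
```

The rules are deliberately loose: pctspk.exe, which the analyst did not ask to remove, trips the vowel rule, so the output is a list to review, not something to fix blindly.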
Old 06-21-2006, 04:39 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Yep.. I think they came back...

Logfile of HijackThis v1.99.1
Scan saved at 6:37:39 AM, on 6/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1107721595\ee\aolsoftware.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\Program Files\NetMedia\Versato.exe
C:\DOCUME~1\DAWN\LOCALS~1\Temp\PMLSP.exe
C:\lotus\smartctr\SUITEST.EXE
C:\Program Files\NetMedia\VsPlayer.exe
C:\lotus\smartctr\SMARTCTR.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard25.exe
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
O4 - Global Startup: NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/includes/MotivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
Old 06-21-2006, 08:46 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please download the file I have attached to this post, dirtmcgirt.zip. Unzip it to its own folder on your desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Double-click on dirtmcgirt.bat to run it. When finished, Notepad will open with a log. This log is saved at C:\vikes.txt. Reboot to normal mode and post that log along with a new HijackThis log here.
Vikesrock8411 is offline  
Old 06-22-2006, 04:34 AM   #14 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Pre-Run Files

Deleting files
Deletions complete

Cleaning registry
Registry Cleaning Complete!

Post-Run Files

Logfile of HijackThis v1.99.1
Scan saved at 6:34:08 AM, on 6/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\1107721595\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\lotus\smartctr\SUITEST.EXE
C:\Program Files\WinPortrait\floater.exe
C:\lotus\smartctr\SMARTCTR.EXE
C:\Program Files\NetMedia\VsPlayer.exe
C:\lotus\organize\easyclip.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Verizon Online\Support Center\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
O4 - Global Startup: NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/includes/MotivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
Old 06-22-2006, 11:21 AM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


There's definitely something there protecting them now; we'll have to keep looking until we can find it.

GMER didn't find the rootkit I thought it might, but let's check another way to make sure it isn't there.

Copy everything from the following box into Notepad
Code:
@echo off
REM Hidden-key test: create the pe386 service key, export it, then remove it.
REM A rootkit that hides that key makes the export fail, so check.txt never
REM appears and report.txt gets written. Caveat: the [-...] line below also
REM deletes the key if it already existed before this script ran.
del check.txt 2>nul
echo.REGEDIT4>!reg.reg
echo.>>!reg.reg
echo.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]>>!reg.reg
regedit.exe /s !reg.reg
regedit /a check.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386"
echo.[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]>>!reg.reg
regedit.exe /s !reg.reg
del !reg.reg
REM When the key exported normally no report.txt is written, so Notepad opens blank.
if not exist check.txt echo pe386 exists!>report.txt
del check.txt 2>nul
start notepad report.txt
Save the file as look.bat and double-click on it to run it. It should pop up with a report in Notepad.

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)

and
List Empty Sections(Complete)

It will produce a Notepad page; I need you to copy the entire contents of that page to the next reply.
Vikesrock8411 is offline  
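An added worked example, not part of any post in this thread: the comparison the analyst is doing by eye (which O4 entries the cleanup batch removed, and which were back in the next HijackThis log) done mechanically, plus a cross-check of the HijackThis view of the Run keys against the StartupList report posted further down, where HKLM\Software\Microsoft\Windows\CurrentVersion\Run shows "*No values found*" while HijackThis, run minutes earlier, listed entries under it. The O4 lines and the StartupList excerpt are copied from the logs in this thread; the function names, the triage flag names and the heuristics behind them, and the assumption that Windows lives on C: are mine. A flag means "look closer", not "malicious".

```python
import re
# Constructed sample input: O4 lines copied from the two HijackThis logs in this
# thread (before and after the cleanup batch file ran), trimmed to what matters.
PRE_RUN = r"""
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwgqyt.exe
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
POST_RUN = r"""
O4 - HKLM\..\Run: [defender] C:\\defender23a.exe
O4 - HKLM\..\Run: [0PaAbB9] C:\WINDOWS\rkncx.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [2a0c93d9.exe] C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
# Constructed excerpt of the StartupList report posted later in the thread.
STARTUPLIST = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2a0c93d9.exe = C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r"[a-z]:\\.*?\.exe", re.I)
SL_KEYS = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": ("HKLM", "Run"),
           r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": ("HKCU", "Run")}

def parse_hjt_o4(log):
    """{(hive, key, name.lower()): (name, exe_path)} for the registry O4 lines."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            exe = EXE_RE.search(cmd)
            path = exe.group(0).replace("\\\\", "\\") if exe else cmd  # C:\\x.exe -> C:\x.exe
            entries[(hive, key, name.lower())] = (name, path)
    return entries

def suspicion_flags(key, name, path):
    """Triage heuristics (my assumptions, not signatures): reasons to look closer, not proof."""
    hits = set()
    folder, _, filename = path.rpartition("\\")
    stem = re.sub(r"\.exe$", "", filename, flags=re.I)
    if re.fullmatch(r"[0-9a-f]{8,}", stem.lower()):
        hits.add("hex-name")               # 2a0c93d9.exe
    if re.search(r"[a-z]", name) and re.search(r"[A-Z]", name) and re.search(r"\d", name):
        hits.add("mixed-case-digits")      # value names like Hhl7RfpJ, 0PaAbB9
    if re.fullmatch(r"[a-z]:", folder.lower()):
        hits.add("drive-root")             # an .exe sitting directly in C:\
    if key.lower() == "runservices":
        hits.add("runservices")            # Win9x key; rarely written by XP-era installers
    if folder.lower() in (r"c:\windows", r"c:\windows\system32") and not re.search(r"[aeiou]", stem, re.I):
        hits.add("vowel-free-in-windows")  # dxvwgqyt.exe, rkncx.exe (vendor names can hit too)
    return hits

def compare_logs(pre, post):
    """Entries the cleanup removed, and survivors with flags unioned over every entry sharing the path."""
    a, b = parse_hjt_o4(pre), parse_hjt_o4(post)
    flags = {}
    for entries in (a, b):
        for (_, key, _), (name, path) in entries.items():
            flags.setdefault(path.lower(), set()).update(suspicion_flags(key, name, path))
    removed = sorted(k for k in a if k not in b)
    survived = {k: sorted(flags[a[k][1].lower()]) for k in a if k in b}
    return removed, survived

def parse_startuplist_run(report):
    """{(hive, key): {name.lower(), ...}} for the Run keys of a StartupList report."""
    seen, current, lines = {}, None, report.splitlines()
    for i, line in enumerate(lines):
        line = line.strip()
        if line == "Autorun entries from Registry:" and i + 1 < len(lines):
            current = SL_KEYS.get(lines[i + 1].strip())
        elif line.startswith("---"):
            current = None
        elif current and " = " in line:
            seen.setdefault(current, set()).add(line.split(" = ", 1)[0].lower())
    return seen

def cross_check(hjt_log, report):
    """Run-key values HijackThis shows that StartupList did not list for the same key."""
    sl = parse_startuplist_run(report)
    missing = {}
    for (hive, key, lname), (name, _) in parse_hjt_o4(hjt_log).items():
        if (hive, key) in SL_KEYS.values() and lname not in sl.get((hive, key), set()):
            missing.setdefault((hive, key), []).append(name)
    return missing

if __name__ == "__main__":
    print(compare_logs(PRE_RUN, POST_RUN), cross_check(POST_RUN, STARTUPLIST), sep="\n")
```

The survivor list stands on its own: an entry that was deleted in Safe Mode and is back after a reboot is worth a look even when no heuristic fires. Two tools disagreeing about the same key is a lead, not a verdict; it can be a hooked registry API hiding values from one of them or simply a tool quirk, and the thread does not establish which it is here.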
Old 06-22-2006, 03:05 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


I ran that bat file, and the txt file that opened up was blank. I downloaded Blacklight and I got an error message trying to run it.

Here is the error. I searched on Blacklight's page for help, but had no luck.

blacklight error.bmp
dirtmcgirt is offline  
Old 06-22-2006, 10:35 PM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


The blank Notepad page indicates that the rootkit was not present.

Please download and install this program to fix the Blacklight error:
http://download.bleepingcomputer.com...ug-Restore.exe
Vikesrock8411 is offline  
Old 06-23-2006, 04:36 AM   #18 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


06/23/06 06:29:58 [Info]: BlackLight Engine 1.0.41 initialized
06/23/06 06:29:58 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/23/06 06:30:04 [Note]: 7019 4
06/23/06 06:30:04 [Note]: 7005 0
06/23/06 06:32:34 [Note]: 7006 0
06/23/06 06:32:34 [Note]: 7011 1912
06/23/06 06:32:34 [Note]: 7026 0
06/23/06 06:32:35 [Note]: 7026 0
06/23/06 06:32:41 [Note]: FSRAW library version 1.7.1018
06/23/06 06:33:50 [Note]: 7007 0




StartupList report, 6/23/2006, 6:35:19 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijack this\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\Program Files\NetMedia\Versato.exe
C:\lotus\smartctr\SUITEST.EXE
C:\lotus\smartctr\SMARTCTR.EXE
C:\lotus\organize\easyclip.exe
C:\Program Files\NetMedia\VsPlayer.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack this\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\DAWN\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
Lotus QuickStart.lnk = ?
Lotus Organizer EasyClip.lnk = ?
iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2a0c93d9.exe = C:\Documents and Settings\DAWN\Local Settings\Application Data\2a0c93d9.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english...an_unicode.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[AOL Content Update]
InProcServer32 = C:\Program Files\Common Files\AolCoach\en_en\GTDownAO_106.ocx
CODEBASE = http://esupport.aol.com/help/acp2/en...ach_core_1.cab

[{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}]
CODEBASE = http://aolcc.aol.com/computercheckup/qdiagcc.cab

[Facebook Photo Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx
CODEBASE = http://upload.facebook.com/controls/...toUploader.cab

[ActivatorControl1 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Activator.dll
CODEBASE = https://objects.aol.com/activator/en-us/Activator.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...921.4239351852

[PreQualifier Class]
InProcServer32 = C:\Program Files\Common Files\Verizon Online\Motive\MotivePreQual.dll
CODEBASE = http://portal.verizon.net/checkmypc/...ivePreQual.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: connwsp.dll (file MISSING)
Protocol #2: connwsp.dll (file MISSING)
Protocol #3: connwsp.dll (file MISSING)
Protocol #4: connwsp.dll (file MISSING)
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\rsvpsp.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll
Protocol #27: C:\WINDOWS\system32\mswsock.dll
Protocol #28: connwsp.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (autostart)
AOL Antivirus Update Service: "C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe" (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASAPIW2K: System32\Drivers\ASAPIW2K.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CxVCap, WDM Video Capture: system32\drivers\cxvcap.sys (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Cdrdrv: System32\Drivers\Cdrdrv.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CxTuner, WDM TvTuner: system32\drivers\CXTUNER.sys (autostart)
CxXBar, WDM Crossbar: system32\drivers\CXXBAR.sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EntDrv51: \??\C:\WINDOWS\System32\drivers\EntDrv51.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
fixustor: system32\drivers\fixustor.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee McShield: C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
MPFIREWL: System32\Drivers\MpFirewall.sys (system)
McAfee Personal Firewall Service: "C:\Program Files\mcafee.com\personal firewall\MPFService.exe" (autostart)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
oreans32: \??\C:\WINDOWS\system32\drivers\oreans32.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
pivot: system32\drivers\pivot.sys (system)
Pivot Mouse/Pointers Filter Driver: \??\C:\WINDOWS\system32\drivers\pivotmou.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINDOWS\System32\drivers\pmemnt.sys (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
W2K Pctel Serial Device Driver: System32\DRIVERS\ptserial.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
RemoteRegBck: "C:\WINDOWS\regsvc.exe" (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSide: System32\DRIVERS\siside.sys (system)
sisidex: system32\drivers\sisidex.sys (system)
SiSkp: system32\drivers\srvkp.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
Add Performance Filter Driver: system32\drivers\sisperf.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{40A970B9-347F-4429-9E10-FFCA07086B65} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LapLink Mirror Driver Miniport: System32\Drivers\tsircmir.sys (system)
TSI Remote Control Service: C:\WINDOWS\System32\TSIRCSRV.EXE (autostart)
tsiregmo: \SystemRoot\system32\drivers\tsiregmo.sys (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
W2k Vmodem: System32\DRIVERS\vmodem.sys (system)
W2k Vpctcom: System32\DRIVERS\vpctcom.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
W2k Vvoice: System32\DRIVERS\vvoice.sys (system)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
wmiprvse: "C:\WINDOWS\wmiprvse32.exe" (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36,983 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
dirtmcgirt is offline  
Old 06-23-2006, 07:28 PM   #19 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 28
OS: 2000/XP


Hey Vikes... I hope that you don't mind, but I went ahead and ran Look2Me-Destroyer, and it seemed to help. I was able to find and delete 2a0c93d9.exe, and the others seem to be gone as well.

Here is a new log


Logfile of HijackThis v1.99.1
Scan saved at 9:24:59 PM, on 6/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\wmiprvse32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\umonit.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\AOL\1107721595\ee\aolsoftware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\3DMouse\3DMouse.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\NovaDisk+\schtrayd.exe
C:\Program Files\NovaDisk+\Scheduler\schengd.exe
C:\Program Files\NetMedia\Versato.exe
C:\lotus\smartctr\SUITEST.EXE
C:\lotus\smartctr\SMARTCTR.EXE
C:\Program Files\NetMedia\VsPlayer.exe
C:\lotus\organize\easyclip.exe
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\NetMedia\OSD.EXE
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DAWN\Application Data\Mozilla\Profiles\default\uqr3f2i8.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107721595\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1107721595\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [3DMouse] C:\PROGRA~1\3DMouse\3DMouse.EXE
O4 - Global Startup: Video Professor.lnk = C:\Program Files\lesson\Free Lesson From VP.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: NovaDisk+ Scheduler Tray Control.lnk = C:\Program Files\NovaDisk+\schtrayd.exe
O4 - Global Startup: NovaDisk+ Schedule Service Controller.lnk = C:\Program Files\NovaDisk+\Scheduler\schengd.exe
O4 - Global Startup: NetMedia.lnk = C:\Program Files\NetMedia\Versato.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\SMARTCTR.EXE
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8DD733A8-353A-4E93-AB85-93CA8DC96F6A} (ActivatorControl1 Class) - https://objects.aol.com/activator/en-us/Activator.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://portal.verizon.net/checkmypc/includes/MotivePreQual.cab
O18 - Protocol: iwd - {EA5F5649-A6C7-11D4-9E3C-0020AF0FFB56} - C:\Program Files\Insight Development\Net Knowledge Tools\common\IwdProtocol.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1107721595\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
dirtmcgirt is offline  
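As an added example (not part of this thread and not HijackThis's own code), the script below shows how an analyst can parse the O4, O10 and O23 entries of a log like the one above and pull out the lines that deserve a second look before anything is deleted. The sample input is a handful of lines copied from the log; the regular expressions and the "binary sits directly in the Windows directory" heuristic are my own assumptions about the log format, and a flag means "verify this", never "this is malicious" (the AOL WAN Miniport service trips the same heuristic as the two unknown-owner entries).

```python
import re
from typing import List

# Constructed sample input: lines copied from the HijackThis log in this thread.
# Raw string so the Windows backslashes stay literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Lotus QuickStart.lnk = ?
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: wmiprvse - Unknown owner - C:\WINDOWS\wmiprvse32.exe
"""

# Assumed layouts of the three entry types (derived from the log lines above).
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(
    r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Heuristic: a service executable living directly under C:\WINDOWS rather than a subfolder.
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Turn one HijackThis entry into a dict; unknown sections keep only 'section' and 'raw'."""
    section = line.split(" - ", 1)[0]
    entry = {"section": section, "raw": line}
    if section == "O4":
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            entry.update(m.groupdict())
    elif section == "O23":
        m = O23_RE.match(line)
        if m:
            entry.update(m.groupdict())
            entry["missing"] = bool(m.group("missing"))  # True when HJT appended "(file missing)"
    return entry


def triage(log_text: str) -> List[dict]:
    """Return the entries an analyst should review first, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_line(line)
        reasons = []
        if entry["section"] == "O10":
            reasons.append("Winsock LSP chain is broken; repair it first or the machine may lose connectivity")
        if entry["section"] == "O4" and entry.get("target") == "?":
            reasons.append("startup shortcut points at a target HijackThis could not resolve")
        if entry["section"] == "O23":
            if entry.get("missing"):
                reasons.append("service is registered but its binary is gone (stale registration)")
            if entry.get("owner") == "Unknown owner":
                reasons.append("binary carries no publisher information; identify it before trusting it")
            if WINDOWS_ROOT_RE.match(entry.get("path", "")):
                reasons.append("heuristic: service binary sits directly in the Windows directory")
        if reasons:
            findings.append({"raw": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["raw"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

On the sample above the script flags five lines: the unresolvable Lotus shortcut, the O10 LSP entry, both "Unknown owner" services and the WAN Miniport service (heuristic only), while the ewido service and the two HKLM Run entries pass untouched. Each flagged line is a prompt to check the file's origin, not an instruction to fix it.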
Old 06-24-2006, 09:41 PM   #20 (permalink)
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


That's strange, there were no signs of L2Me in any of your previous logs from any other program. I'll have to keep that in mind if I get another stubborn one like yours. Thanks for the information!!

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize", which helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources; run it once and you're all set. Spyware Guard is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
__________________
Vikesrock8411 is offline  
Copyright 2001 - 2009, Tech Support Forum