Same issue with iexplore.exe

glaz3 · 11-27-2006, 07:54 PM

I've been having problems with iexplore.exe It keeps poping back up and starts to freez my pc, even when i open Fire fox it comes back up. Glaswegian told me to come here and post what i have for hijackthis. I really need help.

Logfile of HijackThis v1.99.1
Scan saved at 6:47:26 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Ried · 11-27-2006, 08:30 PM

Hello glaz3,

The infection you have, a variant of vundo, recognizes HijackThis and prevents HJT from reading the registry locations where it resides as well as hiding other infections in those locations.

I'd like you to rename HijackThis.exe to glaz.exe.

Navigate to C:\Documents and Settings\abde\Desktop\hijackthis\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in glaz.exe
Press Enter.

Run a new scan with glaz.exe and post the log here please.

glaz3 · 11-27-2006, 08:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:44:39 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\glaz.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C111456-A957-42A5-8BE4-F60645417351} - C:\WINDOWS\system32\jkhfd.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Ried · 11-27-2006, 08:57 PM

Hello glaz3,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------

Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v jkhfd

When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

VSAdd-in

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)

Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using My Computer, navigate to and delete the following Folder if it still exists.

C:\Program Files\ VSAdd-in

-----------------------------------

Reboot your system.

-----------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware.

Please download and install this excellent and FREE anti-virus program:

Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.

Please remember to register for your Activation Code using a legitimate email address.
Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds.
When done, launch Active Virus Shield's main window.
Click the Scan button on the left, and then click Detected.
In the ensuing window, click the Save As button to save a copy of the log.
Copy and paste that log in your next reply.

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

-----------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

Create an Uninstall List:
Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.

-----------------------------------

Run a new scan with glaz.exe and save the log.

-----------------------------------

Please include the following in your next reply:

ComboFix2.txt
Panda results
ComboFix.txt
uninstall_list.txt
New HijackThis log (glaz.exe)

glaz3 · 11-27-2006, 10:22 PM

Sorry for taking so long. My pc is in critical condition.. I'll try to respond with everything as soon as i'm done.

glaz3 · 11-27-2006, 10:24 PM

99% - Scan My Computer
----------------------
Scanned: 48399
Detected: 6
Untreated: 6
Start time: 06-11-27 21:21
Duration: 00:02:42
Finish time: 06-11-27 21:23

Detected
--------
Status Object
------ ------
detected: adware not-a-virus:AdWare.Win32.180Solutions.ao File: C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe/WiseSFX Dropper
detected: adware not-a-virus:AdWare.Win32.180Solutions.ao File: C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe/WiseSFX Dropper/WISE0023.BIN/clientax.dll
detected: adware not-a-virus:AdWare.Win32.SaveNow.ca File: C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
detected: adware not-a-virus:AdWare.Win32.HotBar.bq File: C:\WINDOWS\system32\xuaiaqri.exe
detected: adware not-a-virus:AdWare.Win32.HotBar.bi File: C:\WINDOWS\system32\zrozspsd.exe/data0018/data0003/UPX
detected: adware not-a-virus:AdWare.Win32.HotBar.bi File: C:\WINDOWS\system32\zrozspsd.exe/data0018/data0004

Events
------
Time Name Status Reason
---- ---- ------ ------

Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archived Compressed Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ---------- ------------------ ---------
All Hard Drives 48399 5 5 0 0 115 5 265 0

Settings
--------
Name Value
---- -----
Security Level Recommended
Action Prompt for action when the scan is complete
File types All
Scan new and changed files only No
Scan archives All
Scan embedded OLE objects All
Skip if object is greater than No
Skip if scan takes longer than No
Parse e-mail formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Show detected threats on "Detected" tab Yes

Ried · 11-28-2006, 06:25 AM

Hi,

Have you completed the other steps? I really need to see these reports in order to continue:

ComboFix2.txt
ComboFix.txt
uninstall_list.txt
New HijackThis log

glaz3 · 11-28-2006, 10:01 AM

Administrator - 06-11-28 8:56:52.35 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\components
C:\Program Files\Common Files\{80AC8B4F-07DA-1033-0614-050709040001}

((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))

2006-11-28 08:54 616 --a------ C:\Combo.bat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-28 08:56 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Xfire
2006-11-28 08:53 -------- d-------- C:\Program Files\Common Files
2006-11-27 21:56 -------- d---s---- C:\Program Files\Xfire
2006-11-27 21:51 -------- d-------- C:\Program Files\Internet Explorer
2006-11-27 21:44 -------- d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2006-11-27 19:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-11-27 18:04 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2006-11-27 17:01 -------- d-------- C:\Program Files\Steam
2006-11-27 16:39 -------- d-------- C:\Program Files\mIRC
2006-11-26 21:54 1007344 ---hs---- C:\WINDOWS\system32\dfhkj.bak2
2006-11-26 21:20 -------- d-------- C:\Program Files\Movie Maker
2006-11-26 21:20 -------- d-------- C:\Program Files\DivX
2006-11-26 20:47 -------- d-------- C:\Program Files\Trillian
2006-11-14 21:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 00:44 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-11-08 19:56 -------- d-------- C:\Program Files\HLSW
2006-10-19 16:14 67604 --a------ C:\WINDOWS\system32\bltjlhci.exe
2006-10-03 11:28 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2006-10-03 10:13 -------- dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2006-09-28 14:49 -------- d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2006-09-28 14:27 73748 --a------ C:\WINDOWS\system32\fusxnywh.dll
2006-09-25 12:14 143380 --a------ C:\WINDOWS\system32\ilfxsymw.exe
2006-09-25 12:13 820157 ---hs---- C:\WINDOWS\system32\dfhkj.bak1
2006-09-20 10:50 94720 --a------ C:\WINDOWS\system32\lhnjsrk.dll
2006-09-20 05:58 577588 ---hs---- C:\WINDOWS\system32\jkhfd.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Fantastic Flame Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\Fantastic Flame Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FANTAS~1\\FANTAS~2.EXE "
"item"="Fantastic Flame Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WarpSpeeder Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WarpSpeeder Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\WarpSpeeder Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WARPSP~1\\BSTRAY~1.EXE "
"item"="WarpSpeeder Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM305_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DaemonTools_WhenUSaveNow_Installer"
"hkey"="HKLM"
"command"="C:\\Program Files\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb10"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lhnjsrk.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lhnjsrk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lhnjsrk.dll,tbtytxe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SBInst"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SPAMBL~1\\Bin\\480~1.0\\SBInst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbOEAddOn"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbOEAddOn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spydoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\spydoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvaqhgck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xuaiaqri"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\xuaiaqri.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uhvjsul.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhvjsul"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdS7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbWeatherOnTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbWeatherOnTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Save\\Save.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winexes]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="server"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\server.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-11-28 9:00:49.18
C:\ComboFix.txt ... 06-11-28 09:00
C:\ComboFix2.txt ... 06-11-28 08:53

glaz3 · 11-28-2006, 10:07 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:07:44 AM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\glaz.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {DF5C3FF2-C151-4A7F-9787-DC67A6D7183C} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\macoejhg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: Download all links using BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

glaz3 · 11-28-2006, 10:08 AM

Active Virus Shield
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Belarc Advisor 7.1
BitComet 0.77
Client Fix 1.9.2
CMN3
Dawn
DivX
DivX Converter
DivX Player
DivX Web Player
DVC305
DVD Decrypter (Remove Only)
Fantastic Flame Screensaver
ffdshow
FLV Player 1.3.3
Fraps (remove only)
Guild Wars
HijackThis 1.99.1
HLSW v1.0.0.50
HP Deskjet 6500
HP Software Update
Huffyuv AVI lossless video codec (Remove Only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Lavasoft VX2 Cleaner
LimeWire 4.10.9
MAIET entertainment - Gunz
MaxBlast 4
Microsoft .NET Framework 1.1
mIRC
Mozilla Firefox (2.0)
Nero Suite
NVIDIA Drivers
Oblivion
Panda ActiveScan
PowerDVD
PowerISO
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Task Manager 1.7
Skype 2.5
Smart Guardian
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Sony DVD Architect 3.0
Sony Vegas 6.0
Spybot - Search & Destroy 1.4
Spyware Doctor 2.1
Steam
Sygate Personal Firewall
Trillian
UltraISO 8.0 Premium Edition
Ventrilo Client
Ventrilo Server
VideoLAN VLC media player 0.8.5
VIMICRO USB PC Camera V
VobSub v2.23 (Remove Only)
WarpSpeeder
Winamp (remove only)
WinAVIVideoConverter
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 2
WinRAR archiver
WinZip
World of Warcraft
XBC 5.1
Xfire (remove only)
XviD MPEG-4 Video Codec

glaz3 · 11-28-2006, 10:15 AM

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[c5.zedo.com/]
Spyware:Cookie/Dbbsrv Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[dbbsrv.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Desktop\oldoblivion\oldblivion.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\hfivfssk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lctlmkdu.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\mxpiiywh.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\pltnupah.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\tbfevlwy.dll
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.advertising.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter3.sextracker.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter4.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter7.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter2.sextracker.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.overture.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.com.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.did-it.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.perf.overture.com/]
Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\bltjlhci.exe
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\fusxnywh.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ilfxsymw.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\jkhfd.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\srybqetk.exe

Ried · 11-28-2006, 10:20 AM

Hi,

Can you please post ComboFix2.txt as well--you'll find it at C:\Combofix2.txt I need to see that report as I still see that file present on the system that the first instruction should have taken out.

glaz3 · 11-28-2006, 10:33 AM

Administrator - 06-11-28 8:49:39.14 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\components
C:\Program Files\Common Files\{80AC8B4F-07DA-1033-0614-050709040001}

((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))

2006-11-28 08:47 60,436 --a------ C:\WINDOWS\system32\macoejhg.dll
2006-11-27 21:34 951,460 ---hs---- C:\WINDOWS\system32\dfhkj.ini2
2006-11-27 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-27 20:21 <DIR> d-------- C:\Program Files\AOL
2006-11-27 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2006-11-27 19:58 <DIR> d-------- C:\Downloads
2006-11-26 21:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2006-11-26 21:32 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-11-26 20:57 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-26 20:21 73,728 --a------ C:\WINDOWS\system32\pv_c3.exe
2006-11-26 20:21 119,056 --a------ C:\WINDOWS\system32\reg_c3.exe
2006-11-26 20:21 <DIR> d-------- C:\Program Files\CEVO
2006-11-21 12:55 <DIR> d-------- C:\Program Files\Security Task Manager
2006-11-21 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-11-14 21:03 <DIR> d-------- C:\Program Files\Maxtor
2006-11-11 00:44 <DIR> d-------- C:\Program Files\World of Warcraft
2006-11-03 15:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-11-01 16:01 110,612 --a------ C:\WINDOWS\system32\srybqetk.exe
2006-10-30 06:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2006-10-29 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-10-29 17:46 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2006-10-29 17:46 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2006-10-29 17:46 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2006-10-29 17:46 <DIR> d-------- C:\Program Files\Sygate
2006-10-29 15:59 118,804 --a------ C:\WINDOWS\system32\tgoysbcu.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-28 08:53 -------- d-------- C:\Program Files\Common Files
2006-11-28 08:47 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Xfire
2006-11-27 21:56 -------- d---s---- C:\Program Files\Xfire
2006-11-27 21:51 -------- d-------- C:\Program Files\Internet Explorer
2006-11-27 21:44 -------- d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2006-11-27 19:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-11-27 18:04 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2006-11-27 17:01 -------- d-------- C:\Program Files\Steam
2006-11-27 16:39 -------- d-------- C:\Program Files\mIRC
2006-11-26 21:54 1007344 ---hs---- C:\WINDOWS\system32\dfhkj.bak2
2006-11-26 21:20 -------- d-------- C:\Program Files\Movie Maker
2006-11-26 21:20 -------- d-------- C:\Program Files\DivX
2006-11-26 20:47 -------- d-------- C:\Program Files\Trillian
2006-11-14 21:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 00:44 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-11-08 19:56 -------- d-------- C:\Program Files\HLSW
2006-10-19 16:14 67604 --a------ C:\WINDOWS\system32\bltjlhci.exe
2006-10-03 11:28 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2006-10-03 10:13 -------- dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2006-09-28 14:49 -------- d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2006-09-28 14:27 73748 --a------ C:\WINDOWS\system32\fusxnywh.dll
2006-09-25 12:14 143380 --a------ C:\WINDOWS\system32\ilfxsymw.exe
2006-09-25 12:13 820157 ---hs---- C:\WINDOWS\system32\dfhkj.bak1
2006-09-20 10:50 94720 --a------ C:\WINDOWS\system32\lhnjsrk.dll
2006-09-20 05:58 577588 ---hs---- C:\WINDOWS\system32\jkhfd.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Fantastic Flame Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\Fantastic Flame Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FANTAS~1\\FANTAS~2.EXE "
"item"="Fantastic Flame Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WarpSpeeder Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WarpSpeeder Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\WarpSpeeder Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WARPSP~1\\BSTRAY~1.EXE "
"item"="WarpSpeeder Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM305_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DaemonTools_WhenUSaveNow_Installer"
"hkey"="HKLM"
"command"="C:\\Program Files\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb10"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lhnjsrk.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lhnjsrk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lhnjsrk.dll,tbtytxe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SBInst"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SPAMBL~1\\Bin\\480~1.0\\SBInst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbOEAddOn"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbOEAddOn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spydoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\spydoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvaqhgck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xuaiaqri"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\xuaiaqri.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uhvjsul.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhvjsul"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdS7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbWeatherOnTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbWeatherOnTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Save\\Save.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winexes]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="server"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\server.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-11-28 8:53:28.31
C:\ComboFix.txt ... 06-11-28 08:53

Ried · 11-28-2006, 10:42 AM

Thank you.

It's going to take me a bit of time to go through all these reports and prepare the next set of fixes for you. I expect to have a reply ready for you within the hour.

Ried · 11-28-2006, 11:23 AM

Ok, here we go with round 2.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download KillBox. (it's important that you get version v2.0.0.175)

------------

Download the attached glaze.zip file to your desktop. Do not run it just yet.

-------------------------------------

Close any open browsers.

-------------------------------------

Double click on the glaze.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

-------------------------------------

Launch KillBox.exe & select the following options:

delete on Reboot

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\xuaiaqri.exe
C:\WINDOWS\system32\zrozspsd.exe
C:\WINDOWS\system32\bltjlhci.exe
C:\WINDOWS\system32\ilfxsymw.exe
C:\WINDOWS\system32\srybqetk.exe
C:\WINDOWS\system32\server.exe
C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe

Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:

* Delete on Reboot
* End Explorer Shell While Killing File

Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run [b]missingfilesetup.exe[/color]. Then try Killbox again.

-----------------------------------

Using My Computer, navigate to and delete the following Folders if they still exist.

C:\Program Files\ DaemonTools_WhenUSaveNow_Installer
C:\Program Files\ Save
c:\program files\ zango

-----------------------------------

Clear Mozilla Firefox cookies:
Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear

-----------------------------------

Clear Internet Explorer Cookies: (you do not need to be connected to the internet to perform this)
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

-----------------------------------

Click Start then Run then copy/paste the entire text below into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh

When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-----------------------------------

After the reboot, run another online scan at Panda and save the report.

-----------------------------------

Run another scan with glaze.exe and save the log.

-----------------------------------

Please include the following in your next reply:

ComboFix.txt
Panda results
New HijackThis log (glaze.exe)

How is your system behaving now?

glaz3 · 11-28-2006, 11:46 AM

Administrator - 06-11-28 8:49:39.14 Service Pack 2
ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\components
C:\Program Files\Common Files\{80AC8B4F-07DA-1033-0614-050709040001}

((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))

2006-11-28 08:47 60,436 --a------ C:\WINDOWS\system32\macoejhg.dll
2006-11-27 21:34 951,460 ---hs---- C:\WINDOWS\system32\dfhkj.ini2
2006-11-27 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-27 20:21 <DIR> d-------- C:\Program Files\AOL
2006-11-27 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2006-11-27 19:58 <DIR> d-------- C:\Downloads
2006-11-26 21:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2006-11-26 21:32 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-11-26 20:57 <DIR> d--hs---- C:\WINDOWS\CSC
2006-11-26 20:21 73,728 --a------ C:\WINDOWS\system32\pv_c3.exe
2006-11-26 20:21 119,056 --a------ C:\WINDOWS\system32\reg_c3.exe
2006-11-26 20:21 <DIR> d-------- C:\Program Files\CEVO
2006-11-21 12:55 <DIR> d-------- C:\Program Files\Security Task Manager
2006-11-21 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-11-14 21:03 <DIR> d-------- C:\Program Files\Maxtor
2006-11-11 00:44 <DIR> d-------- C:\Program Files\World of Warcraft
2006-11-03 15:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-11-01 16:01 110,612 --a------ C:\WINDOWS\system32\srybqetk.exe
2006-10-30 06:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2006-10-29 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-10-29 17:46 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2006-10-29 17:46 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2006-10-29 17:46 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2006-10-29 17:46 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2006-10-29 17:46 <DIR> d-------- C:\Program Files\Sygate
2006-10-29 15:59 118,804 --a------ C:\WINDOWS\system32\tgoysbcu.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-28 08:53 -------- d-------- C:\Program Files\Common Files
2006-11-28 08:47 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Xfire
2006-11-27 21:56 -------- d---s---- C:\Program Files\Xfire
2006-11-27 21:51 -------- d-------- C:\Program Files\Internet Explorer
2006-11-27 21:44 -------- d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer
2006-11-27 19:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-11-27 18:04 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-11-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Skype
2006-11-27 17:01 -------- d-------- C:\Program Files\Steam
2006-11-27 16:39 -------- d-------- C:\Program Files\mIRC
2006-11-26 21:54 1007344 ---hs---- C:\WINDOWS\system32\dfhkj.bak2
2006-11-26 21:20 -------- d-------- C:\Program Files\Movie Maker
2006-11-26 21:20 -------- d-------- C:\Program Files\DivX
2006-11-26 20:47 -------- d-------- C:\Program Files\Trillian
2006-11-14 21:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 00:44 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-11-08 19:56 -------- d-------- C:\Program Files\HLSW
2006-10-19 16:14 67604 --a------ C:\WINDOWS\system32\bltjlhci.exe
2006-10-03 11:28 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2006-10-03 10:13 -------- dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2006-09-28 14:49 -------- d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2006-09-28 14:27 73748 --a------ C:\WINDOWS\system32\fusxnywh.dll
2006-09-25 12:14 143380 --a------ C:\WINDOWS\system32\ilfxsymw.exe
2006-09-25 12:13 820157 ---hs---- C:\WINDOWS\system32\dfhkj.bak1
2006-09-20 10:50 94720 --a------ C:\WINDOWS\system32\lhnjsrk.dll
2006-09-20 05:58 577588 ---hs---- C:\WINDOWS\system32\jkhfd.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Fantastic Flame Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\Fantastic Flame Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FANTAS~1\\FANTAS~2.EXE "
"item"="Fantastic Flame Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WarpSpeeder Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WarpSpeeder Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\WarpSpeeder Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WARPSP~1\\BSTRAY~1.EXE "
"item"="WarpSpeeder Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM305_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DaemonTools_WhenUSaveNow_Installer"
"hkey"="HKLM"
"command"="C:\\Program Files\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpcmpmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb10"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lhnjsrk.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lhnjsrk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lhnjsrk.dll,tbtytxe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SBInst"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SPAMBL~1\\Bin\\480~1.0\\SBInst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbOEAddOn"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbOEAddOn.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spydoctor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Spyware Doctor\\spydoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvaqhgck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xuaiaqri"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\xuaiaqri.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uhvjsul.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhvjsul"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdS7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SbWeatherOnTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbWeatherOnTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Save"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Save\\Save.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winexes]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="server"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\server.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zango"
"hkey"="HKLM"
"command"="\"c:\\program files\\zango\\zango.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-11-28 8:53:28.31
C:\ComboFix.txt ... 06-11-28 08:53

Ried · 11-28-2006, 11:50 AM

It appears you are double clicking combofix.exe to run it--that is not how we need to use it at this moment.

It needs to be run like this:

Click Start then Run then copy/paste the entire text below into the Run box then click OK:

"%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh

When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

glaz3 · 11-28-2006, 12:20 PM

Incident Status Location

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Desktop\oldoblivion\oldblivion.exe
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.advertising.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter3.sextracker.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter4.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter7.sextracker.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter2.sextracker.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.overture.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.com.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.did-it.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.perf.overture.com/]
Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe

glaz3 · 11-28-2006, 02:36 PM

I'm trying to use combofix but it freezes and when i go to add remove program I get the "blue screen"

Ried · 11-28-2006, 04:40 PM

Hi,

I need more detail--as much as you can provide:

1. Are you copy/pasting this command--exactly as shown in the bold red text--into the Run box?

"%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh

2. What do you mean by combofix is freezing? What does it say in the combofix screen?

3. I have not sent you into the Add/Remove panel yet--what are you trying to uninstall?

4. Have you run Killbox yet? Did you have any difficulties with that step?

11-27-2006, 07:54 PM	#1 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Same issue with iexplore.exe I've been having problems with iexplore.exe It keeps poping back up and starts to freez my pc, even when i open Fire fox it comes back up. Glaswegian told me to come here and post what i have for hijackthis. I really need help. Logfile of HijackThis v1.99.1 Scan saved at 6:47:26 PM, on 11/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Xfire\Xfire.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing) O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe Last edited by glaz3; 11-27-2006 at 07:57 PM.

11-27-2006, 08:30 PM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Hello glaz3, The infection you have, a variant of vundo, recognizes HijackThis and prevents HJT from reading the registry locations where it resides as well as hiding other infections in those locations. I'd like you to rename HijackThis.exe to glaz.exe. Navigate to C:\Documents and Settings\abde\Desktop\hijackthis\HijackThis.exe Right click on HijackThis.exe Select 'Rename' Type in glaz.exe Press Enter. Run a new scan with glaz.exe and post the log here please. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-27-2006, 08:57 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Hello glaz3, Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ************************************************* Download Combofix and save it to your desktop. Note: It is important that it is saved directly to your desktop ------------------------------------- Close any open browsers. ------------------------------------- Go to <<Start>> then <<Run>> then paste in the single line command then click OK "%userprofile%\desktop\combofix.exe" /v jkhfd When finished, it shall produce a log for you. We'll need that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ----------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) VSAdd-in ----------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist: R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing) O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing) Click 'Fix Checked' and close HijackThis. ----------------------------------- Go to My Computer->Tools->Folder Options->View** tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. ----------------------------------- Using My Computer, navigate to and delete the following Folder if it still exists. C:\Program Files\ VSAdd-in ----------------------------------- Reboot your system. ----------------------------------- I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. Please download and install this excellent and FREE anti-virus program: Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop. Please remember to register for your Activation Code using a legitimate email address. Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process: Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds. When done, launch Active Virus Shield's main window. Click the Scan button on the left, and then click Detected. In the ensuing window, click the Save As button to save a copy of the log. Copy and paste that log in your next reply. Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable. ----------------------------------- Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan ----------------------------------- Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post the ComboFix.txt in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ----------------------------------- Create an Uninstall List: Open HijackThis Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" The list will automatically be saved in your HijackThis folder. Please copy and paste the uninstall_list.txt here. ----------------------------------- Run a new scan with glaz.exe and save the log. ----------------------------------- Please include the following in your next reply: ComboFix2.txt Panda results ComboFix.txt uninstall_list.txt New HijackThis log (glaz.exe) __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-28-2006, 06:25 AM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Hi, Have you completed the other steps? I really need to see these reports in order to continue: ComboFix2.txt ComboFix.txt uninstall_list.txt New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-28-2006, 10:20 AM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Hi, Can you please post ComboFix2.txt as well--you'll find it at C:\Combofix2.txt I need to see that report as I still see that file present on the system that the first instruction should have taken out. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-27-2006, 08:45 PM	#3 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Logfile of HijackThis v1.99.1 Scan saved at 7:44:39 PM, on 11/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Xfire\Xfire.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\explorer.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Administrator\Desktop\glaz.exe.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {2C111456-A957-42A5-8BE4-F60645417351} - C:\WINDOWS\system32\jkhfd.dll O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing) O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

11-27-2006, 10:22 PM	#5 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Sorry for taking so long. My pc is in critical condition.. I'll try to respond with everything as soon as i'm done.

11-27-2006, 10:24 PM	#6 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	99% - Scan My Computer ---------------------- Scanned: 48399 Detected: 6 Untreated: 6 Start time: 06-11-27 21:21 Duration: 00:02:42 Finish time: 06-11-27 21:23 Detected -------- Status Object ------ ------ detected: adware not-a-virus:AdWare.Win32.180Solutions.ao File: C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe/WiseSFX Dropper detected: adware not-a-virus:AdWare.Win32.180Solutions.ao File: C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe/WiseSFX Dropper/WISE0023.BIN/clientax.dll detected: adware not-a-virus:AdWare.Win32.SaveNow.ca File: C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe detected: adware not-a-virus:AdWare.Win32.HotBar.bq File: C:\WINDOWS\system32\xuaiaqri.exe detected: adware not-a-virus:AdWare.Win32.HotBar.bi File: C:\WINDOWS\system32\zrozspsd.exe/data0018/data0003/UPX detected: adware not-a-virus:AdWare.Win32.HotBar.bi File: C:\WINDOWS\system32\zrozspsd.exe/data0018/data0004 Events ------ Time Name Status Reason ---- ---- ------ ------ Statistics ---------- Object Scanned Detected Untreated Deleted Moved to Quarantine Archived Compressed Password protected Corrupted ------ ------- -------- --------- ------- ------------------- -------- ---------- ------------------ --------- All Hard Drives 48399 5 5 0 0 115 5 265 0 Settings -------- Name Value ---- ----- Security Level Recommended Action Prompt for action when the scan is complete File types All Scan new and changed files only No Scan archives All Scan embedded OLE objects All Skip if object is greater than No Skip if scan takes longer than No Parse e-mail formats No Scan password-protected archives No Enable iChecker technology Yes Enable iSwift technology Yes Show detected threats on "Detected" tab Yes

11-28-2006, 10:01 AM	#8 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Administrator - 06-11-28 8:56:52.35 Service Pack 2 ComboFix 06.11.28W - Running from: "C:\Documents and Settings\Administrator\Desktop" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\components C:\Program Files\Common Files\{80AC8B4F-07DA-1033-0614-050709040001} ((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 )))))))))))))))))))))))))))))))))) 2006-11-28 08:54 616 --a------ C:\Combo.bat (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-11-28 08:56 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Xfire 2006-11-28 08:53 -------- d-------- C:\Program Files\Common Files 2006-11-27 21:56 -------- d---s---- C:\Program Files\Xfire 2006-11-27 21:51 -------- d-------- C:\Program Files\Internet Explorer 2006-11-27 21:44 -------- d-------- C:\Program Files\DaemonTools_WhenUSaveNow_Installer 2006-11-27 19:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll 2006-11-27 18:04 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft 2006-11-27 17:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Skype 2006-11-27 17:01 -------- d-------- C:\Program Files\Steam 2006-11-27 16:39 -------- d-------- C:\Program Files\mIRC 2006-11-26 21:54 1007344 ---hs---- C:\WINDOWS\system32\dfhkj.bak2 2006-11-26 21:20 -------- d-------- C:\Program Files\Movie Maker 2006-11-26 21:20 -------- d-------- C:\Program Files\DivX 2006-11-26 20:47 -------- d-------- C:\Program Files\Trillian 2006-11-14 21:03 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-11-11 00:44 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment 2006-11-08 19:56 -------- d-------- C:\Program Files\HLSW 2006-10-19 16:14 67604 --a------ C:\WINDOWS\system32\bltjlhci.exe 2006-10-03 11:28 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Media Player Classic 2006-10-03 10:13 -------- dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo! 2006-09-28 14:49 -------- d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire 2006-09-28 14:27 73748 --a------ C:\WINDOWS\system32\fusxnywh.dll 2006-09-25 12:14 143380 --a------ C:\WINDOWS\system32\ilfxsymw.exe 2006-09-25 12:13 820157 ---hs---- C:\WINDOWS\system32\dfhkj.bak1 2006-09-20 10:50 94720 --a------ C:\WINDOWS\system32\lhnjsrk.dll 2006-09-20 05:58 577588 ---hs---- C:\WINDOWS\system32\jkhfd.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\"" @="" [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\ 00,00,01,00,00,00 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk] "path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup" "location"="Startup" "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE " "item"="Adobe Gamma" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Fantastic Flame Agent.lnk" "backup"="C:\\WINDOWS\\pss\\Fantastic Flame Agent.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\FANTAS~1\\FANTAS~2.EXE " "item"="Fantastic Flame Agent" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WarpSpeeder Tray Icon.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WarpSpeeder Tray Icon.lnk" "backup"="C:\\WINDOWS\\pss\\WarpSpeeder Tray Icon.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\WARPSP~1\\BSTRAY~1.EXE " "item"="WarpSpeeder Tray Icon" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk" "backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE " "item"="WinZip Quick Pick" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="avgcc" "hkey"="HKLM" "command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="VM305_STI" "hkey"="HKLM" "command"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="daemon" "hkey"="HKLM" "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSaveNow_Installer] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DaemonTools_WhenUSaveNow_Installer" "hkey"="HKLM" "command"="C:\\Program Files\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hpcmpmgr" "hkey"="HKLM" "command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="HPWuSchd2" "hkey"="HKLM" "command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="hpztsb10" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="InCD" "hkey"="HKLM" "command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="dumprep 0 -k" "hkey"="HKLM" "command"="%systemroot%\\system32\\dumprep 0 -k" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lhnjsrk.dll] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="lhnjsrk" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lhnjsrk.dll,tbtytxe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msmsgs" "hkey"="HKCU" "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NvCpl" "hkey"="HKLM" "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NvMcTray" "hkey"="HKLM" "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="nwiz" "hkey"="HKLM" "command"="nwiz.exe /install" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PWRISOVM" "hkey"="HKLM" "command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PDVDServ" "hkey"="HKLM" "command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Skype" "hkey"="HKCU" "command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="smc" "hkey"="HKLM" "command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SOUNDMAN" "hkey"="HKLM" "command"="SOUNDMAN.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Blocker for Outlook Express] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SBInst" "hkey"="HKLM" "command"="C:\\PROGRA~1\\SPAMBL~1\\Bin\\480~1.0\\SBInst.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SbOEAddOn" "hkey"="HKLM" "command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbOEAddOn.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="spydoctor" "hkey"="HKCU" "command"="\"C:\\Program Files\\Spyware Doctor\\spydoctor.exe\" /Q" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Steam" "hkey"="HKCU" "command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="jusched" "hkey"="HKLM" "command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvaqhgck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="xuaiaqri" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\xuaiaqri.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uhvjsul.dll] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="uhvjsul" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\uhvjsul.dll,mrpmvyf" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AdobeUpdateManager" "hkey"="HKCU" "command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdS7_0_7 -reboot 1" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="dumprep 0 -u" "hkey"="HKLM" "command"="%systemroot%\\system32\\dumprep 0 -u" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SbWeatherOnTray" "hkey"="HKLM" "command"="C:\\Program Files\\SpamBlockerUtility\\Bin\\4.8.0.0\\SbWeatherOnTray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Save" "hkey"="HKCU" "command"="\"C:\\Program Files\\Save\\Save.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winexes] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="server" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\server.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="YahooMessenger" "hkey"="HKCU" "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="zango" "hkey"="HKLM" "command"="\"c:\\program files\\zango\\zango.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 Completion time: 06-11-28 9:00:49.18 C:\ComboFix.txt ... 06-11-28 09:00 C:\ComboFix2.txt ... 06-11-28 08:53

11-28-2006, 10:07 AM	#9 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Logfile of HijackThis v1.99.1 Scan saved at 9:07:44 AM, on 11/28/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\Xfire\Xfire.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\glaz.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO.dll O2 - BHO: (no name) - {DF5C3FF2-C151-4A7F-9787-DC67A6D7183C} - C:\WINDOWS\system32\jkhfd.dll O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\macoejhg.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe O8 - Extra context menu item: Download all links using BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing) O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

11-28-2006, 10:08 AM	#10 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Active Virus Shield Ad-Aware SE Personal Adobe Bridge 1.0 Adobe Common File Installer Adobe Flash Player 9 ActiveX Adobe Help Center 1.0 Adobe Photoshop CS2 Adobe Reader 7.0.8 Adobe Stock Photos 1.0 Belarc Advisor 7.1 BitComet 0.77 Client Fix 1.9.2 CMN3 Dawn DivX DivX Converter DivX Player DivX Web Player DVC305 DVD Decrypter (Remove Only) Fantastic Flame Screensaver ffdshow FLV Player 1.3.3 Fraps (remove only) Guild Wars HijackThis 1.99.1 HLSW v1.0.0.50 HP Deskjet 6500 HP Software Update Huffyuv AVI lossless video codec (Remove Only) iTunes J2SE Runtime Environment 5.0 Update 6 Lavasoft VX2 Cleaner LimeWire 4.10.9 MAIET entertainment - Gunz MaxBlast 4 Microsoft .NET Framework 1.1 mIRC Mozilla Firefox (2.0) Nero Suite NVIDIA Drivers Oblivion Panda ActiveScan PowerDVD PowerISO QuickTime RealPlayer Realtek AC'97 Audio Security Task Manager 1.7 Skype 2.5 Smart Guardian SmartFTP Client 2.0 SmartFTP Client 2.0 Setup Files (remove only) Sony DVD Architect 3.0 Sony Vegas 6.0 Spybot - Search & Destroy 1.4 Spyware Doctor 2.1 Steam Sygate Personal Firewall Trillian UltraISO 8.0 Premium Edition Ventrilo Client Ventrilo Server VideoLAN VLC media player 0.8.5 VIMICRO USB PC Camera V VobSub v2.23 (Remove Only) WarpSpeeder Winamp (remove only) WinAVIVideoConverter Windows Media Format Runtime Windows Media Player 10 Windows XP Service Pack 2 WinRAR archiver WinZip World of Warcraft XBC 5.1 Xfire (remove only) XviD MPEG-4 Video Codec

11-28-2006, 10:15 AM	#11 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.tradedoubler.com/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[.z1.adserver.com/] Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[adserver.filefront.com/] Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[c5.zedo.com/] Spyware:Cookie/Dbbsrv Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\iwxeqv8b.default\cookies.txt[dbbsrv.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Desktop\oldoblivion\oldblivion.exe Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\hfivfssk.dll Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lctlmkdu.dll Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\mxpiiywh.dll Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\pltnupah.dll Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\tbfevlwy.dll Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tradedoubler.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.advertising.com/] Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adultfriendfinder.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter3.sextracker.com/] Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.cs.sexcounter.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter4.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter7.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter2.sextracker.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.overture.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.realmedia.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-us.falkag.net/] Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.zedo.com/] Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adrevolver.com/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sexlist.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.com.com/] Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[citi.bridgetrack.com/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.2o7.net/] Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.bluestreak.com/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.hitbox.com/] Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.addynamix.com/] Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.did-it.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/] Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.maxserving.com/] Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.belnk.com/] Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.z1.adserver.com/] Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.revenue.net/] Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-eu.falkag.net/] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.toplist.cz/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.perf.overture.com/] Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\bltjlhci.exe Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\fusxnywh.dll Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ilfxsymw.exe Possible Virus. Not disinfected C:\WINDOWS\system32\jkhfd.dll Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\srybqetk.exe

11-28-2006, 10:42 AM	#14 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Thank you. It's going to take me a bit of time to go through all these reports and prepare the next set of fixes for you. I expect to have a reply ready for you within the hour. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-28-2006, 11:23 AM	#15 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Ok, here we go with round 2. Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. ************************************************* Download KillBox. (it's important that you get version v2.0.0.175) ------------ Download the attached glaze.zip file to your desktop. Do not run it just yet. ------------------------------------- Close any open browsers. ------------------------------------- Double click on the glaze.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry. ------------------------------------- Launch KillBox.exe & select the following options: delete on Reboot Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\WINDOWS\system32\xuaiaqri.exe C:\WINDOWS\system32\zrozspsd.exe C:\WINDOWS\system32\bltjlhci.exe C:\WINDOWS\system32\ilfxsymw.exe C:\WINDOWS\system32\srybqetk.exe C:\WINDOWS\system32\server.exe C:\Documents and Settings\Administrator\Desktop\unused\BSINSTALL(2).exe Go to the File menu, and choose Paste from Clipboard** Click on the dropdown menu next to Full Path of File to Delete field. Verify that the filenames you pasted are found there Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File Click the RED X button. Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run [b]missingfilesetup.exe[/color]. Then try Killbox again. ----------------------------------- Using My Computer, navigate to and delete the following Folders if they still exist. C:\Program Files\ DaemonTools_WhenUSaveNow_Installer C:\Program Files\ Save c:\program files\ zango ----------------------------------- Clear Mozilla Firefox cookies: Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear ----------------------------------- Clear Internet Explorer Cookies: (you do not need to be connected to the internet to perform this) Launch Internet Explorer>Tools>Internet Options>Delete Cookies ----------------------------------- Click Start then Run then copy/paste the entire text below into the Run box then click OK "%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh When finished, it shall produce a log for you. We'll need that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ----------------------------------- After the reboot, run another online scan at Panda and save the report. ----------------------------------- Run another scan with glaze.exe and save the log. ----------------------------------- Please include the following in your next reply: ComboFix.txt Panda results New HijackThis log (glaze.exe) How is your system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 12-30-2006 at 05:34 PM.

11-28-2006, 11:50 AM	#17 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	It appears you are double clicking combofix.exe to run it--that is not how we need to use it at this moment. It needs to be run like this: Click Start then Run then copy/paste the entire text below into the Run box then click OK: "%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh When finished, it shall produce a log for you. We'll need that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

11-28-2006, 12:20 PM	#18 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	Incident Status Location Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Desktop\oldoblivion\oldblivion.exe Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tradedoubler.com/] Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.casalemedia.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.advertising.com/] Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adultfriendfinder.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter3.sextracker.com/] Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.cs.sexcounter.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter4.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter7.sextracker.com/] Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[counter2.sextracker.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.overture.com/] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.trafficmp.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.realmedia.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-us.falkag.net/] Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.zedo.com/] Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.adrevolver.com/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.sexlist.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.com.com/] Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[citi.bridgetrack.com/] Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.2o7.net/] Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.bluestreak.com/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.hitbox.com/] Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.ads.addynamix.com/] Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.did-it.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/] Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.qksrv.net/] Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.apmebf.com/] Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.maxserving.com/] Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.belnk.com/] Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.z1.adserver.com/] Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.revenue.net/] Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.as-eu.falkag.net/] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.toplist.cz/] Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\1ikgh680.default\cookies.txt[.perf.overture.com/] Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe

11-28-2006, 02:36 PM	#19 (permalink)
glaz3 Registered User Join Date: Apr 2006 Posts: 43 OS: Vista Home	I'm trying to use combofix but it freezes and when i go to add remove program I get the "blue screen"

11-28-2006, 04:40 PM	#20 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,979 OS: WinXP and Vista	Hi, I need more detail--as much as you can provide: 1. Are you copy/pasting this command--exactly as shown in the bold red text--into the Run box? "%userprofile%\desktop\combofix.exe" /v jkhfd macoejhg lhnjsrk uhvjsul fusxnywh 2. What do you mean by combofix is freezing? What does it say in the combofix screen? 3. I have not sent you into the Add/Remove panel yet--what are you trying to uninstall? 4. Have you run Killbox yet? Did you have any difficulties with that step? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."