my hijackthis log


21 replies to this topic

#1 goatfig


    Member

  • Full Member
  • 11 posts

Posted 04 February 2007 - 03:01 PM

My computer sometimes gets slow, and I could never figure out why. Another problem I have is that when I try to reinstall, uninstall, or shut down Zone Alarm, my computer says it can't find an image and asks me to insert a disk into the drive. But after I get through the errors I can't open any files (it says the files are not a valid Win32 application); by files I mean IE, Firefox, My Documents / Computer. Lastly, when I go to try to restart my computer it only gives me the option of logging off (the log off never completes and I end up just pulling the power).


Thanks for the help,
I really appreciate it.

here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:17 PM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ali\My Documents\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#2 SWI Support Robot


    Helper robot

  • SWI Bot
  • 23,533 posts

Posted 07 February 2007 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Scorpex


    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 13 February 2007 - 09:42 PM

Hi goatfig – Welcome to SpywareInfo!

Sorry for the delayed response. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.


Please run HijackThis and click "Do a system scan only". Place a check next to the following entry:

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Close all browser and other windows except for HijackThis, and click "Fix Checked".



Open Task Manager by pressing Ctrl+Alt+Delete.
Click on the Processes tab and look in the Image Name column for these two processes:

cisvc.exe
cidaemon.exe


Let me know what it says under the CPU and Memory Usage columns for each process (mentioned above).


Post a new HijackThis log


Scorpex
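A defender-side triage helper, added here as an example and not code from this thread or from HijackThis itself: it parses entry lines in the HijackThis v1.99.1 format posted above and flags the pattern Scorpex singled out (an O16 DPF ActiveX download served from a bare IP address), plus "(file missing)" references and O23 services that report no publisher. The sample lines are constructed in the style of the posted log; the reasons it prints are review prompts, not verdicts.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the log
# posted in this thread (the bare-IP O16 entry is the one the helper flagged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed benign control) - http://example.com/plugin.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# One HijackThis entry: a section code (R1, O4, O16, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_entries(text):
    """Return (section, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def review(text):
    """Flag entries worth a second look; returns (section, reason, detail) tuples."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O16":
            # O16 = Downloaded Program Files (ActiveX). A control fetched from a
            # bare IP instead of a vendor domain is the pattern the helper fixed.
            for url in URL_RE.findall(body):
                if host_is_ip_literal(url):
                    findings.append((section, "ActiveX control downloaded from bare IP host", url))
        if "(file missing)" in body:
            findings.append((section, "entry references a file that is no longer present", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service has no publisher string; verify the binary", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in review(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```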

#4 goatfig


    Member

  • Full Member
  • 11 posts

Posted 18 February 2007 - 03:35 PM

cisvc.exe CPU: 00, mem usage: 500K-2000K

cidaemon.exe CPU: 00, mem usage: 600K-2000K

The memory was changing now and then for both programs; however, the CPU stayed very consistent at 0.

My new log file looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 3:34:16 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iFinger\iFinger.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ali\My Documents\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



P.S. Thanks for the help.

#5 Scorpex


    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 23 February 2007 - 07:35 PM

Hi goatfig,

I apologize for the delay!


I just want to make sure I understand what’s going on.
Is this correct? Your system runs OK, although a little slow at times. The other issues you describe (see quote below) only happen when you stop/uninstall/reinstall Zone Alarm.

Another problem I have is that when I try to reinstall, uninstall, or shut down Zone Alarm, my computer says it can't find an image and asks me to insert a disk into the drive. But after I get through the errors I can't open any files (it says the files are not a valid Win32 application); by files I mean IE, Firefox, My Documents / Computer. Lastly, when I go to try to restart my computer it only gives me the option of logging off (the log off never completes and I end up just pulling the power).


Which version of Zone Alarm are you using?


Also, since the original HijackThis log you posted contained traces of Malware, please do the following:

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes, the Current Status will show "Update successful".
AVG Anti-Spyware Scan
  • Click on the Scanner tab at the top.
  • Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan.
  • Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left-hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Download ComboScan to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl A then Ctrl C) and paste (Ctrl V) the contents of ComboScan.txt in your next reply.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • In a separate reply, please post the contents of C:\ComboScan\Supplementary.txt.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


Post the AVG Anti-Spyware Scan results and the contents of ComboScan.txt

Then

Post the contents of C:\ComboScan\Supplementary.txt in a separate reply (in this topic)


Scorpex

#6 Scorpex


    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 23 March 2007 - 11:07 PM

Due to the lack of feedback this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

#7 cnm


    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 24 March 2007 - 09:26 PM

Reopened at request of topic owner.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#8 goatfig


    Member

  • Full Member
  • 11 posts

Posted 24 March 2007 - 09:51 PM

Sorry for not replying, I was out of town.
The Zone Alarm version I have is:
ZoneAlarm version: 6.5.722.000
TrueVector version: 6.5.722.000
Driver version: 6.5.722.000

I know they are outdated but I cannot update them.
The AVG scan report is:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:53:57 PM 3/24/2007

+ Scan result:



C:\WINDOWS\SYSTEM32\k404SearchSetup_MS28.exe -> Adware.404Search : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
C:\Documents and Settings\Ali\My Documents\learning to type\MavisBeacon16-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Ali\Local Settings\Temp\temp.fr89F6 -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\in10b6s.dll -> Dropper.Mudrop.v : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.102:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.103:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.104:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.179:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Marya\Cookies\marya@ad.admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.121:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.122:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.123:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.124:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.125:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Marya\Cookies\marya@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Marya\Cookies\marya@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Fatima\Cookies\fatima@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Marya\Cookies\marya@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned.
:mozilla.28:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.30:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.31:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.32:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.232:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.233:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.234:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Ali\Local Settings\Temp\Cookies\ali@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.180:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.46:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Marya\Cookies\marya@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.86:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.87:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.88:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.89:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.90:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.91:C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end

The ComboScan.txt had this:

ComboScan v20070306.20 run by Ali on 2007-03-24 at 20:56:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
30: 2007-03-25 01:56:59 UTC - RP41 - ComboScan Restore Point
29: 2007-03-24 19:43:19 UTC - RP40 - System Checkpoint
28: 2007-03-23 00:37:05 UTC - RP39 - System Checkpoint
27: 2007-03-22 00:25:29 UTC - RP38 - System Checkpoint
26: 2007-03-20 23:57:15 UTC - RP37 - System Checkpoint


-- First Restore Point --
1: 2007-02-24 01:31:47 UTC - RP12 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Ali.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:57:38 PM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ali\My Documents\comboscan.exe
C:\DOCUME~1\Ali\MYDOCU~1\hjt\HIJACK~1\Ali.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174096784558
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Ali\MYDOCU~1\hjt\HIJACK~1\backups\) ---

backup-20070218-152523-974 O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R A3AB (D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)) - C:\WINDOWS\SYSTEM32\DRIVERS\A3AB.sys
4S agpCPQ (Compaq AGP Bus Filter) - C:\WINDOWS\SYSTEM32\DRIVERS\agpcpq.sys
4S alim1541 (ALI AGP Bus Filter) - C:\WINDOWS\SYSTEM32\DRIVERS\alim1541.sys
4S amdagp (AMD AGP Bus Filter Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\amdagp.sys
2R ANIO (ANIO Service) - C:\WINDOWS\SYSTEM32\ANIO.sys
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\SYSTEM32\DRIVERS\arp1394.sys
3R ati2mtag - C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys
3R bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys
4S cbidf - C:\WINDOWS\SYSTEM32\DRIVERS\cbidf2k.sys
1R Cdr4_xp - C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
1R Cdralw2k - C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
1R cdudf_xp - C:\WINDOWS\SYSTEM32\DRIVERS\Cdudf_xp.sys
4S dac2w2k - C:\WINDOWS\SYSTEM32\DRIVERS\dac2w2k.sys
3S DSXUSB (DSXUSB Device) - C:\WINDOWS\SYSTEM32\DRIVERS\DSXUSB.sys
1R DVDVRRdr_xp - C:\WINDOWS\SYSTEM32\DRIVERS\DVDVRRdr_xp.sys
3S dvd_2K - C:\WINDOWS\SYSTEM32\DRIVERS\dvd_2k.sys
3S EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - C:\WINDOWS\system32\DRIVERS\el90xbc5.sys (not found)
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
3S i81x - C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys
3S iAimFP0 - C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys
3S iAimFP1 - C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys
3S iAimFP2 - C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys
3S iAimFP3 - C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys
3S iAimFP4 - C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys
3S iAimTV0 - C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys
3S iAimTV1 - C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys
3S iAimTV2 - C:\WINDOWS\system32\DRIVERS\wATV03nt.sys (not found)
3S iAimTV3 - C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys
3S iAimTV4 - C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\intelppm.sys
3S mmc_2K - C:\WINDOWS\SYSTEM32\DRIVERS\mmc_2k.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2R MxlW2k - C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
3R NaiAvFilter1 - C:\WINDOWS\SYSTEM32\DRIVERS\naiavf5x.sys
1R NaiAvTdi1 - C:\WINDOWS\SYSTEM32\DRIVERS\mvstdi5x.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\nic1394.sys
1R NPPTNT2 - C:\WINDOWS\SYSTEM32\npptNT2.sys
3S nv - C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys
2R NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkipx.sys
2R NwlnkNb (NWLink NetBIOS) - C:\WINDOWS\SYSTEM32\DRIVERS\nwlnknb.sys
2R NwlnkSpx (NWLink SPX/SPXII Protocol) - C:\WINDOWS\SYSTEM32\DRIVERS\nwlnkspx.sys
0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\SYSTEM32\DRIVERS\ohci1394.sys
1R omci (OMCI WDM Device Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
1S P3 (Intel PentiumIII Processor Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\p3.sys
3S PalmUSBD - C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys
3R Ptserial (W2K Pctel Serial Device Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\ptserial.sys
1R pwd_2k - C:\WINDOWS\SYSTEM32\DRIVERS\Pwd_2k.sys
0R PxHelp20 - C:\WINDOWS\SYSTEM32\DRIVERS\pxhelp20.sys
3S SDDMI2 - C:\WINDOWS\SYSTEM32\DDMI2.sys
4S sisagp (SIS AGP Bus Filter) - C:\WINDOWS\SYSTEM32\DRIVERS\sisagp.sys
0R srescan - C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
3R STAC97 (Audio Driver (WDM) - SigmaTel CODEC) - C:\WINDOWS\SYSTEM32\DRIVERS\STAC97.sys
3S StMp3Rec (Player Recovery Device Control Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
3R SynTP (Synaptics TouchPad Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\SynTP.sys
1R Tcpip6 (Microsoft IPv6 Protocol Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys
3S TIEHDUSB - C:\WINDOWS\SYSTEM32\DRIVERS\tiehdusb.sys
3R tunmp (Microsoft Tun Miniport Adapter Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\tunmp.sys
1R UDFReadr - C:\WINDOWS\SYSTEM32\DRIVERS\Udfreadr.sys
3S usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\SYSTEM32\DRIVERS\usbaudio.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbstor.sys
4S viaagp (VIA AGP Bus Filter) - C:\WINDOWS\SYSTEM32\DRIVERS\viaagp.sys
0R Vmodem (W2k Vmodem) - C:\WINDOWS\SYSTEM32\DRIVERS\vmodem.sys
0R Vpctcom (W2k Vpctcom) - C:\WINDOWS\SYSTEM32\DRIVERS\vpctcom.sys
1R vsdatant - C:\WINDOWS\SYSTEM32\vsdatant.sys
0R Vvoice (W2k Vvoice) - C:\WINDOWS\SYSTEM32\DRIVERS\vvoice.sys
1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\SYSTEM32\DRIVERS\ws2ifsl.sys
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\SYSTEM32\DRIVERS\WudfRd.sys
3R EntDrv51 - C:\WINDOWS\SYSTEM32\DRIVERS\entdrv51.sys
1S AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\System32\Ati2evxx.exe
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2R McAfeeFramework (McAfee Framework Service) - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
2R McShield (Network Associates McShield) - "C:\Program Files\Network Associates\VirusScan\mcshield.exe"
2R McTaskManager (Network Associates Task Manager) - "C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"
3S MSCSPTISRV - "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe"
2R NwSapAgent (SAP Agent) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S PACSPTISVR - "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe"
3S SPTISRV (Sony SPTI Service) - "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe"
3S usprserv (User Privilege Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R vsmon (TrueVector Internet Monitor) - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-24 18:00:01 392 --ah----- C:\WINDOWS\Tasks\{17B1741E-5BE5-47EC-9F50-E4C703AEE0AE}_ALIUNWALA_Ali.job<{17B17~1.JOB>
2007-03-24 17:20:33 396 --ah----- C:\WINDOWS\Tasks\{906CB1B0-C718-42BB-B35D-D4E172C3AEB2}_ALIUNWALA_Ishaq.job<{906CB~1.JOB>
2007-03-24 17:20:31 398 --ah----- C:\WINDOWS\Tasks\{8779B961-6AA0-4EE7-9AE4-39E03DC8ABC9}_ALIUNWALA_Fatima.job<{8779B~1.JOB>


-- Files created between 2007-02-24 and 2007-03-24 -----------------------------

2007-03-24 17:33:48 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-24 17:33:27 0 d-------- C:\Program Files\Grisoft
2007-03-18 23:59:21 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-11 16:45:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Broderbund<BRODER~1>
2007-03-11 16:43:58 0 d-------- C:\Program Files\Broderbund<BRODER~1>
2007-03-11 16:22:32 0 d-------- C:\Downloads<DOWNLO~1>
2007-03-06 21:52:11 0 d-------- C:\Documents and Settings\Ali\Application Data\TypingMaster7<TYPING~1>
2007-03-06 21:51:54 0 dr------- C:\Program Files\TypingMaster<TYPING~1>
2007-03-05 22:53:33 0 d-------- C:\Documents and Settings\Ali\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-03-05 22:49:17 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>


-- Find3M Report ---------------------------------------------------------------

2007-03-21 23:36:44 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-20 23:26:58 71304 --a----c- C:\Documents and Settings\Ali\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-03-05 00:23:54 0 d-------- C:\Documents and Settings\Ali\Application Data\Adobe
2007-02-24 18:29:36 107134 --a------ C:\WINDOWS\UninstallFirefox.exe<UNINST~1.EXE>
2007-02-24 18:29:34 4343 --a----c- C:\WINDOWS\mozver.dat
2007-02-22 23:28:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-22 23:17:44 0 d-------- C:\Program Files\ExtractNow<EXTRAC~1>
2007-02-22 23:12:35 0 d-------- C:\Documents and Settings\Ali\Application Data\AdobeUM
2007-02-22 19:04:06 4272 --a------ C:\Documents and Settings\Ali\Application Data\.googlewebacchosts<GOOGLE~1>
2007-02-03 22:46:07 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-29 19:39:53 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-29 19:29:34 0 d-------- C:\Program Files\Napster
2007-01-29 19:29:09 0 d-------- C:\Program Files\Common Files\Roxio Shared<ROXIOS~1>
2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ali^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
"path"="C:\\Documents and Settings\\Ali\\Start Menu\\Programs\\Startup\\SDK Tray Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\SDK Tray Menu.lnkStartup"
"location"="Startup"
"command"="C:\\Sun\\SDK\\jdk\\bin\\javaw.exe -Xms2m -Dadmin.port=4848 -cp \"C:\\Sun\\SDK\\lib\\jdic\\jdic.jar;C:\\Sun\\SDK\\lib\\install\\tray\\tray.jar;C:\\Sun\\SDK\\lib\\appserv-rt.jar;.\" Tray"
"item"="SDK Tray Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run Google Web Accelerator.lnk"
"backup"="C:\\WINDOWS\\pss\\Run Google Web Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\WEBACC~1\\GOOGLE~2.EXE "
"item"="Run Google Web Accelerator"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aapp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adprot"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\adprot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCSService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WZCSLDR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dadapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickSet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\QuickSet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kdx\\KHost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pctspk"
"hkey"="HKLM"
"command"="pctspk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rb32 ml710e]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rb32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\RapidBlaster\\rb32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=dword:00000003
"vsmon"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktop"=dword:00000000
"NoActiveDesktop"=dword:00000000
"HideClock"=dword:00000000
"NoManageMyComputerVerb"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"StartmenuLogoff"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinters"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoClose"=dword:00000000
"NoSetFolders"=dword:00000000
"NoSMHelp"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoFileMenu"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://active.ieplug...ctive/?17337507

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1de019b-a9b2-11da-beb1-000f3daa1a5f}]
Shell\AutoRun\command E:\setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.enliven.com

683 more entries in hosts file.


-- End of ComboScan: finished at 2007-03-24 at 20:58:41 ------------------------


The next post will be the supplementary.txt.

#9 goatfig

Posted 24 March 2007 - 09:53 PM

ComboScan v20070306.20 run by Ali on 2007-03-24 at 20:56:43
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 383.33 MiB / 126.23 MiB
Pagefile Memory (total/avail): 2343.89 MiB / 1964.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1996.23 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 8.05 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v6.5.722.000 (Zone Labs, Inc.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ali\Application Data
CLASSPATH="C:\WINDOWS\System32\QTJava.zip"
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ALI
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ali
LOGONSERVER=\\ALI
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared;xe2\WindowsNativ
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\WINDOWS\System32\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ali\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ali\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=ALI
USERNAME=Ali
USERPROFILE=C:\Documents and Settings\Ali
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ali (admin)
Marya (admin)
Ishaq (admin)
Fatima (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst -y -a -f"b2003ce.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AccessDirect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{417B79C9-CDB4-477F-952D-840CEFC57A6C}\setup.exe" -l0x9
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
AirPlus Xtreme G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{79B92240-9C65-4DD7-B1AD-59910D2C1353}
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74FCFEA6-7447-4BDB-BFEC-FF195AA62A13}\Setup.exe"
AOL Instant Messenger --> C:\PROGRA~1\AIM\uninstll.exe -LOG= C:\PROGRA~1\AIM\install.log -OEM=
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitTornado 0.3.7 --> C:\Program Files\BitTornado\uninst.exe
Britannica Ready Reference --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45893FEB-30FD-4034-8661-3BA4238FE67A}\SETUP.EXE" -l0x9 -uninst
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
CNET Download Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{0B4686AE-A1A7-4477-B8EA-65033218474E}" -l0x9 /ku /kp /kc
Combined Community Codec Pack 2005-12-21 (Remove Only) --> C:\Program Files\Combined Community Codec Pack\Uninstall.exe
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Web Accelerator --> MsiExec.exe /X{FF2D46CF-122C-47D8-9846-037C59E7144D}
Haali Media Splitter --> "C:\Program Files\Matroska Pack\haali\uninstall.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\Ali\My Documents\hjt\hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
iFinger 2.0 --> C:\PROGRA~1\iFinger\UNWISE.EXE C:\PROGRA~1\iFinger\INSTALL.LOG
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
JCreator LE 3.50 --> "C:\Program Files\Xinox Software\JCreatorV3LE\unins000.exe"
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Matroska Pack --> C:\Program Files\Matroska Pack\uninstall.exe
Mavis Beacon Teaches Typing 16 --> C:\PROGRA~1\BRODER~1\MAVISB~1\UNWISE.EXE C:\PROGRA~1\BRODER~1\MAVISB~1\INSTALL.LOG
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Musicnotes Player V1.22.3 --> "C:\Program Files\Musicnotes\Player\unins000.exe"
Olympus DSS Player 2002 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E6BBAA-25E6-4BFC-9613-75A5CACE2940}\setup.exe" -l0x9 UNINSTALL
OpenMG AAC Add-on Module 1.0.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} UNINSTALL
OpenMG Limited Patch 4.5-06-05-12-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.5-06-05-12-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.5.01 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{3633BA28-67CE-4AC8-A677-3406CA84C3D8} UNINSTALL
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm --> MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}
PCTEL 2304WT V.92 MDC Modem Drivers --> ptuninst.exe
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL
QuickSync --> MsiExec.exe /I{137BBE0A-E9F9-4B7E-BC11-D52E037EF896}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickTime\DeIsL1.isu" -c"C:\WINDOWS\System32\QTUninst.dll
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio Easy Media Creator 7 Basic DVD Edition --> MsiExec.exe /I{747D1B34-A1FC-4EF3-A6AE-E86F39CEFDE5}
Secure Delivery --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\kdx\kdx.inf,DefaultUninstall,5
Security Task Manager 1.7 --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SplashPhoto --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A96D3ED0-E7B3-41F6-8BB5-F3C63D80901D}\setup.exe" -l0x9
Spybot - Search & Destroy 1.2 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
TypingMaster Pro --> "C:\Program Files\TypingMaster\unins000.exe"
TypingMaster TypingTest --> "C:\Program Files\TypingMaster\TypingTest\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Messenger Explorer Bar --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
YP-MT6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{958B4AE2-66A7-4709-AB0D-5EAB812D66AE}\setup.exe" -l0x9
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of ComboScan: finished at 2007-03-24 at 20:58:41 ------------------------

#10 Scorpex
Forum Deity, Retired Staff, 1,386 posts

Posted 24 March 2007 - 11:51 PM

Hi goatfig,

I was notified that this topic was reopened. I’ll look over the logs you posted (takes a little bit of time).

Is that the Free version of Zone Alarm?

If at any time you notice your system suddenly bogs down, go into Task Manager and see if you can determine which process is using a significant amount of memory (also check CPU%)


I'll look over your logs and get back to you

Scorpex

#11 goatfig
Member, Full Member, 11 posts

Posted 25 March 2007 - 11:11 AM

that is the free version of zone alarm.

occasionally the process in windows that creates error reports would take up 99% of the cpu, so i would go in and just "end process", but that has not happened in a while. another error i occasionally get is "Driver IRQL NOT LESS OR EQUAL", which gives me a blue screen and then shuts down the computer (it may restart... i can't remember)

thanks for the help

#12 Scorpex
Forum Deity, Retired Staff, 1,386 posts

Posted 26 March 2007 - 11:48 PM

Hi goatfig,

Click Start > Run > and type in notepad and click OK
Copy and paste the text in the quote box into the Notepad window (including the REGEDIT4):
(Note: copy and paste from REGEDIT4 down – Don’t include the word quote from the quote box)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aapp]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rb32 ml710e]


Click File and then select Save As
In the ‘Save in’ box - Save it to your Desktop
In the ‘File name’ box – type in fix.reg
In the ‘Save as type’ box - use the drop down arrow and select All Files
Click Save
Close Notepad

The fix.reg file on your Desktop should look like this: [image]

Double Click fix.reg on your Desktop
When it asks you if you want to merge the contents to the registry, click yes/ok.
A window saying “Information in fix.reg has been successfully entered into the registry” should come up – Click OK.


In Windows Explorer, Delete the following Folders (if present)
C:\Program Files\RapidBlaster


In Windows Explorer, Delete the following Files (if present)
C:\windows\system32\adprot.exe



Click Start > Control Panel. When the Control Panel Window opens – Double-click Scheduled Tasks
When the Scheduled Tasks Window opens, click Advanced from the menu up top and make sure there’s a check mark next to View Hidden Tasks – If not, then click View Hidden Tasks

Look for _ALIUNWALA_Ali.job – Right-click it and select Properties
When the properties Window opens, the text next to Run: will be highlighted.
Right-click the highlighted text and select copy
Paste that info here on the forums



Perform an online scan with Panda ActiveScan Here

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.



Run ComboScan again
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
(you don’t need to post the Supplementary.txt this time)

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


Post the contents of the Activescan, ComboScan.txt, and the information about _ALIUNWALA_Ali.job


Scorpex

#13 goatfig
Member, Full Member, 11 posts

Posted 28 March 2007 - 07:46 PM

under _ALIUNWALA_Ali.job, from the Run box under Properties (i had some trouble finding the file because it looked like "{17B1741E-5BE5-47EC-9F50-E4C703AEE0AE}_ALIUNWALA_Ali" -- i assumed that this was the file you were looking for; the file was under scheduled tasks):
C:\WINDOWS\system32\MOBSYNC.EXE /Schedule="{17B1741E-5BE5-47EC-9F50-E4C703AEE0AE}_ALIUNWALA_Ali"


the panda scan said (i will attach the panda scan as an attachment as well; it is easier to read in notepad...):

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ali\Application Data\Mozilla\Firefox\Profiles\rrsz690u.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Ali\Cookies\ali@apmebf[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Fatima\Application Data\Mozilla\Firefox\Profiles\yl2kjumb.default\cookies.txt[.offeroptimizer.com/]
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Fatima\Cookies\fatima@offeroptimizer[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Fatima\Cookies\fatima@rn11[1].txt
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Marya\Local Settings\Temporary Internet Files\Content.IE5\ZBJCFROV\auto_update[1]
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Marya\Local Settings\Temporary Internet Files\Content.IE5\ZBJCFROV\CAAK8ODS.HTM
Adware:adware/ncase Not disinfected C:\WINDOWS\msbbi.exe



the comboscan included:

ComboScan v20070306.20 run by Ali on 2007-03-28 at 20:39:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ali.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:39:42 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ali\My Documents\comboscan.exe
C:\DOCUME~1\Ali\MYDOCU~1\hjt\HIJACK~1\Ali.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174096784558
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


-- Files created between 2007-02-28 and 2007-03-28 -----------------------------

2007-03-28 07:18:11 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-24 21:11:57 0 d-------- C:\Program Files\Java
2007-03-24 21:11:12 0 d-------- C:\Program Files\Common Files\Java
2007-03-24 17:33:48 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-24 17:33:27 0 d-------- C:\Program Files\Grisoft
2007-03-18 23:59:21 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-11 16:45:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Broderbund<BRODER~1>
2007-03-11 16:43:58 0 d-------- C:\Program Files\Broderbund<BRODER~1>
2007-03-11 16:22:32 0 d-------- C:\Downloads<DOWNLO~1>
2007-03-06 21:52:11 0 d-------- C:\Documents and Settings\Ali\Application Data\TypingMaster7<TYPING~1>
2007-03-06 21:51:54 0 dr------- C:\Program Files\TypingMaster<TYPING~1>
2007-03-05 22:53:33 0 d-------- C:\Documents and Settings\Ali\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-03-05 22:49:17 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>


-- Find3M Report ---------------------------------------------------------------

2007-03-28 19:47:45 0 d-------- C:\Program Files\Palm
2007-03-28 19:40:56 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-28 19:35:20 0 d-------- C:\Program Files\iFinger
2007-03-24 21:18:29 4343 --a----c- C:\WINDOWS\mozver.dat
2007-03-20 23:26:58 71304 --a----c- C:\Documents and Settings\Ali\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-03-05 00:23:54 0 d-------- C:\Documents and Settings\Ali\Application Data\Adobe
2007-02-24 18:29:36 107134 --a------ C:\WINDOWS\UninstallFirefox.exe<UNINST~1.EXE>
2007-02-22 23:28:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-22 23:17:44 0 d-------- C:\Program Files\ExtractNow<EXTRAC~1>
2007-02-22 23:12:35 0 d-------- C:\Documents and Settings\Ali\Application Data\AdobeUM
2007-02-22 19:04:06 4272 --a------ C:\Documents and Settings\Ali\Application Data\.googlewebacchosts<GOOGLE~1>
2007-02-03 22:46:07 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-29 19:39:53 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-29 19:29:34 0 d-------- C:\Program Files\Napster
2007-01-29 19:29:09 0 d-------- C:\Program Files\Common Files\Roxio Shared<ROXIOS~1>
2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ali^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
"path"="C:\\Documents and Settings\\Ali\\Start Menu\\Programs\\Startup\\SDK Tray Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\SDK Tray Menu.lnkStartup"
"location"="Startup"
"command"="C:\\Sun\\SDK\\jdk\\bin\\javaw.exe -Xms2m -Dadmin.port=4848 -cp \"C:\\Sun\\SDK\\lib\\jdic\\jdic.jar;C:\\Sun\\SDK\\lib\\install\\tray\\tray.jar;C:\\Sun\\SDK\\lib\\appserv-rt.jar;.\" Tray"
"item"="SDK Tray Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run Google Web Accelerator.lnk"
"backup"="C:\\WINDOWS\\pss\\Run Google Web Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\WEBACC~1\\GOOGLE~2.EXE "
"item"="Run Google Web Accelerator"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCSService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WZCSLDR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dadapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickSet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\QuickSet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kdx\\KHost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pctspk"
"hkey"="HKLM"
"command"="pctspk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=dword:00000003
"vsmon"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktop"=dword:00000000
"NoActiveDesktop"=dword:00000000
"HideClock"=dword:00000000
"NoManageMyComputerVerb"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"StartmenuLogoff"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinters"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoClose"=dword:00000000
"NoSetFolders"=dword:00000000
"NoSMHelp"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoFileMenu"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://active.ieplug...ctive/?17337507

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1de019b-a9b2-11da-beb1-000f3daa1a5f}]
Shell\AutoRun\command E:\setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


-- End of ComboScan: finished at 2007-03-28 at 20:40:12 ------------------------


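The helper in this thread works by reading the R/O entry lines of each HijackThis log and picking out the items worth a closer look. The script below is an added illustration of that first pass, not code from the thread, from HijackThis or from ComboScan: it parses the entry lines into records and flags "(file missing)" orphans, a proxy auto-config URL being set, O16 ActiveX downloads from hosts outside an assumed allowlist, and services with no publisher. The sample lines are copied from the log above except the two O16 lines, which are constructed because the O16 URLs on the page are truncated; the trusted-host list is an assumption of the example.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: entry lines copied from the log above, except the two O16
# lines, which are made up because the O16 URLs in the thread are truncated.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {00000000-0000-0000-0000-0000000000AA} (Constructed Update Control) - http://download.windowsupdate.com/constructed/sample.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000BB} (Constructed Player Control) - http://cdn.example.net/constructed/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")          # "O23 - Service: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)")           # O4: "[Name] command"
MISSING = "(file missing)"
# Hosts from which an O16 ActiveX download is considered expected.  This
# allowlist is an assumption of the example, not something HijackThis ships.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    section: str            # R1, O2, O4, O16, O23, ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # {GUID} if the entry carries one
    target: str             # file path or URL the entry points at
    file_missing: bool      # HijackThis could not find the target on disk
    raw: str


@dataclass
class Finding:
    section: str
    severity: str           # "orphan" (safe to clean) or "review" (needs a look)
    reason: str
    raw: str


def _target_of(section: str, body: str) -> str:
    """Extract the path/URL an entry refers to, without quotes or the missing marker."""
    text = body[: -len(MISSING)].rstrip() if body.endswith(MISSING) else body
    if section == "O4":                      # [Name] "C:\path\prog.exe" args
        m = RUN_RE.search(text)
        text = m.group("cmd") if m else text
    else:                                    # last " - " separated field
        text = text.split(" - ")[-1]
    if section == "R1" and " = " in text:    # "...,AutoConfigURL = http://..."
        text = text.split(" = ", 1)[1]
    text = text.strip()
    if text.startswith('"'):                 # strip quotes around a quoted path
        text = text[1:].split('"', 1)[0]
    return text


def parse(log_text: str) -> List[Entry]:
    """Turn the R/F/N/O entry lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:                            # header, process list, blank line
            continue
        section, body = m.group(1), m.group(2)
        clsid = CLSID_RE.search(body)
        entries.append(Entry(section, body, clsid.group(0).upper() if clsid else None,
                             _target_of(section, body), body.endswith(MISSING), raw))
    return entries


def _host_trusted(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the first-pass checks a log helper makes before anything else."""
    out: List[Finding] = []
    for e in entries:
        if e.file_missing:
            out.append(Finding(e.section, "orphan", "points at a file that no longer exists; leftover hook", e.raw))
        elif e.section == "R1" and "AutoConfigURL" in e.body:
            out.append(Finding(e.section, "review", f"proxy auto-config script set to {e.target}; confirm it is expected", e.raw))
        elif e.section == "O16" and not _host_trusted(e.target):
            out.append(Finding(e.section, "review", f"ActiveX download from untrusted host {urlsplit(e.target).hostname}", e.raw))
        elif e.section == "O23" and "Unknown owner" in e.body:
            out.append(Finding(e.section, "review", "service binary has no publisher; verify its origin", e.raw))
    return out


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```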
#14 goatfig
Member, Full Member, 11 posts

Posted 28 March 2007 - 09:24 PM

one other thing (in case you were wondering...)
i did not find RapidBlaster or adprot.exe

#15 Scorpex
Forum Deity, Retired Staff, 1,386 posts

Posted 30 March 2007 - 12:59 AM

Hi goatfig,

Want to get rid of all the malware before digging into this deeper

In Windows Explorer, Delete the following File (if present):
C:\WINDOWS\msbbi.exe


Kind of curious – Do you see (or did you ever see) an Active Desktop component with the name Intelligentdesktop.com?

Go to Start > Control Panel > Display
In the Display Properties Window, click the Desktop tab and then the Customize Desktop… button
In the Desktop Item Window, click the Web tab

Select the "hxxp://active.ieplugin.com/active/?17337507" entry you find in there and press the Delete button on the right.
Hit OK below, then Apply in the previous window.


Please download Ccleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


Reboot your PC


Run ComboScan again
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
(you don’t need to post the Supplementary.txt this time)

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.



Scorpex

#16 goatfig

    Member

  • Full Member
  • 11 posts

Posted 30 March 2007 - 04:43 PM

Hi.
I was able to find and delete msbbi.exe.
I could not find "hxxp://active.ieplugin.com/active/?17337507" under the Web tab; however, I found two other things there. They were "my current home page" and "intelligent explorer [ieplugin.com] OnScreen Portal". The "intelligent explorer" entry had a URL of "http://active.ieplug...com/active.cdf" under its properties. I also completed the CCleaner scan.

The ComboScan said:
ComboScan v20070306.20 run by Ali on 2007-03-30 at 17:36:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ali.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:39:42 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iFinger\iFinger.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ali\My Documents\comboscan.exe
C:\DOCUME~1\Ali\MYDOCU~1\hjt\HIJACK~1\Ali.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174096784558
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


-- Files created between 2007-02-28 and 2007-03-30 -----------------------------

2007-03-30 17:30:09 0 d-------- C:\Program Files\CCleaner
2007-03-28 07:18:11 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-24 21:11:57 0 d-------- C:\Program Files\Java
2007-03-24 21:11:12 0 d-------- C:\Program Files\Common Files\Java
2007-03-24 17:33:48 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-24 17:33:27 0 d-------- C:\Program Files\Grisoft
2007-03-18 23:59:21 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-11 16:45:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Broderbund<BRODER~1>
2007-03-11 16:43:58 0 d-------- C:\Program Files\Broderbund<BRODER~1>
2007-03-11 16:22:32 0 d-------- C:\Downloads<DOWNLO~1>
2007-03-06 21:52:11 0 d-------- C:\Documents and Settings\Ali\Application Data\TypingMaster7<TYPING~1>
2007-03-06 21:51:54 0 dr------- C:\Program Files\TypingMaster<TYPING~1>
2007-03-05 22:53:33 0 d-------- C:\Documents and Settings\Ali\Application Data\OpenOffice.org2<OPENOF~1.ORG>
2007-03-05 22:49:17 0 d-------- C:\Program Files\OpenOffice.org 2.1<OPENOF~1.1>


-- Find3M Report ---------------------------------------------------------------

2007-03-28 19:47:45 0 d-------- C:\Program Files\Palm
2007-03-28 19:40:56 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-28 19:35:20 0 d-------- C:\Program Files\iFinger
2007-03-24 21:18:29 4343 --a----c- C:\WINDOWS\mozver.dat
2007-03-20 23:26:58 71304 --a----c- C:\Documents and Settings\Ali\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-03-05 00:23:54 0 d-------- C:\Documents and Settings\Ali\Application Data\Adobe
2007-02-24 18:29:36 107134 --a------ C:\WINDOWS\UninstallFirefox.exe<UNINST~1.EXE>
2007-02-22 23:28:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-22 23:17:44 0 d-------- C:\Program Files\ExtractNow<EXTRAC~1>
2007-02-22 23:12:35 0 d-------- C:\Documents and Settings\Ali\Application Data\AdobeUM
2007-02-22 19:04:06 4272 --a------ C:\Documents and Settings\Ali\Application Data\.googlewebacchosts<GOOGLE~1>
2007-02-03 22:46:07 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-29 03:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ali^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
"path"="C:\\Documents and Settings\\Ali\\Start Menu\\Programs\\Startup\\SDK Tray Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\SDK Tray Menu.lnkStartup"
"location"="Startup"
"command"="C:\\Sun\\SDK\\jdk\\bin\\javaw.exe -Xms2m -Dadmin.port=4848 -cp \"C:\\Sun\\SDK\\lib\\jdic\\jdic.jar;C:\\Sun\\SDK\\lib\\install\\tray\\tray.jar;C:\\Sun\\SDK\\lib\\appserv-rt.jar;.\" Tray"
"item"="SDK Tray Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 2.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run Google Web Accelerator.lnk"
"backup"="C:\\WINDOWS\\pss\\Run Google Web Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\WEBACC~1\\GOOGLE~2.EXE "
"item"="Run Google Web Accelerator"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCSService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WZCSLDR"
"hkey"="HKLM"
"command"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dadapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickSet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\QuickSet\\QuickSet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kdx\\KHost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pctspk"
"hkey"="HKLM"
"command"="pctspk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=dword:00000003
"vsmon"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktop"=dword:00000000
"NoActiveDesktop"=dword:00000000
"HideClock"=dword:00000000
"NoManageMyComputerVerb"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"StartmenuLogoff"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinters"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoClose"=dword:00000000
"NoSetFolders"=dword:00000000
"NoSMHelp"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoFileMenu"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://active.ieplug...ctive/?17337507

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1de019b-a9b2-11da-beb1-000f3daa1a5f}]
Shell\AutoRun\command E:\setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


-- End of ComboScan: finished at 2007-03-30 at 17:36:43 ------------------------

#17 Scorpex

    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 30 March 2007 - 06:02 PM

Hi goatfig,

You want to remove the "intelligent explorer [ieplugin.com]OnScreen Portal" component.

Go to Start > Control Panel > Display
In the Display Properties Window, click the Desktop tab and then the Customize Desktop… button
In the Desktop Item Window, click the Web tab

Select "intelligent explorer [ieplugin.com]OnScreen Portal" and press the Delete button on the right.
Hit OK below and then Apply in the previous window.


There are quite a few startup programs disabled in MSConfig (the malware ones were removed earlier). To rule out that something was disabled that shouldn’t have been, go back into MSConfig and select Normal Startup by doing the following:

Click Start > Run, type msconfig in the Run box, and click OK.
When the System Configuration Utility window comes up, select Normal Startup.
Click Apply and then Close.
When it asks whether you want to ‘Restart’ or ‘Exit Without Restart’, select Restart.



This time, instead of running ComboScan, run the following tool (very similar):

Please download ComboFix
* Save it to your desktop.
* Double-click combofix.exe and follow the prompts.
* When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: - Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Scorpex
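The two findings Scorpex is working from in this post and in #15 (startup entries MSConfig has parked, and an Active Desktop component whose Source is a remote URL) both sit in the "Registry Dump" section of the ComboScan log posted above. The following is an added example, not part of the thread or of ComboScan: a small Python parser for that dump format that pulls both out. The sample dump inside it is constructed from the format shown above, and the URL in it is a placeholder.

```python
"""Parse the 'Registry Dump' section of a ComboScan log and report startup
entries disabled in MSConfig plus Active Desktop components with a remote
Source. Added example; not code from ComboScan or from the thread."""
import re

# Constructed excerpt in ComboScan's dump format; the URL is a placeholder.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kdx\\KHost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://active.example.invalid/active/?12345
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')  # "name"="value"
TYPED_RE = re.compile(r"^(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<val>.*)$")  # name REG_SZ value

MSCONFIG_PREFIX = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\"
ACTIVE_DESKTOP = "\\internet explorer\\desktop\\components\\"


def _unescape(val):
    # .reg-style escaping used in the dump: \\ -> \ and \" -> "
    return val.replace("\\\\", "\\").replace('\\"', '"')


def parse_registry_dump(text):
    """Return {key_path: {value_name: value}} for a ComboScan registry dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = _unescape(m.group("val"))
            continue
        m = TYPED_RE.match(line)           # the 'Source REG_SZ ...' style
        if m:
            keys[current][m.group("name")] = m.group("val")
    return keys


def msconfig_disabled(keys):
    """(kind, item, command) for entries MSConfig has disabled; they only run
    again once Normal Startup is selected, which is the check in the post."""
    out = []
    for key, values in keys.items():
        k = key.lower()
        if not k.startswith(MSCONFIG_PREFIX):
            continue
        kind = k[len(MSCONFIG_PREFIX):].split("\\", 1)[0]  # startupreg / startupfolder
        if kind in ("startupreg", "startupfolder") and values.get("command"):
            out.append((kind, values.get("item", ""), values["command"]))
    return out


def active_desktop_components(keys):
    """(key, url) for Active Desktop components whose Source is fetched remotely."""
    out = []
    for key, values in keys.items():
        if ACTIVE_DESKTOP in key.lower():
            src = values.get("Source", "")
            if src.lower().startswith(("http://", "https://")):
                out.append((key, src))
    return out


def summarize(text):
    """Parse a dump and return both findings in one dict."""
    keys = parse_registry_dump(text)
    return {"msconfig_disabled": msconfig_disabled(keys),
            "active_desktop": active_desktop_components(keys)}


if __name__ == "__main__":
    result = summarize(SAMPLE_DUMP)
    print("Disabled in MSConfig (restored by Normal Startup):")
    for kind, item, command in result["msconfig_disabled"]:
        print(f"  [{kind}] {item}: {command}")
    print("Active Desktop components with a remote Source:")
    for key, src in result["active_desktop"]:
        print(f"  {key} -> {src}")
```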

#18 goatfig

    Member

  • Full Member
  • 11 posts

Posted 31 March 2007 - 02:11 AM

I disabled all startup entries to make it take less time... I will turn them back on so we can check what malware is there... My concern was that RapidBlaster was one of the things that I disabled; I can't see it any more. Should I still enable Normal Startup? (RapidBlaster = virus, I think.)

#19 Scorpex

    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 31 March 2007 - 11:14 AM

Go ahead and enable Normal Startup. The Rapidblaster entry in MSConfig was removed earlier.

#20 goatfig

    Member

  • Full Member
  • 11 posts

Posted 31 March 2007 - 08:44 PM

"Ali" - 07-03-31 21:29:35 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Ali\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\fad.sys


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))


2007-03-30 17:30 <DIR> d-------- C:\Program Files\CCleaner
2007-03-28 07:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-03-24 21:11 <DIR> d-------- C:\Program Files\Java
2007-03-24 21:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-24 17:33 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-03-18 23:59 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-03-11 16:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Broderbund
2007-03-11 16:43 <DIR> d-------- C:\Program Files\Broderbund
2007-03-11 16:22 <DIR> d-------- C:\Downloads
2007-03-06 21:52 <DIR> d-------- C:\DOCUME~1\Ali\APPLIC~1\TypingMaster7
2007-03-06 21:51 <DIR> dr------- C:\Program Files\TypingMaster
2007-03-05 22:53 <DIR> d-------- C:\DOCUME~1\Ali\APPLIC~1\OpenOffice.org2
2007-03-05 22:49 <DIR> d-------- C:\Program Files\OpenOffice.org 2.1


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-31 21:31 4561 --a------ C:\DOCUME~1\Ali\APPLIC~1\.googlewebacchosts
2007-03-28 19:47 -------- d-------- C:\Program Files\palm
2007-03-28 19:35 -------- d-------- C:\Program Files\ifinger
2007-03-24 21:18 4343 --a--c--- C:\WINDOWS\mozver.dat
2007-03-20 23:26 71304 --a--c--- C:\DOCUME~1\Ali\APPLIC~1\gdipfontcachev1.dat
2007-02-24 18:29 107134 --a------ C:\WINDOWS\uninstallfirefox.exe
2007-02-22 23:17 -------- d-------- C:\Program Files\extractnow
2007-02-03 22:46 -------- d-------- C:\Program Files\windows media connect 2
2007-01-29 19:39 -------- d--h----- C:\Program Files\installshield installation information
2007-01-29 19:29 -------- d-------- C:\Program Files\napster
2007-01-29 19:29 -------- d-------- C:\Program Files\Common Files\roxio shared


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"D-Link AirPlus Xtreme G"="C:\\Program Files\\D-Link\\AirPlus Xtreme G\\AirPlusCFG.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCTVOICE"="pctspk.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"kdx"="C:\\WINDOWS\\kdx\\KHost.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\QuickSet.exe"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ANIWZCSService"="C:\\Program Files\\Alpha Networks\\ANIWZCS Service\\WZCSLDR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ali^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
"path"="C:\\Documents and Settings\\Ali\\Start Menu\\Programs\\Startup\\SDK Tray Menu.lnk"
"backup"="C:\\WINDOWS\\pss\\SDK Tray Menu.lnkStartup"
"location"="Startup"
"command"="C:\\Sun\\SDK\\jdk\\bin\\javaw.exe -Xms2m -Dadmin.port=4848 -cp \"C:\\Sun\\SDK\\lib\\jdic\\jdic.jar;C:\\Sun\\SDK\\lib\\install\\tray\\tray.jar;C:\\Sun\\SDK\\lib\\appserv-rt.jar;.\" Tray"
"item"="SDK Tray Menu"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\WEBACC~1\FASTSE~1.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"=dword:00000000
"NoManageMyComputerVerb"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000
"NoCDBurning"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"StartmenuLogoff"=dword:00000000
"NoStartMenuSubFolders"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoPrinterTabs"=dword:00000000
"NoDeletePrinter"=dword:00000000
"NoAddPrinter"=dword:00000000
"NoPrinters"=dword:00000000
"NoNetworkConnections"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoRun"=dword:00000000
"NoFind"=dword:00000000
"NoClose"=dword:00000000
"NoSetFolders"=dword:00000000
"NoSMHelp"=dword:00000000
"NoChangeStartMenu"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoFileMenu"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1de019b-a9b2-11da-beb1-000f3daa1a5f}]
Shell\AutoRun\command E:\setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070218-152523-974
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{17B1741E-5BE5-47EC-9F50-E4C703AEE0AE}_ALIUNWALA_Ali.job
C:\WINDOWS\tasks\{8779B961-6AA0-4EE7-9AE4-39E03DC8ABC9}_ALIUNWALA_Fatima.job
C:\WINDOWS\tasks\{906CB1B0-C718-42BB-B35D-D4E172C3AEB2}_ALIUNWALA_Ishaq.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-31 21:38:54
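An added example, not part of the thread and not code from HijackThis or the log tool: a small Python triage script that pulls out of the registry dump above the autostart points a helper would identify first (the AppInit_DLLs value, ShellExecuteHooks entries, a MountPoints2 AutoRun command pointing at a removable drive, a *newlycreated* driver enum key, an O16 plug-in served from a bare IP, and scheduled-task .job files). The sample input is a constructed excerpt of the log lines posted above; the category names and the "bare IP host" heuristic are my own. A flag here means "identify this entry", not "this is malicious": the AppInit DLL path suggests Google Web Accelerator, the ShellExecuteHook is AVG Anti-Spyware, and the O16 line comes from the HijackThis backups section, so it had already been removed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the registry dump posted in this thread,
# trimmed to the entries the triage looks at. Real logs contain much more.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\WEBACC~1\FASTSE~1.DLL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1de019b-a9b2-11da-beb1-000f3daa1a5f}]
Shell\AutoRun\command E:\setupSNK.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51

backup-20070218-152523-974
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

C:\WINDOWS\tasks\{17B1741E-5BE5-47EC-9F50-E4C703AEE0AE}_ALIUNWALA_Ali.job
"""

Finding = Tuple[str, str]  # (category, detail); category names are my own

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
AUTORUN_RE = re.compile(r"^Shell\\AutoRun\\command\s+(?P<cmd>\S.*)$", re.I)
NEW_RE = re.compile(r"^\*newlycreated\*\s*-\s*(?P<key>\S+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")
# Heuristic (mine): a plug-in CAB served from a bare IPv4 host rather than a
# hostname deserves a second look.
IPV4_HOST_RE = re.compile(r"^https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")
JOB_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*\.job)$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk a registry-dump style log and return the autostart points worth identifying."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")  # remember which hive/key the values below belong to
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data")
            key_l = current_key.lower()
            # Every DLL in AppInit_DLLs is loaded into every process that loads
            # user32.dll, so a non-empty value always needs to be accounted for.
            if (key_l.endswith(r"windows nt\currentversion\windows")
                    and name.lower() == "appinit_dlls" and data):
                findings.append(("appinit_dlls", data))
            elif key_l.endswith("shellexecutehooks"):
                findings.append(("shellexecutehook", f"{name} = {data}"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            # AutoRun command remembered for a removable volume: runs on insertion.
            findings.append(("mountpoints2_autorun", m.group("cmd")))
            continue
        m = NEW_RE.match(line)
        if m:
            findings.append(("newly_created_key", m.group("key")))
            continue
        m = O16_RE.match(line)
        if m:
            if IPV4_HOST_RE.match(m.group("url")):
                findings.append(("o16_bare_ip", f"{m.group('clsid')} {m.group('url')}"))
            continue
        m = JOB_RE.match(line)
        if m:
            findings.append(("scheduled_task", m.group("path")))
    return findings


def by_category(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings so each category can be reviewed as a block."""
    out: Dict[str, List[str]] = {}
    for cat, detail in findings:
        out.setdefault(cat, []).append(detail)
    return out


if __name__ == "__main__":
    for cat, items in by_category(triage(SAMPLE_LOG)).items():
        print(cat)
        for item in items:
            print("   ", item)
```

Run it on the full log text rather than the excerpt to get the complete list; anything in the AppInit or MountPoints2 categories should be resolved to a known product before it is ignored.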

#21 goatfig

goatfig

    Member

  • Full Member
  • 11 posts

Posted 31 March 2007 - 08:51 PM

One other thing... is Kontiki a virus? (Because if it is, I have it.)
Thanks

#22 Scorpex

Scorpex

    Forum Deity

  • Retired Staff
  • 1,386 posts

Posted 03 April 2007 - 01:50 AM

Hi goatfig,

Regarding Kontiki
From liutilities.com - http://www.liutiliti...slibrary/khost/
Description: khost.exe is a secure data delivery application by Kontiki Inc. which delivers data such as images and files to secure servers for sharing. This is a non-essential process. Disabling or enabling it is down to user preference.

From Castlecops: http://www.castlecop...-KHost_exe.html
KonTiki Secure Delivery Plug In related. "The Kontiki Delivery Management System (DMS) is a secure delivery network for distribution of video, software, audio, documents, and other digital media. The Kontiki DMS enables enterprises to efficiently publish, secure, deliver and track digital media to employees, partners, and customers"

That being said, if you don't need it or use it, you could always uninstall it.

So where are we at now? Did removing the malware help at all or do you still have the issues?


Scorpex




Member of UNITE