
Possible virus


Original Message
Name: bccamper
Date: October 29, 2006 at 11:17:01 Pacific
Subject: Possible virus
OS: Win XP 2002
CPU/Ram: P4 1.8GHZ/256MB
Model/Manufacturer: ASUS
Comment:

I am trying to fix a friend's machine that is doing weird things, including not allowing me to install programs, shutting down Windows Explorer when I select a certain directory, etc. Could I post a hijack log for someone to look at? I believe I have a virus, but it seems there is no scanner on this machine and I am unable so far to install one. I have tried online scanners, but I get so far and then get kicked out of IE.



Response Number 1
Name: Bob (by BigBob)
Date: October 29, 2006 at 14:11:31 Pacific
Subject: Possible virus
Reply:

Yes, you can post a HJT log and I will try to help.
The master with HJT is Jabuck; you also could send him a PM.

" Please Post back to let us know if we helped "



Response Number 2
Name: bccamper
Date: October 29, 2006 at 16:55:19 Pacific
Subject: Possible virus
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:27 AM, on 29/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 33.3.169.44 virusscan.jotti.org
O1 - Hosts: 95.95.239.187 sandbox.norman.no
O1 - Hosts: 236.16.252.76 www.symantec.com
O1 - Hosts: 81.237.212.190 securityresponse.symantec.com
O1 - Hosts: 153.77.69.6 symantec.com
O1 - Hosts: 101.81.142.37 www.sophos.com
O1 - Hosts: 51.92.5.83 sophos.com
O1 - Hosts: 22.84.63.236 www.mcafee.com
O1 - Hosts: 204.205.34.167 mcafee.com
O1 - Hosts: 243.212.96.143 liveupdate.symantecliveupdate.com
O1 - Hosts: 61.96.74.78 www.viruslist.com
O1 - Hosts: 104.47.238.203 viruslist.com
O1 - Hosts: 109.147.117.22 f-secure.com
O1 - Hosts: 13.244.51.53 www.f-secure.com
O1 - Hosts: 57.5.230.76 kaspersky.com
O1 - Hosts: 17.115.16.33 www.avp.com
O1 - Hosts: 90.161.208.139 www.kaspersky.com
O1 - Hosts: 50.145.99.80 avp.com
O1 - Hosts: 233.168.246.216 www.networkassociates.com
O1 - Hosts: 64.114.128.249 www.ca.com
O1 - Hosts: 236.121.110.141 ca.com
O1 - Hosts: 54.114.43.161 mast.mcafee.com
O1 - Hosts: 118.182.103.146 my-etrust.com
O1 - Hosts: 221.234.42.53 www.my-etrust.com
O1 - Hosts: 78.49.5.243 download.mcafee.com
O1 - Hosts: 11.207.240.9 dispatch.mcafee.com
O1 - Hosts: 185.176.201.53 secure.nai.com
O1 - Hosts: 219.150.202.149 nai.com
O1 - Hosts: 192.252.18.2 www.nai.com
O1 - Hosts: 21.236.30.16 update.symantec.com
O1 - Hosts: 19.195.32.170 updates.symantec.com
O1 - Hosts: 130.65.67.206 us.mcafee.com
O1 - Hosts: 115.196.49.111 liveupdate.symantec.com
O1 - Hosts: 117.157.101.252 customer.symantec.com
O1 - Hosts: 183.213.47.157 rads.mcafee.com
O1 - Hosts: 68.79.239.155 trendmicro.com
O1 - Hosts: 211.47.228.251 www.trendmicro.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rwinrpem.exe GEN001
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\RunServices: [Creative Audio Drivers] creative.exe
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m482lelo1hqc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\h2n00c5mef.dll (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



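The log above carries three patterns worth recognising on sight: the O1 lines pin virustotal, Symantec, McAfee, Sophos, Kaspersky and the other vendor hostnames to arbitrary addresses (which is why the online scanners never finished), the O4 entries under Run and RunServices launch bare file names such as linksys.exe, creative.exe, asus.exe and bootini.exe that are named after hardware vendors but carry no path, and the O20 Winlogon Notify entries load DLLs with letter/digit-soup names from system32. The script below is an added example written for this thread; it is not code from the thread, from HijackThis or from any tool named in it. The vendor marker list, the regular expressions and the "random name" heuristic are my own assumptions, and the sample lines are constructed to mirror the shape of the entries quoted above rather than being the poster's full log.

```python
"""Triage heuristics for HijackThis-style O1 / O4 / O20 log lines.

Added example; vendor list, regexes and thresholds are assumptions.
"""
import ipaddress
import re

# Constructed sample (not the poster's full log): one entry of each shape.
SAMPLE_LOG = """\
O1 - Hosts: 235.214.107.41 www.virustotal.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\\..\\RunServices: [Linksys Modem Drivers] linksys.exe
O20 - Winlogon Notify: OptimalLayout - C:\\WINDOWS\\system32\\m482lelo1hqc.dll
O20 - Winlogon Notify: Setup - C:\\WINDOWS\\system32\\h2n00c5mef.dll (file missing)
"""

# Substrings of security-vendor hostnames that HOSTS hijacks commonly target.
# Seed list taken from the O1 entries in the thread; extend it for your estate.
VENDOR_MARKERS = (
    "symantec", "mcafee", "sophos", "kaspersky", "avp.com", "f-secure",
    "trendmicro", "virustotal", "jotti", "norman", "nai.com", "ca.com",
    "etrust", "viruslist", "networkassociates",
)

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\]\s*(.*)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.*?)(\s+\(file missing\))?$"
)


def _executable(command: str) -> str:
    """Return the program part of an autorun command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text: str) -> list:
    """Return (finding, detail) pairs for the suspicious lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip_text, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip_text)
            except ValueError:
                findings.append(("hosts-malformed", line))
                continue
            # A vendor hostname pinned to anything but loopback/0.0.0.0 means the
            # scanner and update sites cannot be reached (the poster's symptom).
            if any(v in host.lower() for v in VENDOR_MARKERS) and not (
                addr.is_loopback or addr.is_unspecified
            ):
                findings.append(("hosts-hijack", f"{host} -> {ip_text}"))
        elif m := RUN_RE.match(line):
            key, name, command = m.groups()
            exe = _executable(command)
            # A bare file name is resolved through the search path at logon;
            # legitimate installers almost always write a full path.
            if "\\" not in exe and ":" not in exe:
                findings.append(("autorun-unqualified-path", f"{key} [{name}] {exe}"))
        elif m := NOTIFY_RE.match(line):
            name, dll, missing = m.groups()
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if missing:
                findings.append(("winlogon-notify-missing-file", f"{name} -> {dll}"))
            elif any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
                # Mixed letters and digits in a system32 DLL name: weak signal,
                # but it matches the Look2Me-style entries seen in this thread.
                findings.append(("winlogon-notify-random-name", f"{name} -> {dll}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:30} {detail}")
```

Run against the constructed sample it reports five findings: one HOSTS hijack, the two path-less autoruns, one random-name Notify DLL and one Notify DLL whose file is already gone. The HOSTS check is the one with real diagnostic value for the poster's first symptom; the other two are prioritisation aids, not verdicts, and anything they flag still needs the file itself looked at.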

Response Number 3
Name: bccamper
Date: October 29, 2006 at 16:59:24 Pacific
Subject: Possible virus
Reply:

Yes Jabuck helped me with a problem on a different machine. Let me know if you want me to contact him and how I PM him.



Response Number 4
Name: XpUser4Real
Date: October 29, 2006 at 18:04:44 Pacific
Subject: Possible virus
Reply:

Just go to my computing.net link/private message center and type in Jabuck and send him a PM if you'd like. He's pretty prompt at replying...make sure to give him your post number and what forum it is located in.
Good Luck

Hopefully my advice will help you...Please post back with your results....thanks



Response Number 5
Name: bccamper
Date: October 29, 2006 at 18:41:32 Pacific
Subject: Possible virus
Reply:

Okay I have sent a PM to jabuck. Thanks.




Response Number 6
Name: jabuck
Date: October 29, 2006 at 19:27:12 Pacific
Subject: Possible virus
Reply:

Download SDfix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Please download ComboFix to the Desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the combofix.txt log and a new HijackThis log.



Response Number 7
Name: bccamper
Date: October 29, 2006 at 19:56:51 Pacific
Subject: Possible virus
Reply:

jabuck, I can't seem to find sdfix. Where can I download it from?



Response Number 8
Name: bccamper
Date: October 29, 2006 at 20:05:55 Pacific
Subject: Possible virus
Reply:

Jabuck I found it.



Response Number 9
Name: bccamper
Date: October 29, 2006 at 20:59:38 Pacific
Subject: Possible virus
Reply:

Stage Two...

Checking For Malware:
--------------------

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload152a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload46a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload[2].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EJQBY7U9\drsmartload849a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I9WPY12L\drsmartload45a[1].exe
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-113D05CC.pf
C:\WINDOWS\Prefetch\DRSMARTLOAD1.EXE-04DD9FC7.pf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\asus.exe
C:\WINDOWS\system32\bootini.exe
C:\WINDOWS\system32\creative.exe
C:\WINDOWS\system32\dllcache\msvps.exe
C:\WINDOWS\system32\linksys.exe
C:\WINDOWS\system32\MS32.exe
C:\WINDOWS\system32\msjava.exe
C:\WINDOWS\system32\stonedrv.exe
C:\WINDOWS\system32\SVKP.SYS

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload152a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload46a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y40FZQWW\drsmartload[2].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EJQBY7U9\drsmartload849a[1].exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I9WPY12L\drsmartload45a[1].exe
C:\WINDOWS\system32\bootini.exe
C:\WINDOWS\system32\linksys.exe

Any files removed are saved to the SDFix\backups Folder

FINISHED



Response Number 10
Name: bccamper
Date: October 29, 2006 at 21:34:20 Pacific
Subject: Possible virus
Reply:

jabuck, I left the machine while ComboFix was running. I came back a little later and found the machine constantly booting. I can no longer get into Windows, even in Safe Mode. The machine gets to the point where the MS Windows XP Pro window disappears and then it reboots.



Response Number 11
Name: jabuck
Date: October 30, 2006 at 04:05:35 Pacific
Subject: Possible virus
Reply:

The boot.ini or the wininet.dll file was damaged by the malware.

First try to boot into Safe Mode, then select "Last Known Good Configuration". It works once in a blue moon, but it may work.

If this fails, you will need the original install disk from the owner of the computer or an XP Pro CD. It is possible that a repair install will be needed, and only an XP Pro CD will work, so you may have to borrow one.

If you get the original install disk, insert it in the CD-ROM, then click Open (don't let it run in auto), then browse through it and see if it offers a repair-from-console option. If it does, try to repair the boot.ini file; if that option is not available and you have to use an XP Pro CD to do a repair install, these are about the best instructions: http://www.michaelstevenstech.com/XPrepairinstall.htm

I have repaired the boot.ini from the Recovery Console with the 6-floppy-disk download, so that works also.



Response Number 12
Name: bccamper
Date: October 30, 2006 at 17:58:10 Pacific
Subject: Possible virus
Reply:

jabuck, I am a little confused. It sounds like I should be doing a repair from the console, but part of Michael Stevens' article says do not choose Recovery Console. He even repeats it, although things I read before that seem to indicate that is what I wanted to do. Even Charlie White's article (a link off of Michael's page) says to use Recovery Console. Can you give me some direction?



Response Number 13
Name: jabuck
Date: October 30, 2006 at 18:51:29 Pacific
Subject: Possible virus
Reply:

What type of media do you have: XP Pro CD, 6 floppies, OEM recovery disk?



Response Number 14
Name: bccamper
Date: October 30, 2006 at 18:54:45 Pacific
Subject: Possible virus
Reply:

XP pro CD



Response Number 15
Name: jabuck
Date: October 30, 2006 at 19:34:51 Pacific
Subject: Possible virus
Reply:

Try the repair first. Boot with the XP Pro CD > press Enter (don't boot to Recovery Console) > accept the license agreement > choose the XP installation you would like to repair (C:\Windows "Windows Microsoft XP Professional") > press "R" to repair.

Look on the side of the box for the Key (25 alphanumeric digits, I think) and write it down before you start. You may not need it, but you will not have to scuffle for it if you do. Then just follow the prompts. Once finished, make sure the firewall is turned on, then download the Windows updates.

And keep in mind that this computer is still infected, so post a HijackThis log when you get through.




Response Number 16
Name: bccamper
Date: October 30, 2006 at 20:26:27 Pacific
Subject: Possible virus
Reply:

jabuck, I finished the repair. It forced me to activate Windows before it would allow me to log in, so I had to connect to the internet to do that. Once I started to activate, a window came up with the following:

Message from Security_monito to Windows_User on 06-10-30 20:14
Stop! Critical system errors
1. Download registry repair from www.correctreg.com
2. install registry repair
3. run registry repair
4 reboot

Failure to act now may lead to data loss and coruption

I was not logged in yet, so I was unable to download anything. After activating Windows and logging in, SDFix started running again. It is now finished. I will run hijack and post a new log.



Response Number 17
Name: bccamper
Date: October 30, 2006 at 20:31:14 Pacific
Subject: Possible virus
Reply:

The combofix.txt is very long. Is there a way for me to attach it instead of pasting it? Also, hijack will no longer run. It starts up, I see the window for a second, and then it quits.



Response Number 18
Name: bccamper
Date: October 30, 2006 at 20:50:05 Pacific
Subject: Possible virus
Reply:

Jabuck, I tried running hijack in Safe Mode and it ran, but when it tried to open the log it said it could not open it. Now when I try to run it, it fails with "Incorrect function" if I click the executable in the hijack directory. If I do a Start, Run, it says "Windows cannot create a shortcut here. Do you want the shortcut to be placed on the desktop instead?" If I say yes, it says the shortcut cannot be created - check to see if the disk is full. Looks like I am in a heap of trouble.

Lastly, do you wish me to alert you when I need your input, or just wait till you respond?



Response Number 19
Name: bccamper
Date: October 30, 2006 at 20:55:11 Pacific
Subject: Possible virus
Reply:

Also, it seems it has lost the ability to run any .exe files. I thought I saw a fix for this recently, but I don't recall where.



Response Number 20
Name: jabuck
Date: October 31, 2006 at 03:55:41 Pacific
Subject: Possible virus
Reply:

Go to the following link, download the shell open command reset tool and run it: http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

If no luck, go to http://www.kellys-korner-xp.com/xp_tweaks.htm and run item 12 on the list to repair executable files in XP.

Post the HJT log and the combofix log.


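What a "shell open command reset" puts back, shown as an added example rather than the contents of the Symantec tool or the Kelly's Korner item linked above: the stock Windows XP registry values that make double-clicking a .exe launch the program. The symptom described in the thread (every executable failing with "Incorrect function" while .reg files still merge) is the classic result of the exefile class being rewritten, because .reg files are opened through the separate regfile class and regedit, not through exefile.

```reg
Windows Registry Editor Version 5.00

; Map the .exe extension back to the "exefile" class.
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

; Friendly name of the class as shown by Explorer.
[HKEY_CLASSES_ROOT\exefile]
@="Application"

; The verb Explorer runs on double-click: the file itself, with its arguments.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Same command for the "Run as..." verb.
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
```

Merging it from Safe Mode, as the poster ended up doing, matters: a repair applied while the infection is still running is routinely undone on the next logon, and a fix that only holds in Safe Mode is itself evidence that an active component is still present and should be hunted down before the machine is trusted.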

Response Number 21
Name: bccamper
Date: October 31, 2006 at 06:15:27 Pacific
Subject: Possible virus
Reply:

I tried both the reset tool and the execfix.reg but neither worked. So I tried safe mode. Here I was able to run the execfix.reg and it gave the two prompts that you should get when loading something into the registry. I could now run hijack. Here are the combo and hijack logs.

ComboFix 06.10.19 - Running from: "D:\"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{100EB6D4-512D-4293-9A2E-277D9E15CA54}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqdru.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{26D6F870-3953-4D3F-9009-3271ACF0483E}\InprocServer32]
@="C:\\WINDOWS\\system32\\meconf.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{004FD0E5-D836-45DB-9770-5FFFAA884B1F}\InprocServer32]
@="C:\\WINDOWS\\system32\\splwid.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EF4CCECA-2061-4A44-9E62-9B9B95E5452E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ptdx5016.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{379DFD6E-1F7B-4112-9FC8-2EB4A383B649}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{8C0B88BC-AFCC-4002-9A59-960C4F971946}\InprocServer32]
@="C:\\WINDOWS\\system32\\iZsrad.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{34051B84-280A-4591-AF26-44C001537C51}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrv3is.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B505ACE4-4127-4C77-9467-0307DA08665E}\InprocServer32]
@="C:\\WINDOWS\\system32\\mkrepl40.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EB5BB201-8816-46B1-86F4-ABB8625BA582}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{488C9FD1-8758-4211-B3D5-97719ACF28C4}\InprocServer32]
@="C:\\WINDOWS\\system32\\tintsvrp.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{135AB6E7-A592-4200-9694-E65E9A540FD3}\InprocServer32]
@="C:\\WINDOWS\\system32\\wpvdmod.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{CAF1E1B0-E2B7-4B41-B176-51EA6D3F6F54}\InprocServer32]
@="C:\\WINDOWS\\system32\\irxmontr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{44C43A9A-D9C1-41F7-8416-05C393A45697}\InprocServer32]
@="C:\\WINDOWS\\system32\\dvauth.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F185FE32-23E5-441B-956D-CD8BABC76DC7}\InprocServer32]
@="C:\\WINDOWS\\system32\\coyptext.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{EC5D7807-37A3-4BDB-88E9-B112D45DA21D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C985DBA4-529B-4E95-AFFE-CD176A00F4E9}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvidle.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F9723C7B-0986-4CE9-A91F-B72A5DF27C41}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECE02B2B-FEB1-4D6F-9C64-4D1B76A9F0DF}\InprocServer32]
@="C:\\WINDOWS\\system32\\kadbene.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9B24C6C0-E8C7-4C90-A76B-6A71714FD4B2}\InprocServer32]
@="C:\\WINDOWS\\system32\\SLLSRV32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FF77CCAE-06C6-4315-851C-0F8AC81A4BB9}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{07BC1A18-52FF-4F9D-8920-F13B20531868}\InprocServer32]
@="C:\\WINDOWS\\system32\\dlmstor.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9F34DCED-D6D6-4529-B8AB-80F4CDC0F006}\InprocServer32]
@="C:\\WINDOWS\\system32\\dvlay.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{0BA0A4C2-3681-4E05-A5CC-0F8809B96AF0}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9253E35-45AA-40BB-AF33-73F643384E0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\impromon.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FE8F349C-4170-431B-8936-413E494D0359}\InprocServer32]
@="C:\\WINDOWS\\system32\\rPsrad.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3058CC60-2CD3-4799-A060-5EDB47AF581A}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{3B773ECC-E041-4A3F-80D3-C6481179FD71}\InprocServer32]
@="C:\\WINDOWS\\system32\\bmackbox.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{627B51D7-5D78-47EB-9923-D0D21F4094C4}]
@=""


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:



((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Mae\Application Data\Sskknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((( Files Created from 2020-07-29 to 202006-10-29 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"SDFix"="D:\\sdfix\\SDFix\\RunThis.bat /second"
"Linksys Modem Drivers"="linksys.exe"
"Microsoft Windows"="bootini.exe"
"SRFirstRun"="rundll32 srclient.dll,CreateFirstRunRp"
"SchedulingAgent"="mstinit.exe /firstlogon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\OEWAB OS Setup]
"OE5_2"="C:\\WINDOWS\\System32\\inetcomm.dll|DllRegisterServer"
"OE5_1"="C:\\Program Files\\Common Files\\System\\directdb.dll|DllRegisterServer"
"OE5_3"="C:\\Program Files\\Outlook Express\\oeimport.dll|DllRegisterServer"
"OE5_4"="C:\\Program Files\\Outlook Express\\oemiglib.dll|DllRegisterServer"
"OE5_5"="C:\\Program Files\\Outlook Express\\msoe.dll|DllRegisterServer"
"OEWABOS_2"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WINNT /INSTALL"
"WAB5_4"="C:\\WINDOWS\\System32\\msoeacct.dll|DllRegisterServer"
"WAB5_1"="C:\\Program Files\\Common Files\\System\\wab32.dll|DllRegisterServer"
"WAB5_2"="C:\\Program Files\\Outlook Express\\wabimp.dll|DllRegisterServer"
"WAB5_3"="C:\\Program Files\\Outlook Express\\wabfind.dll|DllRegisterServer"
"OEWABOS_1"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WINNT /INSTALL"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Linksys Modem Drivers"="linksys.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\rykegogig.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\pohyd.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"fiqz"="C:\\PROGRA~1\\COMMON~1\\fiqz\\fiqzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e37"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e37"
"hkey"="HKLM"
"command"="C:\\\\kybrdff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Linksys Modem Drivers]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="linksys"
"hkey"="HKLM"
"command"="linksys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bootini"
"hkey"="HKLM"
"command"="bootini.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_e37"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_e37.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stonedrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stonedrv"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\stonedrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208833699094]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3208833699094"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3208833699094.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zkaqb]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Onhvppb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dtxdh\\Onhvppb.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\EFS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 2006-10-30 19:58:12.89
C:\ComboFix.txt ... 2006-10-30 19:58


Logfile of HijackThis v1.99.1
Scan saved at 6:13:57 AM, on 31/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\bootini.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDFix] D:\sdfix\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinrpem.exe GEN001
O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xcle...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Response Number 22
Name: jabuck
Date: October 31, 2006 at 17:14:54 Pacific
Subject: Popssible virus

Please download Atribune's http://www.atribune.org/public-beta/Look2Me-Destroyer.exe to your desktop. Run in normal mode.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.


Please post the contents of C:\Look2Me-Destroyer.txt.


If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Download and install AVG Anti-Spyware. We will need this later in safe mode.

Be sure to update AVG Anti-Spyware.

Download Killbox to your desktop from this link: Killbox by Option^Explicit. If you already have "Killbox", update to this newer version. We will need it later in safe mode.

Go to start> run> type msconfig in the space provided> choose normal startup> apply> ok.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Boot into safe mode.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe bootini.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe

O4 - HKLM\..\Run: [Linksys Modem Drivers] linksys.exe

O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwinrpem.exe GEN001

O4 - HKLM\..\RunServices: [Linksys Modem Drivers] linksys.exe

O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe

Exit Hijack this but remain in safe mode

Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\bootini.exe

C:\WINDOWS\System32\winIogon.exe

C:\WINDOWS\system32\rwinrpem.exe

C:\WINDOWS\system32\linksys.exe

C:\Program Files\Common Files\fiqz\fiqzm.exe

C:\Program Files\Common Files\fiqz\

C:\Program Files\Dtxdh\Onhvppb.exe

C:\Program Files\Dtxdh\

C:\WINDOWS\win3208833699094.exe

c:\windows\system32\stonedrv.exe

C:\nwnmff_e37.exe

C:\kybrdff_e37.exe

C:\dfndrff_e37.exe

C:\WINDOWS\v1201.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.


Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).

If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.

To remove the O1's in the Hijack This log, download Hoster to your desktop. Once installed, click the "Restore Microsofts Original Host File" and nothing else.

Boot back to safe mode.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Boot back to normal mode.

Open notepad (Start Menu > Run > Type notepad and press "ok").

Copy and paste everything into notepad between the x's, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Linksys Modem Drivers"=-
"Microsoft Windows"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Linksys Modem Drivers"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"fiqz"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"fiqz"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Linksys Modem Drivers]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stonedrv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208833699094]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zkaqb]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Post the AVG AntiSpyware report on the desktop, a new combofix log and a new Hijack This log please.



Response Number 23
Name: bccamper
Date: October 31, 2006 at 18:28:39 Pacific
Subject: Popssible virus

I ran the look2me-destroyer and it seemed to work except I got a copy error 53. I clicked ok and it seemed to continue. The machine shut down as you stated but now it is back to the old problem where it just keeps rebooting. Do I need to do the repair again and if I do will that undo what look2me did?



Response Number 24
Name: jabuck
Date: October 31, 2006 at 18:36:35 Pacific
Subject: Popssible virus

Yes, do the repair, then continue.



Response Number 25
Name: bccamper
Date: October 31, 2006 at 18:39:50 Pacific
Subject: Popssible virus

Okay, and when that is finished do I run the look2me again or continue with the step after that?



Response Number 26
Name: jabuck
Date: October 31, 2006 at 18:50:11 Pacific
Subject: Popssible virus

Continue at "Download ATF-Cleaner" and make sure that firewall is turned on.



Response Number 27
Name: bccamper
Date: November 1, 2006 at 05:19:44 Pacific
Subject: Popssible virus

jabuck, an update of where I am at. I finished the repair and continued on with the hijack. I had to run hijack twice as the first time the two F2's did not get cleaned up. I then ran killbox but was a little confused and not sure if I ran it correctly. I ran it, clicked 'Delete on reboot' and then clicked on the all files button. I then went to Win Explorer and for each file I right clicked on the file and then clicked copy. I then went back to killbox and chose paste from clipboard from the file menu. Nothing seems to happen and when I click the red and white delete button it says I have not specified any file to delete. Also I was unable to install AVG. I have it on a cd but as soon as I click the directory in Explorer, Explorer closes. If I do start-->run and then choose the program it runs for a few seconds and then dies. I went to google.ca but as soon as I put 'AVG free scanner' in the search IE closes.



Response Number 28
Name: bccamper
Date: November 1, 2006 at 06:08:51 Pacific
Subject: Popssible virus

jabuck, I looked at the help web page for killbox and tried to load each file one at a time and then hit the red and white delete button for each file. For each file I got a message that said 'file will be deleted on reboot, do you want to reboot now'. I didn't say yes until the last file. I then ran Hoster. It told me that my hosts file was not writable and asked if it was okay to make it so. When I went into the program I also had to click a button to make it writable. After this it seemed to restore Microsoft's original file. It did however tell me that the attributes will not be restored so I will have to do that after.

Next I ran ATF Cleaner. It finished okay. Nice program!! Now I tried to install AVG again. It looked like it was going to work until I noticed it was uninstalling and then failed with the message 'local machine: installation failed. Error action failed for file avgamsvr.exe starting service ... Access is denied (5)'



Response Number 29
Name: jabuck
Date: November 1, 2006 at 21:22:56 Pacific
Subject: Popssible virus

Please download Brute Force Uninstaller
Unzip it to its own folder (c:\BFU)

Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner.
In the "Download BFU script..." window, copy and paste the following and then click OK:

http://metallica.geekstogo.com/alcanshorty.bfu

You should see the file alcanshorty.bfu appear in the bfu folder next to BFU.exe.

Reboot into safe mode.

Open the bfu folder and double click BFU.exe.
To select the scriptfile to execute, first double click the folder icon to the left of the globe.
You should now see a window containing alcanshorty.bfu, simply double click it.
Finally, click the Execute button to begin.

When the tool has finished running, you will get a "BFU" window with the message "Completed script execution", click on OK.

Run Hoster and see if you can run AVG_AntiSpyware and post a new combofix log and a Hijack This log.



Response Number 30
Name: bccamper
Date: November 2, 2006 at 15:56:00 Pacific
Subject: Popssible virus

jabuck, I still can't install AVG. I still get the same message about access denied trying to start the avgamsvr service. Also I got a screen this time when I rebooted, from Messenger Service, saying my registry is corrupt and that I should go to www.registrycleanerxp.com and install the program. Should I do this? I have a print screen of everything if there is a way to send it to you.



Response Number 31
Name: bccamper
Date: November 2, 2006 at 16:04:29 Pacific
Subject: Popssible virus

I was finally able to get Panda software to run. It has found over 80 virus-infected files so far. I also have another window from Messenger Service telling me to go to www.regfixit.com.



Response Number 32