# strange svchost.exe file...



## ahoier (Feb 22, 2007)

I just googled for "Windows File Depictor and Rotator Service For Service Pack 2" after finding a reference to a strange C:\WINDOWS\system32\repair\svchost.exe file...which BitDefender online virus scan flagged, but could not clean due to it being in use...

Well, lo and behold, my favorite tech support forum was the only result in that list, pointing me to http://forums.techguy.org/security/546134-solved-says-i-keep-spamming.html

Now, I don't have Symantec installed...I pretty much discovered this on my own through various BSODs and such that have been happening lately...lol.

Anyways, HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:57:55 AM, on 2/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\repair\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 207.203.64.64 brev.org
O1 - Hosts: 208.67.219.43 aimexpress.aol.com
O1 - Hosts: 208.67.219.43 aimexpress.aim.com
O1 - Hosts: 208.67.219.43 blog.meebo.com
O1 - Hosts: 208.67.219.43 classic.meebo.com
O1 - Hosts: 208.67.219.43 css.meebo.com
O1 - Hosts: 208.67.219.43 js.meebo.com
O1 - Hosts: 208.67.219.43 login.nrnyspace.com
O1 - Hosts: 208.67.219.43 meebo13.com
O1 - Hosts: 208.67.219.43 meebo3.com
O1 - Hosts: 208.67.219.43 meebo31.com
O1 - Hosts: 208.67.219.43 stalkertrack.com
O1 - Hosts: 208.67.219.43 virginmoney.com.au
O1 - Hosts: 208.67.219.43 ww32.meebo.com
O1 - Hosts: 208.67.219.43 www.1o0ll.com
O1 - Hosts: 208.67.219.43 www.1o0ll01ll0o12.com
O1 - Hosts: 208.67.219.43 www.meebo31.com
O1 - Hosts: 208.67.219.43 www.profileawareness.com
O1 - Hosts: 208.67.219.43 www.profileviewz.com
O1 - Hosts: 208.67.219.43 www.stalkertrack.com
O1 - Hosts: 208.67.219.43 www.swfsearch.com
O1 - Hosts: 208.67.219.43 www10.meebo.com
O1 - Hosts: 208.67.219.43 www13.meebo.com
O1 - Hosts: 208.67.219.43 www18.meebo.com
O1 - Hosts: 208.67.219.43 www25.meebo.com
O1 - Hosts: 208.67.219.43 www30.meebo.com
O1 - Hosts: 208.67.219.43 www31.meebo.com
O1 - Hosts: 208.67.219.43 www33.meebo.com
O1 - Hosts: 208.67.219.43 www34.meebo.com
O1 - Hosts: 208.67.219.43 www36.meebo.com
O1 - Hosts: 208.67.219.43 www37.meebo.com
O1 - Hosts: 208.67.219.43 www38.meebo.com
O1 - Hosts: 208.67.219.43 www45.meebo.com
O1 - Hosts: 208.67.219.43 www49.meebo.com
O1 - Hosts: 208.67.219.43 wwwl.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo13.com
O1 - Hosts: 208.67.219.43 wwwm.meebo3.com
O1 - Hosts: 64.233.167.99 notebook.google.com
O1 - Hosts: 208.67.219.43 www.beeasy.info
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 853672 bytes, MD5 250D787A5712D7768DDC133B3E477759)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (filesize 507904 bytes, MD5 9E35696F5ADCBA66B2F4FC66AA97E022)
O4 - HKLM\..\Run: [myspaceIM] C:\patch\myspaceIM.exe -f "C:\patch" -a -b -x F13 -n "C:\Program Files\Ultima Online 2D\client.exe" -n "C:\Program Files\IrfanView\i_view32.exe" -s "systemlog.txt"
O4 - HKLM\..\Run: [RunAppBk] C:\windows\rsp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" (filesize 75520 bytes, MD5 EDF5D27C6D244740418903626DF5741A)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe (filesize 188416 bytes, MD5 3DB45D6F5EDCA42EC07D35AEBB166E14)
O4 - Global Startup: inadyn.exe.lnk = C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe (filesize 57344 bytes, MD5 45A19A997D5DAFF5B23AFABFF18C25F6)
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Just as background, those HOSTS entries are valid, I added those...so nothing malicious is indicated there. And also, same with the "Trusted" Zone entries; all were added by me (I'm the one that uses IE in high security...my sister doesn't...hehe).
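The item this thread centres on is a core Windows binary running from an unexpected directory: the first log lists C:\WINDOWS\repair\svchost.exe alongside the legitimate System32 copies. As an added example (not code from the thread, from HijackThis, or from any poster), the script below parses the "Running processes" block of an HJT log and flags core binaries that are not loaded from their expected directory; the expected-location table is an assumption about a default Windows XP install with %SystemRoot% = C:\WINDOWS, and the sample log is a constructed subset of the first log above.

```python
"""Flag core Windows binaries that a HijackThis 'Running processes' list
shows running from somewhere other than their expected directory.

Added example for this thread; not part of HijackThis or any poster's code.
EXPECTED_DIR is an assumption about a default Windows XP install
(%SystemRoot% = C:\\WINDOWS); SAMPLE_LOG is a constructed subset of the
first log posted in the thread."""

from __future__ import annotations

import ntpath
from typing import Iterable

# Core system processes and the only directory each should be loaded from on
# a default XP install. Comparison is case-insensitive because the log itself
# mixes "System32" and "system32".
EXPECTED_DIR = {
    "smss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "spoolsv.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def running_processes(log_lines: Iterable[str]) -> list[str]:
    """Return the paths listed under 'Running processes:' in an HJT log.

    The section starts at the 'Running processes:' header and ends at the
    first blank line (HJT prints the R/O entries after that)."""
    paths: list[str] = []
    in_section = False
    for line in log_lines:
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            paths.append(line)
    return paths


def misplaced_system_binaries(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (observed_path, expected_dir) for each core binary not running
    from its expected directory.

    Several svchost.exe instances under System32 are normal; the number of
    copies is not the signal, their location is."""
    findings: list[tuple[str, str]] = []
    for path in paths:
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name.lower())
        if expected is None:
            continue  # not a core binary we track
        if ntpath.normcase(directory) != ntpath.normcase(expected):
            findings.append((path, expected))
    return findings


def analyse(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Parse the log and return the misplaced core binaries it lists."""
    return misplaced_system_binaries(running_processes(log_lines))


# Constructed sample: a subset of the 'Running processes' block from the
# first log in this thread, including the C:\WINDOWS\repair\svchost.exe entry.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\repair\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
""".splitlines()


if __name__ == "__main__":
    for observed, expected in analyse(SAMPLE_LOG):
        print(f"SUSPECT: {observed} (expected under {expected})")
```

Run against the sample it reports only the repair\svchost.exe entry; the two System32 copies and Explorer.EXE pass because the check is on directory, not on name or count.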


----------



## Cookiegal (Aug 27, 2003)

I don't see any anti-virus program running. Why is that?


----------



## ahoier (Feb 22, 2007)

I use ClamWin to scan on-demand.

Here's my updated HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:03:23 AM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 207.203.64.64 brev.org
O1 - Hosts: 208.67.219.43 aimexpress.aol.com
O1 - Hosts: 208.67.219.43 aimexpress.aim.com
O1 - Hosts: 208.67.219.43 blog.meebo.com
O1 - Hosts: 208.67.219.43 classic.meebo.com
O1 - Hosts: 208.67.219.43 css.meebo.com
O1 - Hosts: 208.67.219.43 js.meebo.com
O1 - Hosts: 208.67.219.43 login.nrnyspace.com
O1 - Hosts: 208.67.219.43 meebo13.com
O1 - Hosts: 208.67.219.43 meebo3.com
O1 - Hosts: 208.67.219.43 meebo31.com
O1 - Hosts: 208.67.219.43 stalkertrack.com
O1 - Hosts: 208.67.219.43 virginmoney.com.au
O1 - Hosts: 208.67.219.43 ww32.meebo.com
O1 - Hosts: 208.67.219.43 www.1o0ll.com
O1 - Hosts: 208.67.219.43 www.1o0ll01ll0o12.com
O1 - Hosts: 208.67.219.43 www.meebo31.com
O1 - Hosts: 208.67.219.43 www.profileawareness.com
O1 - Hosts: 208.67.219.43 www.profileviewz.com
O1 - Hosts: 208.67.219.43 www.stalkertrack.com
O1 - Hosts: 208.67.219.43 www.swfsearch.com
O1 - Hosts: 208.67.219.43 www10.meebo.com
O1 - Hosts: 208.67.219.43 www13.meebo.com
O1 - Hosts: 208.67.219.43 www18.meebo.com
O1 - Hosts: 208.67.219.43 www25.meebo.com
O1 - Hosts: 208.67.219.43 www30.meebo.com
O1 - Hosts: 208.67.219.43 www31.meebo.com
O1 - Hosts: 208.67.219.43 www33.meebo.com
O1 - Hosts: 208.67.219.43 www34.meebo.com
O1 - Hosts: 208.67.219.43 www36.meebo.com
O1 - Hosts: 208.67.219.43 www37.meebo.com
O1 - Hosts: 208.67.219.43 www38.meebo.com
O1 - Hosts: 208.67.219.43 www45.meebo.com
O1 - Hosts: 208.67.219.43 www49.meebo.com
O1 - Hosts: 208.67.219.43 wwwl.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo13.com
O1 - Hosts: 208.67.219.43 wwwm.meebo3.com
O1 - Hosts: 64.233.167.99 notebook.google.com
O1 - Hosts: 208.67.219.43 www.beeasy.info
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [myspaceIM] C:\patch\myspaceIM.exe -f "C:\patch" -a -b -x F13 -n "C:\Program Files\Ultima Online 2D\client.exe" -n "C:\Program Files\IrfanView\i_view32.exe" -s "systemlog.txt"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O4 - Global Startup: inadyn.exe.lnk = C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

I've since disabled "Windows File Depictor and Rotator Service For Service Pack 2" service. But I've been getting some strange system crashes and BSODs lately.

While I wait, I'm going to go ahead and scan with HouseCall, BitDefender, and Panda Antivirus and see what pops up.

If it matters, the BSODs usually occur when logging out, or logging into another account.

Like, for example: I'll log out of my user account fine. But when my sibling jumps on, when he logs into his user account, Windows will BSOD, forcing us to restart with the power button; scan disk (CHKDSK) will kick in, may or may not fix file errors (sometimes it does, sometimes it doesn't), and THEN finally it will let him log in without a problem.


----------



## Cookiegal (Aug 27, 2003)

Using an anti-virus program as an on-demand scanner only is essentially running without an anti-virus program, and cleaning a machine with no anti-virus program running is a waste of time. You need to have protection to stop infections before they can get into your system and do their damage, rather than closing the barn door after the horse has gotten out and run amok.

So in order for us to go any further, please post a new HijackThis log showing an anti-virus program running. There are several free ones (ClamWin is one of them).

When you post your next log, please do not use code tags as it makes the screen too wide and you have to scroll left to right to read the log. I've removed them from the previous logs.


----------



## ahoier (Feb 22, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 10:25:38 AM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ClamWin\bin\ClamWin.exe
C:\Program Files\ClamWin\bin\clamscan.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 207.203.64.64 brev.org
O1 - Hosts: 208.67.219.43 aimexpress.aol.com
O1 - Hosts: 208.67.219.43 aimexpress.aim.com
O1 - Hosts: 208.67.219.43 blog.meebo.com
O1 - Hosts: 208.67.219.43 classic.meebo.com
O1 - Hosts: 208.67.219.43 css.meebo.com
O1 - Hosts: 208.67.219.43 js.meebo.com
O1 - Hosts: 208.67.219.43 login.nrnyspace.com
O1 - Hosts: 208.67.219.43 meebo13.com
O1 - Hosts: 208.67.219.43 meebo3.com
O1 - Hosts: 208.67.219.43 meebo31.com
O1 - Hosts: 208.67.219.43 stalkertrack.com
O1 - Hosts: 208.67.219.43 virginmoney.com.au
O1 - Hosts: 208.67.219.43 ww32.meebo.com
O1 - Hosts: 208.67.219.43 www.1o0ll.com
O1 - Hosts: 208.67.219.43 www.1o0ll01ll0o12.com
O1 - Hosts: 208.67.219.43 www.meebo31.com
O1 - Hosts: 208.67.219.43 www.profileawareness.com
O1 - Hosts: 208.67.219.43 www.profileviewz.com
O1 - Hosts: 208.67.219.43 www.stalkertrack.com
O1 - Hosts: 208.67.219.43 www.swfsearch.com
O1 - Hosts: 208.67.219.43 www10.meebo.com
O1 - Hosts: 208.67.219.43 www13.meebo.com
O1 - Hosts: 208.67.219.43 www18.meebo.com
O1 - Hosts: 208.67.219.43 www25.meebo.com
O1 - Hosts: 208.67.219.43 www30.meebo.com
O1 - Hosts: 208.67.219.43 www31.meebo.com
O1 - Hosts: 208.67.219.43 www33.meebo.com
O1 - Hosts: 208.67.219.43 www34.meebo.com
O1 - Hosts: 208.67.219.43 www36.meebo.com
O1 - Hosts: 208.67.219.43 www37.meebo.com
O1 - Hosts: 208.67.219.43 www38.meebo.com
O1 - Hosts: 208.67.219.43 www45.meebo.com
O1 - Hosts: 208.67.219.43 www49.meebo.com
O1 - Hosts: 208.67.219.43 wwwl.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo13.com
O1 - Hosts: 208.67.219.43 wwwm.meebo3.com
O1 - Hosts: 64.233.167.99 notebook.google.com
O1 - Hosts: 208.67.219.43 www.beeasy.info
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (filesize 507904 bytes, MD5 9E35696F5ADCBA66B2F4FC66AA97E022)
O4 - HKLM\..\Run: [myspaceIM] C:\patch\myspaceIM.exe -f "C:\patch" -a -b -x F13 -n "C:\Program Files\Ultima Online 2D\client.exe" -n "C:\Program Files\IrfanView\i_view32.exe" -s "systemlog.txt"
O4 - HKLM\..\Run: [RunAppBk] C:\windows\rsp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" (filesize 75520 bytes, MD5 EDF5D27C6D244740418903626DF5741A)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime (filesize 282624 bytes, MD5 FA7EB9AFF3D726A6BF0494BEE7E378F6)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (filesize 73728 bytes, MD5 673C4FE1F896C52F2191C9586C892093)
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe (filesize 188416 bytes, MD5 3DB45D6F5EDCA42EC07D35AEBB166E14)
O4 - Global Startup: inadyn.exe.lnk = C:\Documents and Settings\z'Adam\My Documents\Apps\inadyn\inadyn.exe (filesize 57344 bytes, MD5 45A19A997D5DAFF5B23AFABFF18C25F6)
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxdev.dllC:\WINDOWS\system32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dllC:\WINDOWS\system32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXBCES.EXE

This is the new HijackThis log.

Thanks in advance for the help.

Edit:
I also went ahead and uploaded the mystery svchost.exe file to virustotal.com and here's the results:
well, I uploaded the svchost.exe to www.virustotal.com and here's the results:

STATUS: FINISHED
Complete scanning result of "svchost.exe", received in VirusTotal at 02.26.2007, 14:39:06 (CET).

Antivirus Version Update Result 
AntiVir 7.3.1.38 02.26.2007 Worm/Sdbot.50688.40 
Authentium 4.93.8 02.25.2007 no virus found 
Avast 4.7.936.0 02.26.2007 Win32:SdBot-gen44 
AVG 386 02.25.2007 IRC/BackDoor.SdBot2.UAN 
BitDefender 7.2 02.26.2007 Backdoor.SDBot.UR 
CAT-QuickHeal 9.00 02.26.2007 Backdoor.SdBot.aad 
ClamAV devel-20060426 02.26.2007 no virus found 
DrWeb 4.33 02.26.2007 Win32.HLLW.MyBot.based 
eSafe 7.0.14.0 02.25.2007 Win32.SdBot.aad 
eTrust-Vet 30.4.3434 02.26.2007 no virus found 
Ewido 4.0 02.26.2007 Backdoor.SdBot.aad 
FileAdvisor 1 02.26.2007 no virus found 
Fortinet 2.85.0.0 02.26.2007 W32/SDBot.AAD!tr.bdr 
F-Prot 4.3.1.45 02.25.2007 no virus found 
F-Secure 6.70.13030.0 02.26.2007 Backdoor.Win32.SdBot.aad 
Ikarus T3.1.1.3 02.26.2007 Backdoor.Win32.SdBot.aad 
Kaspersky 4.0.2.24 02.26.2007 Backdoor.Win32.SdBot.aad 
McAfee 4970 02.23.2007 no virus found 
Microsoft 1.2204 02.26.2007 no virus found 
NOD32v2 2080 02.25.2007 a variant of IRC/SdBot 
Norman 5.80.02 02.26.2007 W32/SDBot.AORY 
Panda 9.0.0.4 02.26.2007 Bck/Sdbot.JUW 
Prevx1 V2 02.26.2007 Polynomial.Code.Exploit 
Sophos 4.14.0 02.24.2007 no virus found 
Sunbelt 2.2.907.0 02.24.2007 VIPRE.Suspicious 
Symantec 10 02.26.2007 no virus found 
TheHacker 6.1.6.065 02.26.2007 Backdoor/SdBot.aad 
UNA 1.83 02.23.2007 Backdoor.SdBot.883D 
VBA32 3.11.2 02.25.2007 Win32.HLLW.MyBot.based 
VirusBuster 4.3.19:9 02.25.2007 Worm.SdBot.TFC

Aditional Information 
File size: 50688 bytes 
MD5: 46cf4a026a8e740bac33be0c136349da 
SHA1: 741e4e1b0abf0a8f44cb153bf2b271741520e538 
packers: PECompact 
packers: PECOMPACT 
packers: PecBundle, PECompact 
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=679477196590 
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

The scan at TrendMicro HouseCall just finished, and they detect the file as WORM_SDBOT.CWA

Though, HouseCall wiped the file clean when I did the latest run...so I don't have any live specimen.

Edit 2:
I've gone and done some of my own research on some of those processes and such...rsp.exe seems to set off a red flag, there are a couple search results at google for it, one of which points to http://forums.spywareinfo.com/lofiversion/index.php/t44347.html
Though, my infection doesn't seem to be as nasty as that one...at least not by looking at all the processes that the other user had listed.

I'd also like to point out that rsp.exe was one of the files that F-Secure Blacklight turned up as a possible threat. Uploading it to VirusTotal now...
STATUS: FINISHED
Complete scanning result of "rsp.exe", received in VirusTotal at 02.26.2007, 16:52:51 (CET).

Antivirus Version Update Result 
AntiVir 7.3.1.38 02.26.2007 HEUR/Malware 
Authentium 4.93.8 02.25.2007 no virus found 
Avast 4.7.936.0 02.26.2007 no virus found 
AVG 386 02.25.2007 no virus found 
BitDefender 7.2 02.26.2007 Trojan.Spy.Secm.A 
CAT-QuickHeal 9.00 02.26.2007 no virus found 
ClamAV devel-20060426 02.26.2007 no virus found 
DrWeb 4.33 02.26.2007 DLOADER.Trojan packed by BINARYRES 
eSafe 7.0.14.0 02.26.2007 no virus found 
eTrust-Vet 30.4.3434 02.26.2007 no virus found 
Ewido 4.0 02.26.2007 no virus found 
FileAdvisor 1 02.26.2007 no virus found 
Fortinet 2.85.0.0 02.26.2007 no virus found 
F-Prot 4.3.1.45 02.26.2007 no virus found 
F-Secure 6.70.13030.0 02.26.2007 no virus found 
Ikarus T3.1.1.3 02.26.2007 no virus found 
Kaspersky 4.0.2.24 02.26.2007 no virus found 
McAfee 4970 02.23.2007 BackDoor-CXV 
Microsoft 1.2204 02.26.2007 no virus found 
NOD32v2 2082 02.26.2007 probably unknown NewHeur_PE virus 
Norman 5.80.02 02.26.2007 no virus found 
Panda 9.0.0.4 02.26.2007 Suspicious file 
Prevx1 V2 02.26.2007 Dropper.Payload 
Sophos 4.14.0 02.24.2007 no virus found 
Sunbelt 2.2.907.0 02.24.2007 no virus found 
Symantec 10 02.26.2007 no virus found 
TheHacker 6.1.6.065 02.26.2007 no virus found 
UNA 1.83 02.23.2007 no virus found
VBA32 3.11.2 02.25.2007 no virus found
VirusBuster 4.3.19:9 02.26.2007 no virus found

Aditional Information
File size: 192512 bytes
MD5: 74eb3ff3e97c504327f444040ca090db
SHA1: 5d698f7fdaac68db7eb1c78360fe74dc334783df
packers: BINARYRES
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2e8a79301639


----------



## ahoier (Feb 22, 2007)

ClamWin scans show up clean...
HouseCall is finally showing up as clean...
I'm scanning with BitDefender currently, and it's found 3 infected files; C:\WINDOWS\rsp.exe, C:\WINDOWS\rsp.exe.ren (the renamed file from F-Secure Blacklight root kit scanner), and then pvc[1].exe which was under C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*

Oh, and just now it detected and deleted the quarantined svchost.exe that HouseCall quarantined at C:\Docs and Settings\z'adam\.housecall6.6\Quarantine\*

But yea, this scan is nearing its completion...

This past reboot I did, I didn't get a BSOD as I logged out, nor as I logged back in, so I guess that's a good sign 

Looking forward to some help/guidance.

It couldn't delete the C:\WINDOWS\rsp.exe file, I have a feeling it must be hooked somewhere...but I'm not seeing it in Task Manager, nor HJT Process Viewer...

Edit 2:
I just downloaded and scanned with Rootkit Revealer, and it showed 8 potential problems...a couple of which make sense, since the file referenced has been shown on a couple BSODs I've gotten...the log is as follows:


> HKLM\SECURITY\Policy\Secrets\SAC*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)
> HKLM\SECURITY\Policy\Secrets\SAI*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunAppBk	2/26/2007 3:44 PM	38 bytes	Hidden from Windows API.
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BaseWinOptions	9/13/2005 8:51 AM	0 bytes	Hidden from Windows API.
> ...


The RunAppBk is where rsp.exe is hiding at...and HijackThis doesn't allow its removal...? Though it SHOWS the rsp.exe result in its scan listing...any ideas?

SecMon.sys seems to be hidden from view, so all I have access to is the "renamed" file, Secmon.sys.ren which F-Secure Blacklight renamed when it did its scan...but I've uploaded SecMon.sys.ren to Virustotal.com, here's the results:

STATUS: FINISHED
Complete scanning result of "SecMon.sys.ren", received in VirusTotal at 02.26.2007, 22:29:26 (CET).

Antivirus Version Update Result 
AntiVir 7.3.1.38 02.26.2007 no virus found 
Authentium 4.93.8 02.26.2007 no virus found 
Avast 4.7.936.0 02.26.2007 no virus found 
AVG 386 02.25.2007 no virus found 
BitDefender 7.2 02.26.2007 no virus found 
CAT-QuickHeal 9.00 02.26.2007 no virus found 
ClamAV devel-20060426 02.26.2007 no virus found 
DrWeb 4.33 02.26.2007 no virus found 
eSafe 7.0.14.0 02.26.2007 no virus found 
eTrust-Vet 30.4.3434 02.26.2007 no virus found 
Ewido 4.0 02.26.2007 no virus found 
FileAdvisor 1 02.26.2007 no virus found 
Fortinet 2.85.0.0 02.26.2007 no virus found 
F-Prot 4.3.1.45 02.26.2007 no virus found 
F-Secure 6.70.13030.0 02.26.2007 no virus found 
Ikarus T3.1.1.3 02.26.2007 no virus found 
Kaspersky 4.0.2.24 02.26.2007 no virus found 
McAfee 4971 02.26.2007 no virus found 
Microsoft 1.2204 02.26.2007 no virus found 
NOD32v2 2082 02.26.2007 no virus found 
Norman 5.80.02 02.26.2007 no virus found 
Panda 9.0.0.4 02.26.2007 no virus found 
Prevx1 V2 02.26.2007 no virus found 
Sophos 4.14.0 02.26.2007 no virus found 
Sunbelt 2.2.907.0 02.24.2007 no virus found 
Symantec 10 02.26.2007 no virus found 
TheHacker 6.1.6.065 02.26.2007 no virus found 
UNA 1.83 02.26.2007 no virus found 
VBA32 3.11.2 02.25.2007 no virus found 
VirusBuster 4.3.19:9 02.26.2007 no virus found

Aditional Information 
File size: 5120 bytes 
MD5: a8f45ff0ea96e85dd3233165a4cc78ca 
SHA1: 97b6c3c379c999cd6ec96e4c4c016e94638a4e25

And yes, I have Show Hidden files toggled/enabled on...this must be the rootkit hiding itself.

Anyways, the latest BSOD I've gotten gave the following information:
STOP: 0x0000008E (0xC0000005,0xF9A02A0D,0xA9FF0CB0,0x00000000)
SecMon.sys - Address F9A02A0D base at F9A02000,DateStamp 45c9ac5d

Any other ideas? hehe.
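The RootkitRevealer output quoted above is the most useful evidence in this post: a Run value (RunAppBk) that is present in the registry but "Hidden from Windows API" is exactly the pattern of a user-mode hiding hook, and it lines up with the O4 RunAppBk line HijackThis printed for rsp.exe in the earlier log. The following added example (not code from the poster, Sysinternals, or HijackThis) parses the tab-separated RootkitRevealer lines, cross-references hidden autostart values with the HijackThis O4 entries so the hidden value is tied to the command it launches, and assigns a triage priority. The embedded samples are constructed from the lines quoted in this thread; the priority rules and the treatment of the HKLM\SECURITY\Policy\Secrets embedded-null keys as low priority (RootkitRevealer's own documentation describes Windows creating such keys) are my assumptions, not something the poster stated.

```python
import re

# Constructed sample: the RootkitRevealer discrepancy lines quoted in the post
# above. Each record is path, timestamp, size, description, tab-separated.
RKR_SAMPLE = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t9/13/2005 4:14 PM\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t9/13/2005 4:14 PM\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RunAppBk\t2/26/2007 3:44 PM\t38 bytes\tHidden from Windows API.\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\BaseWinOptions\t9/13/2005 8:51 AM\t0 bytes\tHidden from Windows API.\n"
)

# Constructed sample: O4 autostart lines taken from the HijackThis log in the thread.
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [RunAppBk] C:\\windows\\rsp.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Assumption: registry locations whose values start programs at logon.
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\winlogon\\")
LSA_SECRETS = "hklm\\security\\policy\\secrets\\"

HJT_O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")


def parse_hjt_autostarts(text):
    """Map HijackThis O4 value names (lower-cased) to hive and command line."""
    out = {}
    for line in text.splitlines():
        m = HJT_O4_RE.match(line)
        if m:
            out[m.group(2).lower()] = {"hive": m.group(1), "command": m.group(3)}
    return out


def parse_rkr(text):
    """One dict per RootkitRevealer record; malformed lines are skipped."""
    fields = ("path", "timestamp", "size", "description")
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def classify(row, autostarts):
    """Return (priority, note) for one discrepancy."""
    path = row["path"].lower()
    desc = row["description"].lower()
    if desc.startswith("key name contains embedded nulls") and path.startswith(LSA_SECRETS):
        return "low", "embedded-null LSA secrets keys are created by Windows itself"
    if desc.startswith("hidden from windows api"):
        if any(key in path for key in AUTOSTART_KEYS):
            value_name = path.rsplit("\\", 1)[-1]
            hit = autostarts.get(value_name)
            cmd = hit["command"] if hit else "(not listed by HijackThis)"
            return "high", f"autostart value hidden from user mode, launches: {cmd}"
        return "medium", "hidden key outside autostart locations; review manually"
    return "medium", "unclassified discrepancy; review manually"


def triage(rkr_text, hjt_text):
    autostarts = parse_hjt_autostarts(hjt_text)
    results = []
    for row in parse_rkr(rkr_text):
        priority, note = classify(row, autostarts)
        results.append({"path": row["path"], "priority": priority, "note": note})
    return results


if __name__ == "__main__":
    for r in triage(RKR_SAMPLE, HJT_SAMPLE):
        print(f"[{r['priority']:6}] {r['path']}\n         {r['note']}")
```

The cross-reference is the point: a hidden value under a Run key is suspicious on its own, but knowing it resolves to C:\windows\rsp.exe (the file BitDefender could not delete) turns two separate tool outputs into one finding, and the "low" bucket keeps the well-known LSA secrets entries from burying it.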


----------



## Cookiegal (Aug 27, 2003)

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
You need to use IE to run this scan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## ahoier (Feb 22, 2007)

AVG report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:	11:42:43 PM 2/26/2007

+ Scan result:

Nothing found.

::Report end

Activescan.txt:

Incident Status Location

Potentially unwanted tool:Application/Spyagent.A Not disinfected C:\WINDOWS\IMGLIB.DLL 
HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:48:11 AM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: 207.203.64.64 brev.org
O1 - Hosts: 208.67.219.43 aimexpress.aol.com
O1 - Hosts: 208.67.219.43 aimexpress.aim.com
O1 - Hosts: 208.67.219.43 blog.meebo.com
O1 - Hosts: 208.67.219.43 classic.meebo.com
O1 - Hosts: 208.67.219.43 css.meebo.com
O1 - Hosts: 208.67.219.43 js.meebo.com
O1 - Hosts: 208.67.219.43 login.nrnyspace.com
O1 - Hosts: 208.67.219.43 meebo13.com
O1 - Hosts: 208.67.219.43 meebo3.com
O1 - Hosts: 208.67.219.43 meebo31.com
O1 - Hosts: 208.67.219.43 stalkertrack.com
O1 - Hosts: 208.67.219.43 virginmoney.com.au
O1 - Hosts: 208.67.219.43 ww32.meebo.com
O1 - Hosts: 208.67.219.43 www.1o0ll.com
O1 - Hosts: 208.67.219.43 www.1o0ll01ll0o12.com
O1 - Hosts: 208.67.219.43 www.meebo31.com
O1 - Hosts: 208.67.219.43 www.profileawareness.com
O1 - Hosts: 208.67.219.43 www.profileviewz.com
O1 - Hosts: 208.67.219.43 www.stalkertrack.com
O1 - Hosts: 208.67.219.43 www.swfsearch.com
O1 - Hosts: 208.67.219.43 www10.meebo.com
O1 - Hosts: 208.67.219.43 www13.meebo.com
O1 - Hosts: 208.67.219.43 www18.meebo.com
O1 - Hosts: 208.67.219.43 www25.meebo.com
O1 - Hosts: 208.67.219.43 www30.meebo.com
O1 - Hosts: 208.67.219.43 www31.meebo.com
O1 - Hosts: 208.67.219.43 www33.meebo.com
O1 - Hosts: 208.67.219.43 www34.meebo.com
O1 - Hosts: 208.67.219.43 www36.meebo.com
O1 - Hosts: 208.67.219.43 www37.meebo.com
O1 - Hosts: 208.67.219.43 www38.meebo.com
O1 - Hosts: 208.67.219.43 www45.meebo.com
O1 - Hosts: 208.67.219.43 www49.meebo.com
O1 - Hosts: 208.67.219.43 wwwl.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo13.com
O1 - Hosts: 208.67.219.43 wwwm.meebo3.com
O1 - Hosts: 64.233.167.99 notebook.google.com
O1 - Hosts: 208.67.219.43 www.beeasy.info
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [myspaceIM] C:\patch\myspaceIM.exe -f "C:\patch" -a -b -x F13 -n "C:\Program Files\Ultima Online 2D\client.exe" -n "C:\Program Files\IrfanView\i_view32.exe" -s "systemlog.txt"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe
O23 - Service: TUSIWHXDNYCGWJE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe

Kinda weird that they turned up fairly clean...Something I noticed, in my Registry Run settings, I'm only seeing very minimal entries...under both HKCU and HKLM...
But in MSCONFIG, startup tab, there's about 20 startup entries...
Yes, the startup entries do reflect those that are in my task manager so to speak...

And well while AVG Anti-Spyware was loaded in Safe Mode, most (if not all?) of the startup entries were showing up in the AVG AntiSpyware Tools > Autostart...so somehow they are hiding the entries from my user level...cause they aren't all showing up when in Normal windows mode in that area of AVG...

While I'm waiting, I figured I'd start up Spybot S&D and check out the startups that Spybot is able to "see"...and here's the SpybotSD.System startup report.txt:


> --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
> 
> 2006-12-27 unins000.exe (51.41.0.0)
> 2005-05-31 blindman.exe (1.0.0.1)
> ...


Spybot is saying ctfmon.exe is a virus, so I disabled that entry...going to upload it to virustotal right now...I know in the past I've read that ctfmon*32*.exe is often an infected file...but I guess there's nothing stopping that filename from changing.

Anyways, here's the virustotal scan, nothing detected...
STATUS: FINISHED
Complete scanning result of "ctfmon.exe", received in VirusTotal at 02.27.2007, 15:28:14 (CET).

Antivirus Version Update Result 
AntiVir 7.3.1.38 02.27.2007 no virus found 
Authentium 4.93.8 02.26.2007 no virus found 
Avast 4.7.936.0 02.27.2007 no virus found 
AVG 7.5.0.441 02.27.2007 no virus found 
BitDefender 7.2 02.27.2007 no virus found 
CAT-QuickHeal 9.00 02.27.2007 no virus found 
ClamAV devel-20060426 02.27.2007 no virus found 
DrWeb 4.33 02.27.2007 no virus found 
eSafe 7.0.14.0 02.27.2007 no virus found 
eTrust-Vet 30.4.3438 02.27.2007 no virus found 
Ewido 4.0 02.27.2007 no virus found 
FileAdvisor 1 02.27.2007 No threat detected 
Fortinet 2.85.0.0 02.27.2007 no virus found 
F-Prot 4.3.1.45 02.26.2007 no virus found 
F-Secure 6.70.13030.0 02.27.2007 no virus found 
Ikarus T3.1.1.3 02.27.2007 no virus found 
Kaspersky 4.0.2.24 02.27.2007 no virus found 
McAfee 4971 02.26.2007 no virus found 
Microsoft 1.2204 02.27.2007 no virus found 
NOD32v2 2083 02.27.2007 no virus found 
Norman 5.80.02 02.27.2007 no virus found 
Panda 9.0.0.4 02.27.2007 no virus found 
Prevx1 V2 02.27.2007 no virus found 
Sophos 4.14.0 02.26.2007 no virus found 
Sunbelt 2.2.907.0 02.24.2007 no virus found 
Symantec 10 02.27.2007 no virus found 
TheHacker 6.1.6.065 02.26.2007 no virus found 
UNA 1.83 02.26.2007 no virus found 
VBA32 3.11.2 02.26.2007 no virus found 
VirusBuster 4.3.19:9 02.27.2007 no virus found

Aditional Information 
File size: 15360 bytes 
MD5: 24232996a38c0b0cf151c2140ae29fc8 
SHA1: b36d03b56a30187ffc6257459d632a4faac48af2 
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=24232996a38c0b0cf151c2140ae29fc8

But can anyone confirm those checksums (either MD5 or SHA1) with their own system files?

Just did some research on this ctfmon.exe, and according to Microsoft it is used for text input...the steps they give to remove it detail going through Control Panel > Add or Remove Programs, and uninstalling the component from Microsoft Office XP...well, I don't have Office XP on this system, never have...all I use is OpenOffice.org for my Office Suite, and Notepad/Wordpad on occasion...but that's about it.


----------



## ahoier (Feb 22, 2007)

I just tried scanning with Windows Live OneCare online scanner thing, and during the scan, I got a BSOD stating:


> STOP: 0x0000008E (0xC0000005, 0xF9A02A0D,0xA989CCB0,0x00000000)
> SecMon.sys - Address F9A02A0D base at F9A02000, DateStamp 45c9ac5d)


Upon reboot and reporting the system crash, Microsoft had this to say:


> Problem caused by Device Driver
> 
> You received this message because a device driver installed on your computer caused the Windows operating system to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer.
> 
> ...


I just did a search through regedit for secmon.sys and here's what turned up:


...I'm going to try the OneCare scan again, if it crashes again, I'll try it in Safe Mode with Networking and see what happens...


----------



## ahoier (Feb 22, 2007)

hmm...the second attempt at Microsoft Live Care online scan failed...so I rebooted from the crash, let chkdisk check the disk for errors, etc...and then logged in, reported the error to Microsoft.

I then restarted, got into Safe Mode via F8 key-tapping on boot up, and was able to run the Windows Live OneCare Full Scan without a problem. There were no big threats, but there were registry entries that it was able to fix.

Here's the new HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:00:05 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\inadyn\inadyn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 207.203.64.64 brev.org
O1 - Hosts: 208.67.219.43 aimexpress.aol.com
O1 - Hosts: 208.67.219.43 aimexpress.aim.com
O1 - Hosts: 208.67.219.43 blog.meebo.com
O1 - Hosts: 208.67.219.43 classic.meebo.com
O1 - Hosts: 208.67.219.43 css.meebo.com
O1 - Hosts: 208.67.219.43 js.meebo.com
O1 - Hosts: 208.67.219.43 login.nrnyspace.com
O1 - Hosts: 208.67.219.43 meebo13.com
O1 - Hosts: 208.67.219.43 meebo3.com
O1 - Hosts: 208.67.219.43 meebo31.com
O1 - Hosts: 208.67.219.43 stalkertrack.com
O1 - Hosts: 208.67.219.43 virginmoney.com.au
O1 - Hosts: 208.67.219.43 ww32.meebo.com
O1 - Hosts: 208.67.219.43 www.1o0ll.com
O1 - Hosts: 208.67.219.43 www.1o0ll01ll0o12.com
O1 - Hosts: 208.67.219.43 www.meebo31.com
O1 - Hosts: 208.67.219.43 www.profileawareness.com
O1 - Hosts: 208.67.219.43 www.profileviewz.com
O1 - Hosts: 208.67.219.43 www.stalkertrack.com
O1 - Hosts: 208.67.219.43 www.swfsearch.com
O1 - Hosts: 208.67.219.43 www10.meebo.com
O1 - Hosts: 208.67.219.43 www13.meebo.com
O1 - Hosts: 208.67.219.43 www18.meebo.com
O1 - Hosts: 208.67.219.43 www25.meebo.com
O1 - Hosts: 208.67.219.43 www30.meebo.com
O1 - Hosts: 208.67.219.43 www31.meebo.com
O1 - Hosts: 208.67.219.43 www33.meebo.com
O1 - Hosts: 208.67.219.43 www34.meebo.com
O1 - Hosts: 208.67.219.43 www36.meebo.com
O1 - Hosts: 208.67.219.43 www37.meebo.com
O1 - Hosts: 208.67.219.43 www38.meebo.com
O1 - Hosts: 208.67.219.43 www45.meebo.com
O1 - Hosts: 208.67.219.43 www49.meebo.com
O1 - Hosts: 208.67.219.43 wwwl.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo.com
O1 - Hosts: 208.67.219.43 wwwm.meebo13.com
O1 - Hosts: 208.67.219.43 wwwm.meebo3.com
O1 - Hosts: 64.233.167.99 notebook.google.com
O1 - Hosts: 208.67.219.43 www.beeasy.info
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (filesize 507904 bytes, MD5 9E35696F5ADCBA66B2F4FC66AA97E022)
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [inadyn] "C:\Program Files\inadyn\inadyn.exe" (filesize 57344 bytes, MD5 45A19A997D5DAFF5B23AFABFF18C25F6)
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized (filesize 6266880 bytes, MD5 01D90AE5DCCBCE0C7B52874FEC35A608)
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (filesize 73728 bytes, MD5 673C4FE1F896C52F2191C9586C892093)
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe (filesize 188416 bytes, MD5 3DB45D6F5EDCA42EC07D35AEBB166E14)
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe
O23 - Service: TUSIWHXDNYCGWJE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe


----------



## Cookiegal (Aug 27, 2003)

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive% 
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
- Instead of Windows loading as normal, the Advanced Options Menu should appear
- Select the first option, to run Windows in Safe Mode, then press *Enter*
- Choose your usual account.

- Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
- Type *Y* to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
- Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* (Report.txt will also be copied to the clipboard ready for posting back on the forum).
- Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

Download ComboScan by Deckard from *Here* and save it to your Desktop. 

- Double click *comboScan.exe* and follow the prompts.
- When finished, it will produce a log for you.
- Post the contents of that log in your next reply.
- Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the *C:\ComboScan* folder. You will find two logs in the folder, *ComboScan.txt* and *Supplementary.txt*.
- Open the *Supplementary.txt* log in Notepad.
- Also copy and paste its contents in a reply.


----------



## ahoier (Feb 22, 2007)

SDFix's report.txt:
SDFix: Version 1.68

Run by z'Adam - Tue 02/27/2007 @ 22:55:51.89

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows File Depictor and Rotator

Path:
"C:\WINDOWS\repair\svchost.exe"

Windows File Depictor and Rotator Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Z'ADAM\LOCALS~1\TEMP\SCS1FB.TMP - Deleted
C:\DOCUME~1\Z'ADAM\LOCALS~1\TEMP\SCS1FC.TMP - Deleted
C:\DOCUME~1\Z'ADAM\LOCALS~1\TEMP\SCS202.TMP - Deleted

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Enabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\NTICDMK7.dll
C:\WINDOWS\system32\NTIMPEG2.dll
C:\WINDOWS\system32\NTIMP3.dll
C:\WINDOWS\system32\NTIFCD3.dll
C:\WINDOWS\system32\NTIBUN4.dll
C:\Restoration\DLL16.DLL
C:\Restoration\DLL32.DLL
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Picasa2\setup.exe
C:\Restoration\Restoration.exe
C:\Documents and Settings\Marianne\SecMon.sys
C:\Documents and Settings\Jaclyn\SecMon.sys
C:\Documents and Settings\z'Adam\SecMon.sys.ren
C:\Documents and Settings\z'Adam\SecMon.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Marianne\Desktop\New Folder\SIV2D.tmp

Add/Remove Programs List:

7-Zip 4.42
Ad-Aware SE Personal
AIM 6.0
AVG Anti-Spyware 7.5
BitTorrent 5.0.3
burnatonce
ClamWin Free Antivirus 0.90
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eDexter(remove only)
FairUse Wizard 2
FrostWire 4.13.1.4 BETA
Gaim (remove only)
Gizmo Plugin
Google Video Player
GTK+ Runtime 2.6.9 rev a (remove only)
Intel(R) Graphics Media Accelerator Driver
HijackThis 1.99.1
Microsoft Internationalized Domain Names Mitigation APIs
NTI Backup NOW! 4
IrfanView (remove only)
High Definition Audio Driver Package - KB888111
Lexmark 640 Series
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
mIRC
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.1)
Microsoft Compression Client Pack 1.0 for Windows XP
MusicBrainz Tagger 0.10.5
Memorex exPressit Label Design Studio
Microsoft National Language Support Downlevel APIs
OpenPandora 0.6.3
Panda ActiveScan
PeerGuardian 2.0
Photo To Sketch 3.21
Picasa 2
Psi (remove only)
QuickTime Alternative 1.73
Recuva (remove only)
Adobe Flash Player 9 ActiveX
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
Starcraft
StarCraft X-tra Editor Version 2.5
Tweak UI
Ultima Online 2D
Warcraft II BNE
Windows Imaging Component
Windows Live OneCare safety scanner
Microsoft User-Mode Driver Framework Feature Pack 1.0
XoftSpySE
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
MSXML4 Parser
Microsoft .NET Framework 3.0
Google Talk (remove only)
Google Toolbar for Internet Explorer
Nero 7
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 11
NTI Backup NOW! 4
ImageShack Toolbar for Internet Explorer
Windows Communication Foundation
Clear Cache feature for Internet Explorer
OpenOffice.org 2.0
Microsoft .NET Framework 2.0
Windows Workflow Foundation
Managed DirectX (0901)
B.I.S.S. Hosts Manager
Windows Presentation Foundation
Windows Rights Management Client with Service Pack 2
Microsoft .NET Framework 1.1
HostsMan 3.0 Beta1
Google Toolbar for Internet Explorer
Windows Rights Management Client Backwards Compatibility SP2
Realtek High Definition Audio Driver
Windows Resource Kit Tools

Finished

And then comboScan.exe's supplementary.txt:
ComboScan v20070226.18 run by z'Adam on 2007-02-27 at 23:27:21
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.93GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 247.36 MiB / 79.07 MiB
Pagefile Memory (total/avail): 603.89 MiB / 359.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.84 MiB

C: is Fixed (FAT32) - 35.6 GiB total, 22.6 GiB free. 
D: is Fixed (FAT32) - 35.98 GiB total, 35.98 GiB free. 
E: is CDROM (No Media)
F: is CDROM (No Media)

-- Security Center --------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\z'Adam\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ACER-BDAB9BFFC1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\z'Adam
LOGONSERVER=\\ACER-BDAB9BFFC1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SYSTEM=C:\WINDOWS\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\z'Adam\LOCALS~1\Temp
TMP=C:\DOCUME~1\z'Adam\LOCALS~1\Temp
USERDOMAIN=ACER-BDAB9BFFC1
USERNAME=z'Adam
USERPROFILE=C:\Documents and Settings\z'Adam
windir=C:\WINDOWS

-- User Profiles ----------------------------------------------------------------

Marianne _(admin)_
Jaclyn _(admin)_
z'Adam _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
B.I.S.S. Hosts Manager --> MsiExec.exe /I{A931C76A-8189-4485-A686-53A91658CD30}
BitTorrent 5.0.3 --> "C:\Program Files\BitTorrent\uninstall.exe"
burnatonce --> "C:\Program Files\burnatonce\unins000.exe"
ClamWin Free Antivirus 0.90 --> "C:\Program Files\ClamWin\unins000.exe"
Clear Cache feature for Internet Explorer --> MsiExec.exe /I{4E901875-0F15-44BA-89DE-94AA41A7F507}
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
eDexter(remove only) --> "C:\Program Files\Pyrenean\eDexter\uninstall.exe"
FairUse Wizard 2 --> "C:\Program Files\FairUse Wizard 2\UnInstall_14333.exe"
FrostWire 4.13.1.4 BETA --> C:\Program Files\FrostWire\Uninstall.exe
Gaim (remove only) --> C:\Program Files\Gaim\gaim-uninst.exe
Gizmo Plugin --> C:\Program Files\GizmoPlugin\uninstall.exe
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
GTK+ Runtime 2.6.9 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 1.99.1 --> C:\HiJackThis\HijackThis.exe /uninstall
HostsMan 3.0 Beta1 --> "C:\Program Files\abelhadigital.com\HostsMan\unins000.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
ImageShack Toolbar for Internet Explorer --> MsiExec.exe /X{48C97477-1D55-4B51-86BF-822677C04164}
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Lexmark 640 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXDAUN5C.EXE -dLexmark 640 Series
Memorex exPressit Label Design Studio --> C:\WINDOWS\mvuninst\App1\mvuninst.exe "Memorex exPressit Label Design Studio"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIRC --> "C:\mIRC\mirc.exe" -uninstall
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\z'Adam\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
MusicBrainz Tagger 0.10.5 --> C:\PROGRA~1\MUSICB~1\UNWISE.EXE C:\PROGRA~1\MUSICB~1\INSTALL.LOG
Nero 7 --> MsiExec.exe /I{2D7D9D86-923A-41A8-919F-437332AB1033}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
OpenOffice.org 2.0 --> MsiExec.exe /I{686BB230-DE5B-44F4-8DB0-4F9BEE7310F7}
OpenPandora 0.6.3 --> C:\Program Files\OpenPandora\uninstall.exe
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Photo To Sketch 3.21 --> "C:\Program Files\Photo To Sketch\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Psi (remove only) --> C:\Program Files\Psi\uninstall.exe
QuickTime Alternative 1.73 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Realtek High Definition Audio Driver --> RtlUpd.exe -r
Recuva (remove only) --> "C:\Program Files\Recuva\uninst.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
StarCraft X-tra Editor Version 2.5 --> "C:\Program Files\Starcraft\SCXEDeinst\unins000.exe"
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Ultima Online 2D --> C:\WINDOWS\UOUninst.exe
Warcraft II BNE --> C:\WINDOWS\W2BNEUnin.exe C:\WINDOWS\W2BNEUnin.dat
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 --> 
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

-- End of ComboScan: finished at 2007-02-27 at 23:27:50 -------------------------

Do you need me to post ComboScan.txt as well?


----------



## ahoier (Feb 22, 2007)

Just for curiosity's sake, I just looked through startuplist.txt (generated by HJT):

I think some/one of those services listed may have been left behind from Rootkit Revealer. During one of its scans, I got a BSOD so it couldn't remove itself from memory.

And well, I don't know about SecMon.sys...but in nearly every BSOD, that is the "driver" that is mentioned...I don't know if that is a legitimate file or not...I did a google search for it, and didn't get any results...though there were results for secmon.exe...

In msconfig, under the services tab, with Hide all Microsoft Services checked/enabled, I'm seeing the following:


My latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:08:10 AM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [inadyn] "C:\Program Files\inadyn\inadyn.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: *.f-secure.com
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paygonline.com
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)


----------
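The O23 entries in the log above (services registered under random-looking names, binaries under a user's Temp folder, now reported "(file missing)") and the very long O15 Trusted Zone list, which includes bare IP addresses and truncated entries such as "*.I", are the two things an analyst would pull out of this log first. The following Python script is an added example, not code from this thread, from HijackThis or from any vendor named in the log; it parses a few constructed HJT-style lines modelled on the log and flags those patterns. Its thresholds (eight or more capital letters counts as "random-looking", a host shorter than three characters counts as truncated) are the example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not code from the thread, from HijackThis
or from any vendor named in the log. It flags two patterns visible there:
  * O23 services whose binary sits under a Temp folder, whose name looks
    random, whose owner is unknown, or which is reported "(file missing)";
  * O15 Trusted Zone / Trusted IP range entries that extend IE's relaxed
    Trusted-zone settings to a bare IP address or to a truncated pattern.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines modelled on the thread's log (not the full log).
SAMPLE_LOG = r"""
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.I
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: http://207.203.64.242
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
""".strip().splitlines()

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O15_RE = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<entry>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: eight or more capital letters and nothing else is "random-looking".
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def check_service(m: "re.Match") -> List[str]:
    """Reasons to look harder at one O23 service entry."""
    reasons = []
    path = m["path"].lower()
    if "\\temp\\" in path:
        reasons.append("service binary lives under a Temp directory")
    if m["missing"]:
        reasons.append("binary missing: dangling service registration")
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("no vendor string")
    if RANDOM_NAME_RE.match(m["name"]):
        reasons.append("random-looking all-caps service name")
    return reasons


def check_trusted(m: "re.Match") -> List[str]:
    """Reasons to look harder at one O15 Trusted Zone / IP range entry."""
    reasons = []
    host = re.sub(r"^https?://", "", m["entry"].strip())
    if IPV4_RE.match(host):
        reasons.append("bare IP address granted Trusted-zone privileges")
    else:
        host = host[2:] if host.startswith("*.") else host
        if len(host) < 3:  # assumption: "*.I"-style entries are truncated
            reasons.append("truncated or garbled pattern")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Return only the lines that earn at least one reason."""
    findings = []
    for line in lines:
        m = O23_RE.match(line)
        reasons = check_service(m) if m else []
        if not m:
            m = O15_RE.match(line)
            reasons = check_trusted(m) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run directly it prints the five flagged lines with their reasons; the Lexmark service and the *.google.com entry pass. The point is the heuristics, which an analyst would pair with a vendor allow-list before running them over a full log.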



## Cookiegal (Aug 27, 2003)

Yes, I need to see the other ComboScan log please.


----------



## ahoier (Feb 22, 2007)

ComboScan.txt is attached, since it was too large to contain within this post.


----------



## Cookiegal (Aug 27, 2003)

Go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Documents and Settings\Marianne\SecMon.sys
C:\WINDOWS\rsv.exe
C:\WINDOWS\spysplash.dat
C:\WINDOWS\system32\wiaservc.dll


----------



## ahoier (Feb 22, 2007)

C:\Documents and Settings\Marianne\SecMon.sys is showing:
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.) 
MD5 a8f45ff0ea96e85dd3233165a4cc78ca 
Packers detected: -
Scan taken on 01 Mar 2007 02:04:10 (GMT) 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV *Found Trojan.Rootkit-98*
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

C:\WINDOWS\rsv.exe
Status: OK 
MD5 4617938e96f3e43a345c4e6f1682156f 
Packers detected: -

Scanner results 
Scan taken on 01 Mar 2007 02:05:30 (GMT) 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

spysplash.dat
Status: OK 
MD5 de3bd63953a25c3aa1a9fe1c430b1de7 
Packers detected: -

Scanner results 
Scan taken on 01 Mar 2007 02:06:46 (GMT) 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

File: wiaservc.dll 
Status: OK
MD5 b6763f8534ac547cf1af98afdff2edc8 
Packers detected: -

Scanner results 
Scan taken on 01 Mar 2007 02:11:17 (GMT) 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
Fortinet Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

So, it looks like the only infected file is SecMon.sys...which is kinda interesting, since I just recently submitted one of those SecMon.sys files through the ClamAV site a couple days ago.

Edit:
And yes, looking through the mailing list archives there, I saw mention of my name next to that infection in the list...

I'll wait for further instructions before scanning and cleaning this infection with ClamAV.


----------
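The scan results above show the pattern the Jotti notice warns about: fifteen engines, one detection, and that one from an engine the site itself rates as false-positive prone. The script below is an added example, not code from the thread, from Jotti or from any of the scanners named; it parses a constructed copy of the SecMon.sys result into a structured summary and applies the rule the thread relies on, that a single-engine hit is a lead to confirm by manual analysis rather than a verdict. The thresholds (one hit is "unconfirmed", a quarter or more of the engines is "likely-malicious") are the example's own assumptions.

```python
"""Multi-engine scan-result triage for pasted Jotti-style output.

Added example for this thread; not code from the thread, from Jotti or
from any scanner named in it. It turns "Engine Found <verdict>" lines into
a summary and rates the result by how many engines agree.
"""
import re
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample modelled on the SecMon.sys result posted in the thread,
# including the forum's bold markup around the ClamAV line.
SAMPLE_REPORT = """
File: SecMon.sys
MD5 a8f45ff0ea96e85dd3233165a4cc78ca
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV *Found Trojan.Rootkit-98*
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

RESULT_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+?)\s*$")
MD5_RE = re.compile(r"^MD5\s+(?P<md5>[0-9a-fA-F]{32})\s*$")


@dataclass
class ScanSummary:
    md5: str = ""
    engines: int = 0
    detections: Dict[str, str] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        """Assumed thresholds: 0 hits clean, 1 hit unconfirmed,
        >= 25% of engines likely-malicious, anything between suspicious."""
        if not self.detections:
            return "clean"
        if len(self.detections) == 1:
            return "unconfirmed"
        if len(self.detections) * 4 >= self.engines:
            return "likely-malicious"
        return "suspicious"


def parse_report(text: str) -> ScanSummary:
    """Parse one file's pasted result block into a ScanSummary."""
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.replace("*", "").strip()  # drop forum bold markup
        m = MD5_RE.match(line)
        if m:
            summary.md5 = m["md5"].lower()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        summary.engines += 1
        if m["verdict"].lower() != "nothing":
            summary.detections[m["engine"]] = m["verdict"]
    return summary


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"md5={s.md5} engines={s.engines} detections={s.detections}")
    print("verdict:", s.verdict)
```

The MD5 is kept because it is the value an analyst pivots on when the file is submitted elsewhere, as happens in the next posts of this thread.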



## Cookiegal (Aug 27, 2003)

I would like to have someone take a closer look at those files so please do this:

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to your desktop. Open it and paste in this list of files; when it has created the archive on your desktop, please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files.

*C:\Documents and Settings\Marianne\SecMon.sys
C:\WINDOWS\rsv.exe
C:\WINDOWS\spysplash.dat
C:\WINDOWS\system32\wiaservc.dll*

Please add a link to your post here so we know where the files came from. Thanks.


----------



## ahoier (Feb 22, 2007)

I've uploaded the requested files to http://www.thespykiller.co.uk/forum/index.php?topic=3700.0

Thanks for the help!


----------



## dvk01 (Dec 14, 2002)

C:\Documents and Settings\Marianne\SecMon.sys ... I suspect is part of spytech spyagent
C:\WINDOWS\rsv.exe ... spam tool for hostgator hosting
C:\WINDOWS\spysplash.dat ... spytech spyagent http://www.spytech-web.com/spyagent.shtml (keylogger)
C:\WINDOWS\system32\wiaservc.dll ... looks like genuine MS file (still image monitor)


----------



## ahoier (Feb 22, 2007)

What is hostgator hosting? Looking it up in Google shows it is a web hosting service, but I've never used it.

In fact, the closest I've gotten to "web hosting" is GooglePages and GeoCities ehehe.

But yea, looking through Clusty results, there are a lot of mentions of rsv.exe, but most in correlation to some bible software and some font software...but one link did stand out, http://forum.grisoft.cz/freeforum/read.php?4,91980,92063 - If I recall, I had a similar .com file within my temporary internet files as well.


----------



## Cookiegal (Aug 27, 2003)

Thanks Derek.


----------



## Cookiegal (Aug 27, 2003)

So did you install spytech spyagent intentionally?

It's not listed in the Add/Remove programs of ComboFix but let's try this anyway:


Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## ahoier (Feb 22, 2007)

No, I didn't install that software, but it's a multi-user system, so I don't know if one of the others did or not.

I know one of them mentioned clicking on a link in an AIM conversation, that linked to a .com file (they aren't very computer literate...) but they couldn't remember what site, or from what "buddy".

Here's the uninstall manager list from HJT:
7-Zip 4.42
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
AIM 6.0
AVG Anti-Spyware 7.5
B.I.S.S. Hosts Manager
BitTorrent 5.0.3
burnatonce
ClamWin Free Antivirus 0.90
Clear Cache feature for Internet Explorer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eDexter(remove only)
FairUse Wizard 2
FrostWire 4.13.1.4 BETA
Gaim (remove only)
Gizmo Plugin
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Video Player
GTK+ Runtime 2.6.9 rev a (remove only)
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
HostsMan 3.0 Beta1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
ImageShack Toolbar for Internet Explorer
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Lexmark 640 Series
Memorex exPressit Label Design Studio
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
MSXML4 Parser
MusicBrainz Tagger 0.10.5
Nero 7
NTI Backup NOW! 4
OpenOffice.org 2.0
OpenPandora 0.6.3
Panda ActiveScan
PeerGuardian 2.0
Photo To Sketch 3.21
Picasa 2
Psi (remove only)
QuickTime Alternative 1.73
Realtek High Definition Audio Driver
Recuva (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
Starcraft
StarCraft X-tra Editor Version 2.5
Tweak UI
Ultima Online 2D
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB931836)
Warcraft II BNE
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Resource Kit Tools
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
XoftSpySE
Yahoo! Messenger


----------



## Cookiegal (Aug 27, 2003)

It would be helpful to post a HijackThis log taken from each of the other user accounts please.


----------



## Cookiegal (Aug 27, 2003)

Also, please do this.

I'm attaching a Fixahoier.zip file to this post. Save it to your desktop. Unzip it and double click the Fixahoier.reg file and allow it to enter into the registry.

Go to *Control Panel* > *Add/Remove programs* and remove the following:

*J2SE Runtime Environment 5.0 Update 6*

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\system32\qlyhus.exe
C:\WINDOWS\system32\togaaq.exe
C:\WINDOWS\system32\iqebur.exe
C:\WINDOWS\rsv.exe
*

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.


----------



## ahoier (Feb 22, 2007)

Looking at that .reg file, is the space between *r* and *s* intentional?

...\Parameter s\...

It seems to have created a new "branch" off of SharedAccess, called Parameter s.

I'll get those HJT logs from the other user accounts.

First one:
Logfile of HijackThis v1.99.1
Scan saved at 2:28:32 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [inadyn] C:\Program Files\inadyn\inadyn.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--768698076.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--768698076.dll/gn_menu2.html
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: *.mylunchmoney.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.yes.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)

Second:
Logfile of HijackThis v1.99.1
Scan saved at 2:27:55 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [inadyn] C:\Program Files\inadyn\inadyn.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6--1737014940.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--768698076.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--768698076.dll/gn_menu2.html
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.ebaystatic.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: http://activex.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)

and then, the third is mine, if you wanna look at that one again:
Logfile of HijackThis v1.99.1
Scan saved at 2:31:28 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clusty.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [inadyn] C:\Program Files\inadyn\inadyn.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: *.f-secure.com
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paygonline.com
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)


----------



## ahoier (Feb 22, 2007)

the only file killbox could kill was rsv.exe, the others said not found.

j2se update 6 is uninstalled.
waiting on a new fixahoier.reg


----------



## Cookiegal (Aug 27, 2003)

Sorry, it's the board software that does that and it's a pain.  

I've attached a new one. Please run this one.

Please export this key. Expand each branch by clicking on the + to their left and then right click on the SharedAccess key and select "export" then save it to your desktop. Copy and paste the contents here please.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

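The export Cookiegal asks for arrives as .reg text whose ImagePath and DependOnService values are hex-encoded UTF-16LE, which is awkward to read by eye. As an added example (not code from the thread or from HijackThis), the Python below parses that format, decodes those values so the service's real ImagePath can be compared with the svchost.exe paths in the HijackThis logs, and splits each Windows Firewall AuthorizedApplications entry into path, scope, state and name; the embedded export is a constructed sample laid out like the thread's.

```python
"""Added example: decode a .reg export of the SharedAccess (Windows Firewall/ICS)
key: rejoin wrapped hex lines, decode hex(2)/hex(7) UTF-16LE values, split firewall entries."""
import re

SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
# Constructed sample export: same key/value layout as the export posted in the
# thread, trimmed to a few values and three firewall exceptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
  6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=value / @=value
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$', re.IGNORECASE)
# Firewall exception value: <path>:<scope>:<Enabled|Disabled>:<display name>
_FW_ENTRY_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$',
    re.IGNORECASE)

def _unescape(s):
    # .reg strings double every backslash and escape embedded quotes.
    return re.sub(r'\\(.)', r'\1', s)

def decode_value(raw):
    """Decode one .reg value: quoted string, dword:, or hex(N): byte list."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if not m:
        return raw                      # unknown syntax: hand back untouched
    kind = int(m.group(1)) if m.group(1) else 3   # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):                  # REG_SZ / REG_EXPAND_SZ: UTF-16LE + NUL
        return data.decode("utf-16-le").rstrip("\0")
    if kind == 7:                       # REG_MULTI_SZ: NUL-separated strings
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: decoded_value}}."""
    lines, pending = [], ""
    for line in text.splitlines():      # rejoin lines wrapped with a trailing '\'
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    reg, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            reg[current][name] = decode_value(m.group(2))
    return reg

def parse_firewall_entry(value):
    """Split 'path:scope:state:name'; the export may spell the state in lowercase."""
    m = _FW_ENTRY_RE.match(value)
    if not m:
        return None
    entry = m.groupdict()
    entry["state"] = entry["state"].capitalize()
    return entry

def firewall_exceptions(reg):
    """All AuthorizedApplications entries, tagged with their firewall profile."""
    out = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\authorizedapplications\list"):
            continue
        profile = key.split("\\")[-3]   # ...\FirewallPolicy\<Profile>\AuthorizedApplications\List
        for value in values.values():
            entry = parse_firewall_entry(value) if isinstance(value, str) else None
            if entry:
                out.append({"profile": profile, **entry})
    return out

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    svc = reg[SHAREDACCESS_KEY]
    print("ImagePath:", svc["ImagePath"], "| DependOnService:", svc["DependOnService"])
    for e in firewall_exceptions(reg):
        print(f'{e["profile"]:16} {e["state"]:8} {e["path"]}  ({e["name"]})')
```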

----------



## ahoier (Feb 22, 2007)

here's the exported key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00000694

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Enabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

That was before importing this new Fixahoier.reg file.

After importing the new fixahoier.reg file, it shows as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00000695

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Enabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


----------



## Cookiegal (Aug 27, 2003)

I'm attaching FixAhoier.zip to fix that extra entry. Run it the same way you did the others.

When you exported that key, had you run the corrected regfix? If so, had you rebooted?


----------



## ahoier (Feb 22, 2007)

No, I did not reboot my system between exporting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess, and merging that previous Fixahoier.reg file posted at 4:34 PM Eastern.

I'll merge this new FixAhoier2.reg file now.


And the .../Parameter s/... entry is gone now


----------



## Cookiegal (Aug 27, 2003)

Would you export the key again please after the reboot as I need to see if some nasty keys we took out are gone.


----------



## ahoier (Feb 22, 2007)

OK, here's what was exported for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:0000069b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Enabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


----------



## ahoier (Feb 22, 2007)

I'd also like to point out that whatever was done, the rootkit revealer scan has come up a lot cleaner now.

It previously had like 8 discrepancies, now it's down to 2...


> HKLM\SECURITY\Policy\Secrets\SAC*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)
> HKLM\SECURITY\Policy\Secrets\SAI*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)


Compared to the previous:


> HKLM\SECURITY\Policy\Secrets\SAC*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)
> HKLM\SECURITY\Policy\Secrets\SAI*	9/13/2005 4:14 PM	0 bytes	Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunAppBk	2/26/2007 3:44 PM	38 bytes	Hidden from Windows API.
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BaseWinOptions	9/13/2005 8:51 AM	0 bytes	Hidden from Windows API.
> ...


----------



## Cookiegal (Aug 27, 2003)

There are still some files with firewall access that did not get deleted so please run the attached Fixahoier.reg file as you did the others. Then reboot and export the sharedaccess key again please.


----------



## ahoier (Feb 22, 2007)

ok, after the reboot, here's the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess export:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:000006a5

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:Enabled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Enabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

It looks like the forum is putting the S on a new line, but it's not like that in my .reg file...I'll attach it below, with a .txt extension.

Looking back up at the exported entries,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enable dxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:En abled:Server"
"C:\\WINDOWS\\system32\\togaaq.exe"="C:\\WINDOWS\\system32\\togaaq.exe:*:En abled:Server"
"C:\\WINDOWS\\system32\\iqebur.exe"="C:\\WINDOWS\\system32\\iqebur.exe:*:En abled:Server"

are still listed.

Can I go into regedit, and just manually remove those entries by right clicking and deleting the entries for
C:\WINDOWS\system32\togaaq.exe:*:Enabled:Server
C:\WINDOWS\system32\qlyhus.exe:*:Enabled:Server
C:\WINDOWS\system32\iqebur.exe:*:Enabled:Server

from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List?

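The back-and-forth above consists of comparing SharedAccess exports by eye to see whether the three firewall exceptions for the `system32` binaries with the bare description "Server" are still present. The following Python is an added example, not code from the thread or from any tool named in it: it parses the `.reg` export syntax shown above (key headers, escaped string values, `dword:`, and `hex(N):` data wrapped over continuation lines, which it decodes from UTF-16LE so `ImagePath` and `DependOnService` read as text), then audits every `AuthorizedApplications\List` under `FirewallPolicy` (the `DomainProfile` and `StandardProfile` names come from the exports on this page). The triage rule is my own heuristic: an enabled exception for an executable under the Windows directory whose description is free text rather than an `@dll,-id` resource string is worth a look, and a generic description such as "Server" ranks high. The sample export embedded below is constructed from a trimmed copy of the entries posted above.

```python
"""Added example (not from the thread): parse a regedit .reg export and audit the firewall exception lists in it."""
import re

# Constructed sample, trimmed from the kind of SharedAccess export posted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\qlyhus.exe"="C:\\WINDOWS\\system32\\qlyhus.exe:*:Enabled:Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')       # "name"=... or @=...
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$', re.I)             # hex(2):25,00,...
_LIST_RE = re.compile(r'\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List$', re.I)
GENERIC_DESCRIPTIONS = {"server", "client", "service", "application"}  # heuristic, my choice

def logical_lines(text):
    """Join hex data continuations (lines ending in a comma and backslash) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith(",\\"):
            buf = line[:-1]  # keep the comma, drop the continuation backslash
            continue
        buf = ""
        yield line
    if buf:
        yield buf

def parse_value(raw):
    """Decode a right-hand side: quoted string, dword:, or hex(N): bytes (text types as UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo the \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind not in (1, 2, 7):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ carry UTF-16LE text
        return data
    text = data.decode("utf-16-le").rstrip("\x00")
    return text.split("\x00") if kind == 7 else text

def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else re.sub(r'\\(.)', r'\1', m.group(1))
            keys[current][name] = parse_value(m.group(2))
    return keys

def firewall_exceptions(reg):
    """Yield one dict per AuthorizedApplications\\List entry across all profiles."""
    for key, values in reg.items():
        m = _LIST_RE.search(key)
        if not m:
            continue
        for name, val in values.items():
            # Layout: <path>:<scope>:<Enabled|Disabled>:<description>. The path holds
            # "C:" itself, so peel it off using the value name as the expected prefix.
            ok = isinstance(val, str) and val.lower().startswith(name.lower() + ":")
            fields = (val[len(name) + 1:].split(":", 2) + ["", ""])[:3] if ok else ["", "", ""]
            yield {"profile": m.group(1), "path": name, "scope": fields[0],
                   "state": fields[1], "description": fields[2], "mismatch": not ok}

def audit_exceptions(reg):
    """Flag enabled exceptions for Windows-directory binaries with free-text descriptions."""
    findings = []
    for e in firewall_exceptions(reg):
        p = e["path"].lower()
        in_windows = p.startswith(("%windir%", "%systemroot%")) or "\\windows\\" in p
        if e["mismatch"]:  # value path differs from value name: always worth a look
            findings.append({**e, "severity": "high"})
        elif e["state"].lower() == "enabled" and in_windows and not e["description"].startswith("@"):
            generic = e["description"].strip().lower() in GENERIC_DESCRIPTIONS
            findings.append({**e, "severity": "high" if generic else "review"})
    return findings

def diff_exceptions(before, after):
    """Exceptions present in an export taken before a fix: (gone afterwards, still present)."""
    b = {(e["profile"], e["path"]) for e in firewall_exceptions(before)}
    a = {(e["profile"], e["path"]) for e in firewall_exceptions(after)}
    return sorted(b - a), sorted(b & a)
```

Run `audit_exceptions(parse_reg(open("export.reg", encoding="utf-16").read()))` on an export saved by regedit (which writes UTF-16) to get the flagged entries; `diff_exceptions(parse_reg(before), parse_reg(after))` answers the question asked repeatedly in this thread, namely which exceptions a fix actually removed and which survived the reboot. A value that does not start with its own name is reported regardless of state, since the two are expected to match in a healthy list.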

----------



## Cookiegal (Aug 27, 2003)

Yes, you can do that if you're comfortable but let's make a back-up of the registry first.

Go to Start > Run
Type:
*regedit*
Click OK.
On the left side, click to highlight *My Computer* at the top. 
Go up to "*File > Export*"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put *backup*

Choose to save it to *C:\* or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

You may have a program running that's blocking registry changes so please post a new HijackThis log as well.


----------



## ahoier (Feb 22, 2007)

here's the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:18:19 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\inadyn\inadyn.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clusty.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (filesize 440056 bytes, MD5 38C5BE22267A9236E79B1401B5D71D04)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (filesize 2403392 bytes, MD5 6319F2D4708DBCAE37CFA03DA10782C0)
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll (filesize 507904 bytes, MD5 9E35696F5ADCBA66B2F4FC66AA97E022)
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exeC:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime (filesize 282624 bytes, MD5 FA7EB9AFF3D726A6BF0494BEE7E378F6)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exeC:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKCU\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (filesize 73728 bytes, MD5 673C4FE1F896C52F2191C9586C892093)
O4 - Startup: eDexter.exe.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe (filesize 188416 bytes, MD5 3DB45D6F5EDCA42EC07D35AEBB166E14)
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll (filesize 75528 bytes, MD5 3B3F6984DBF972DAFF1B7E9C44E2FE75)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll (filesize 75528 bytes, MD5 3B3F6984DBF972DAFF1B7E9C44E2FE75)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.aim.com
O15 - Trusted Zone: *.amazon.com
O15 - Trusted Zone: *.search.aol.com
O15 - Trusted Zone: *.aol.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: *.arin.net
O15 - Trusted Zone: *.ask.com
O15 - Trusted Zone: *.att.com
O15 - Trusted Zone: *.bbzspace.com
O15 - Trusted Zone: *.bellsouth.net
O15 - Trusted Zone: *.blogger.com
O15 - Trusted Zone: *.blogspot.com
O15 - Trusted Zone: *.brev.org
O15 - Trusted Zone: *.brevardcc.edu
O15 - Trusted Zone: *.brevard.cc.fl.us
O15 - Trusted Zone: *.cdcovers.cc
O15 - Trusted Zone: *.chacha.com
O15 - Trusted Zone: *.changenotes.com
O15 - Trusted Zone: *.cingular.com
O15 - Trusted Zone: *.countylinesaloon.com
O15 - Trusted Zone: http://www.crossengine.com
O15 - Trusted Zone: *.defianceuo.com
O15 - Trusted Zone: *.digg.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.easyuo.com
O15 - Trusted Zone: *.ehow.com
O15 - Trusted Zone: *.ercim.org
O15 - Trusted Zone: *.f-secure.com
O15 - Trusted Zone: feeds.feedburner.com
O15 - Trusted Zone: *.frappr.com
O15 - Trusted Zone: *.furl.net
O15 - Trusted Zone: *.fuse.tv
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: *.ma.gnolia.com
O15 - Trusted Zone: *.froogle.google.com
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.googlepages.com
O15 - Trusted Zone: *.I
O15 - Trusted Zone: *.ilike.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O15 - Trusted Zone: *.imageshack.us
O15 - Trusted Zone: *.k12.fl.us
O15 - Trusted Zone: *.koolim.com
O15 - Trusted Zone: *.last.fm
O15 - Trusted Zone: *.lavasoftusa.com
O15 - Trusted Zone: *.lifehacker.com
O15 - Trusted Zone: *.lijit.com
O15 - Trusted Zone: click.linksynergy.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: http://*.localhost
O15 - Trusted Zone: *.lockergnome.com
O15 - Trusted Zone: *.lostinthecrowd.org
O15 - Trusted Zone: *.lyriki.com
O15 - Trusted Zone: *.meebo.com
O15 - Trusted Zone: http://www.megarotic.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.mit.edu
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.mtv.com
O15 - Trusted Zone: *.mtve.com
O15 - Trusted Zone: *.musicovery.com
O15 - Trusted Zone: *.myspace.com
O15 - Trusted Zone: *.myway.com
O15 - Trusted Zone: *.netlibrary.com
O15 - Trusted Zone: *.netvibes.com
O15 - Trusted Zone: *.notepad.org
O15 - Trusted Zone: *.on10.net
O15 - Trusted Zone: *.opendns.com
O15 - Trusted Zone: *.orkut.com
O15 - Trusted Zone: *.orock1059.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.pandora.com
O15 - Trusted Zone: *.parlophone.co.uk
O15 - Trusted Zone: *.passport.net
O15 - Trusted Zone: *.paygonline.com
O15 - Trusted Zone: *.phishtank.com
O15 - Trusted Zone: *.photobucket.com
O15 - Trusted Zone: *.pornotube.com
O15 - Trusted Zone: *.projectplaylist.com
O15 - Trusted Zone: *.redhotchilipeppers.com
O15 - Trusted Zone: *.resize2mail.com
O15 - Trusted Zone: *.rssfwd.com
O15 - Trusted Zone: *.runuo.com
O15 - Trusted Zone: *.screenname.com
O15 - Trusted Zone: http://www.sexuploader.com
O15 - Trusted Zone: *.songbirdnest.com
O15 - Trusted Zone: *.sonicnet.com
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.thejosher.net
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.tunefind.com
O15 - Trusted Zone: *.U
O15 - Trusted Zone: *.unicru.com
O15 - Trusted Zone: *.w3.org
O15 - Trusted Zone: *.wallop.com
O15 - Trusted Zone: *.webwag.com
O15 - Trusted Zone: *.wikihow.com
O15 - Trusted Zone: *.wjrr.com
O15 - Trusted Zone: *.worldcatlibraries.org
O15 - Trusted Zone: *.xmpp.net
O15 - Trusted Zone: *.yahoo.com
O15 - Trusted Zone: *.yes.com
O15 - Trusted Zone: *.youtube.com
O15 - Trusted IP range: 207.203.64.103
O15 - Trusted IP range: 207.203.64.242
O15 - Trusted IP range: http://207.203.64.242
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161890076781
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} - http://entimg.msn.com/client/msnediag4716.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4716.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A47C71B-154D-403F-A857-123BF517E7B6}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B496639E-7F43-41DA-98F6-6724B42468B5}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7EA7661-9F50-4BAA-BB4C-EF86AAA388C0}: NameServer = 205.152.144.23,205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34FC63B-69A2-4956-B5DD-2E6F9FD5E727}: NameServer = 205.152.144.23,205.152.37.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dllC:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllC:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exeC:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)

I guess you could check that log out...in the meantime, I'm going to reboot. I just removed the entries by right-clicking and deleting the 3 objects. I'll see if they're gone after the reboot.
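As an added example (not from the thread or from HijackThis itself), here is a small Python triage of the O23 service lines above. It pulls out the same things a helper reading the log looks for first: a service with no publisher, an image path under a Temp folder, a missing binary, and a random-looking all-caps name (that last check is a heuristic of mine, not something HJT reports). The sample lines are copied from the log; the regular expression for the O23 layout is my assumption based on those lines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: O23 lines copied from the HijackThis log above
# (two ordinary services plus the three that were removed).
SAMPLE_O23 = r"""
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QV - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\QV.exe (file missing)
O23 - Service: TBSRKKWFMQ - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TBSRKKWFMQ.exe (file missing)
O23 - Service: TUSIWHXDNYCGWJE - Unknown owner - C:\DOCUME~1\z'Adam\LOCALS~1\Temp\TUSIWHXDNYCGWJE.exe (file missing)
"""

# Assumed HJT O23 layout:
# "O23 - Service: <display name> - <owner> - <image path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?: \((?P<note>file missing)\))?$"
)


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split one O23 line into its fields, or None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("note") is not None,
    }


def service_flags(svc: Dict[str, object]) -> List[str]:
    """Reasons a reviewer would look twice at this service (empty = nothing odd)."""
    flags: List[str] = []
    if svc["owner"] == "Unknown owner":
        flags.append("no publisher")
    # Services normally live under system32 or Program Files, not a Temp folder
    if re.search(r"\\temp\\", str(svc["path"]), re.IGNORECASE):
        flags.append("image under a Temp folder")
    if svc["missing"]:
        flags.append("binary missing")
    # Heuristic (my assumption): 8+ uppercase letters with no readable structure
    if re.fullmatch(r"[A-Z]{8,}", str(svc["name"])):
        flags.append("random-looking name")
    return flags


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (service name, flags) for every flagged O23 entry, in log order."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        flags = service_flags(svc)
        if flags:
            findings.append((str(svc["name"]), flags))
    return findings


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_O23):
        print(f"{name}: {', '.join(flags)}")
```

Run against the sample, only the three Temp-folder services come back, each with "no publisher", "image under a Temp folder" and "binary missing"; the two longer names also trip the random-name heuristic. The two legitimate services produce no flags.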


----------



## ahoier (Feb 22, 2007)

here's the new export of that SharedAccess key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:000006ac

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Ultima Online 2D\\Client.exe"="C:\\Program Files\\Ultima Online 2D\\Client.exe:*:Enabled:Client"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\WINDOWS\\System32\\usmt\\migwiz.exe"="C:\\WINDOWS\\System32\\usmt\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\System32\\javaw.exe"="C:\\WINDOWS\\System32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:Psi"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\System32\\LEXPPS.EXE"="C:\\WINDOWS\\System32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\UOAM\\uoam.exe"="C:\\Program Files\\UOAM\\uoam.exe:*:Disabled:Ultima Online's premier mapping tool."
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
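Reading an export like this by eye is error-prone, so here is an added Python example (mine, not from the thread or from Windows) that parses the SharedAccess firewall policy out of a .reg file and lists only the exceptions that actually open something: AuthorizedApplications entries whose data is laid out as `<path>:<scope>:<Enabled|Disabled>:<description>` and GloballyOpenPorts entries laid out as `<port>:<proto>:<scope>:<Enabled|Disabled>:<description>`, with `*` meaning any remote address and `LocalSubNet` the local subnet. The sample below is constructed from a few of the export's own entries, written the way regedit writes them (backslashes doubled) and with the `:Disabled:@` fields that the forum turned into smileys restored; the section-name matching is my assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in regedit export format, built from entries in the
# thread's SharedAccess export (forum-mangled ":Disabled:@" fields restored).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\System32\\ftp.exe"="C:\\WINDOWS\\System32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008"
"""

# One "name"=data line; the name may contain escaped quotes/backslashes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # regedit escapes backslashes and double quotes inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _parse_value(line: str) -> Optional[Tuple[str, object]]:
    m = VALUE_RE.match(line)
    if not m:
        return None
    name, data = _unescape(m.group("name")), m.group("data")
    if data.startswith("dword:"):
        return name, int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return name, _unescape(data[1:-1])
    return name, data  # hex(...) and other types are kept raw


def parse_firewall_reg(text: str) -> Dict[str, object]:
    """Collect EnableFirewall plus the app and port exception lists from a .reg export."""
    policy: Dict[str, object] = {"enable_firewall": None, "apps": [], "ports": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new key; remember where we are
            continue
        parsed = _parse_value(line)
        if parsed is None:
            continue
        name, data = parsed
        if section.endswith(r"\FirewallPolicy\StandardProfile") and name == "EnableFirewall":
            policy["enable_firewall"] = bool(data)
        elif section.endswith(r"\AuthorizedApplications\List"):
            # data layout: <path>:<scope>:<Enabled|Disabled>:<description>
            data = str(data)
            rest = data[len(name) + 1:] if data.startswith(name + ":") else data
            scope, state, desc = rest.split(":", 2)
            policy["apps"].append({"path": name, "scope": scope, "state": state, "desc": desc})
        elif section.endswith(r"\GloballyOpenPorts\List"):
            # data layout: <port>:<proto>:<scope>:<Enabled|Disabled>:<description>
            port, proto, scope, state, desc = str(data).split(":", 4)
            policy["ports"].append({"port": int(port), "proto": proto, "scope": scope,
                                    "state": state, "desc": desc})
    return policy


def enabled_exceptions(policy: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Only entries whose state is Enabled actually open a hole; Disabled ones are inert."""
    apps = [a["path"] for a in policy["apps"] if a["state"].lower() == "enabled"]
    ports = [f'{p["port"]}/{p["proto"]} ({p["scope"]})' for p in policy["ports"]
             if p["state"].lower() == "enabled"]
    return apps, ports


if __name__ == "__main__":
    pol = parse_firewall_reg(SAMPLE_REG)
    print("firewall on:", pol["enable_firewall"])
    apps, ports = enabled_exceptions(pol)
    print("enabled program exceptions:", apps)
    print("enabled port exceptions:", ports)
```

The state comparison is case-insensitive because the DomainProfile entry in the export spells it `enabled` while the StandardProfile ones use `Enabled`. On the sample, the firewall is on, mirc.exe and ftp.exe are the open program exceptions (scope `*`, i.e. any address), and both UPnP ports are disabled.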


----------



## Cookiegal (Aug 27, 2003)

That looks good.

Did you enter those file sizes and MD5s beside entries in your HijackThis log yourself?


----------



## ahoier (Feb 22, 2007)

nope. I let HJT do it, just in case hehe. In the Config area, Misc. section down at the bottom, I toggled those options on for MD5 hash and environment variables.

As far as the other HJT logs, that were posted in Post #27, did those show clean?

Overall, it seems a lot better...I mean, I never have had many problems with this box performance-wise or anything; it's fairly new, I just got it in August '06, so it's only a couple months old...but yea, like outa nowhere, I was getting BSODs when logging out, users logging in, etc...so I figured it's time to investigate lol.


----------



## Cookiegal (Aug 27, 2003)

Yes, but I have not checked all of the entries in the trusted zone as you told me you put them all there intentionally (and they keep changing).

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

*Empty the recycle bin*.


----------



## ahoier (Feb 22, 2007)

yep, the Trusted Zone is all my doing. I personally only run in High security on my account...it's the other accounts that are lax on the security zone. But yea, I hooked them up with SpywareBlaster's restricted and cookie block settings.

But yea, I'll go flush the System Restore points.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## ahoier (Feb 22, 2007)

alright. All cleared out, and system restore point has been set.


----------



## Cookiegal (Aug 27, 2003)

Sounds good. Happy computing.


----------



## ahoier (Feb 22, 2007)

Well, it's running great now. Anyways...reason I'm back...I was looking through some index.dat files that I found around my computer...and I think I found what may/could have caused this whole thing...

hxxp://thecps.org.uk/mambots/content/rsp.com rsp[1].com HTTP/1.1 200 OK
ETag: "95400e-c800-45dbc1ae"
Content-Length: 51200
Content-Type: text/plain

hxxp://thecps.org.uk/mambots/content/rsv.com rsv[1].com HTTP/1.1 200 OK
ETag: "95400c-c800-45dccf90"
Content-Length: 51200
Content-Type: text/plain

hxxp://www.south-bristol-buddhist-meditation.org.uk/media/pvc.exe pvc[1].exe HTTP/1.1 200 OK
ETag: "1114b73-2f000-45df577a"
Content-Length: 192512
Content-Type: application/octet-stream

rsp.com? I think I had rsp.exe stuck in processes for a while if I remember...hehe.

How can I safely download these (save them) and get them uploaded to virustotal and clamav.net?

Edit: Right click and Save target as, looks like all 3 of those sites are down/not available...and 2 of the 3 seem to be affiliated with the previously mentioned "Hostgator"..


----------



## dvk01 (Dec 14, 2002)

Those sites were hacked sites that were discovered a little while ago, and we managed to get the owners to clean them up, so the files no longer exist, and we hope the vulnerabilities that allowed them to be hacked have been fixed.


----------



## ahoier (Feb 22, 2007)

Glad to hear it. I was hoping I could download the files and send them to virustotal and clamav.net to get analyzed and added to the respective database(s) if necessary; since, as I recall, many of the "questionable" files I submitted during my period of problems came up clean/not infected (but possibly could have been).

I know my sister said she clicked on some "free cellphone ringtones and wallpapers" type message in an AIM message, and those URLs (specifically the ones linking to .com files...) did look familiar to the ones I saw mentioned in her IE History.


----------

