please help! under the malicious attack of malware :(



proview
2006-07-15, 02:06
Hello, and thank you in advance for your help.
About a year ago I was able to solve my problem with S&D and HijackThis thanks to reading archives on this forum, but this time I seem to be facing something more sinister.

Below is my log. I am also having trouble with Command Service on S&D.
Thanks again in advance; any help I will greatly appreciate.
rod

Logfile of HijackThis v1.99.1
Scan saved at 6:01:05 PM, on 7/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ssn6tuu.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nr1rnqm8.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\use\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cwqmb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mrxqlcf.exe
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\System32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O4 - HKLM\..\Run: [orzc06f1] RUNDLL32.EXE w0037790.dll,n 001c06f0000000030037790
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0840ddc446ebc1d9bc04/netzip/RdxIE601.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
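
As an added example (not part of the thread), a small Python checker that applies the rules a helper applies when reading a HijackThis log like the one above: F2 Shell/UserInit values that differ from the Windows XP defaults, O2/O20 entries pointing at files that no longer exist, O18 MIME filter hooks, and any file referenced by more than one hook (here x3cqp0.dll is both a BHO and a text/html filter). The sample lines are copied from the posted log; the default values and the rule set are assumptions of this example, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Assumed clean Windows XP winlogon values as HijackThis prints them in F2 lines.
EXPECTED_F2 = {"shell": "explorer.exe",
               "userinit": r"c:\windows\system32\userinit.exe,"}

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cwqmb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mrxqlcf.exe
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\System32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\System32\ssn6tuu.exe"
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\en0sl1d71.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[FRO]\d+) - (?P<body>.*)$")
F2_RE = re.compile(r"REG:system\.ini: (\w+)=(.*)")
# A drive-letter path ending in .dll or .exe; spaces are allowed, quotes are not.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:dll|exe)\b", re.I)


def analyse(log_text):
    """Return a list of (entry code, message) findings for a HijackThis log."""
    findings = []
    refs = defaultdict(set)  # lower-cased file path -> entry codes that load it
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            f2 = F2_RE.match(body)
            if f2 and f2.group(1).lower() in EXPECTED_F2:
                key, value = f2.group(1).lower(), f2.group(2).strip()
                if value.lower() != EXPECTED_F2[key]:
                    findings.append((code, f"{key} differs from default: {value}"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but file missing: " + body))
        elif code == "O18":
            # A MIME filter sees every HTML response; legit ones are rare on XP.
            findings.append((code, "MIME filter hook: " + body))
        elif code == "O20" and "(file missing)" in body:
            findings.append((code, "Winlogon Notify to missing file: " + body))
        for path in PATH_RE.findall(body):
            refs[path.lower()].add(code)
    # One file wired into several hooks is a strong sign of a single component.
    for path, codes in refs.items():
        if len(codes) > 1:
            findings.append(("XREF", f"{path} referenced by {sorted(codes)}"))
    return findings


if __name__ == "__main__":
    for code, msg in analyse(SAMPLE_LOG):
        print(f"[{code}] {msg}")
```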

Rawe
2006-07-15, 11:33
Welcome :)

Download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

proview
2006-07-19, 17:03
Thank you, Rawe.
Below is the log combofix generated:

Start Time= Wed 07/19/2006 8:53:49.54
Running from: C:\Documents and Settings\use\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{D322F024-6308-42FA-A92C-8B56714E43A3}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D322F024-6308-42FA-A92C-8B56714E43A3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{D322F024-6308-42FA-A92C-8B56714E43A3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{D322F024-6308-42FA-A92C-8B56714E43A3}\InprocServer32]
@="C:\\WINDOWS\\system32\\kldla.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

8:55:53.15

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\use\Application Data\Sskcwrd.dll
C:\Documents and Settings\use\Application Data\Sskknwrd.dll
C:\Documents and Settings\use\Application Data\Sskuknwrd.dll
C:\Documents and Settings\use\Local Settings\Temporary Internet Files\Ssk.log


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



8:57:39.84
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\teller2.chk
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-19 08:57 <DIR> C:\Program Files\common files
2006-07-19 08:28 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-19 08:27 <DIR> C:\Program Files\mozilla firefox
2006-07-18 09:02 <DIR> C:\Program Files\windowsupdate
2006-07-17 19:07 69 C:\WINDOWS\nerodigital.ini
2006-07-16 08:40 <DIR> C:\Program Files\Common Files\{8cf908a4-0570-1033-0903-030128030001}
2006-07-15 00:42 1,063 C:\WINDOWS\system32\orzc06f1.sys
2006-07-14 22:47 61,440 C:\WINDOWS\system32\orzc06f1.dll
2006-07-14 22:47 434 C:\WINDOWS\kigps.dll
2006-07-14 17:34 <DIR> C:\Program Files\Common Files\fiwu
2006-07-14 16:47 <DIR> C:\Program Files\lavasoft
2006-07-14 16:47 <DIR> C:\Documents and Settings\use\Application Data\lavasoft
2006-07-14 16:37 298,840 C:\silent runners.vbs
2006-07-14 10:28 <DIR> C:\Program Files\partypoker
2006-07-14 10:22 2 C:\WINDOWS\system32\wnsintcc.exe
2006-07-14 10:21 38,412 C:\WINDOWS\ssqbn.exe
2006-07-14 10:19 48,167 C:\WINDOWS\system32\vsl05.exe
2006-07-14 10:18 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-14 10:16 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-14 10:02 104 C:\WINDOWS\system32\attfd42.dll
2006-07-05 12:35 <DIR> C:\Documents and Settings\use\Application Data\microsoft
2006-07-05 12:32 <DIR> C:\Program Files\final draft 6
2006-07-05 12:32 <DIR> C:\Documents and Settings\use\Application Data\final draft
2006-07-05 12:30 <DIR> C:\Program Files\Common Files\wise installation wizard
2006-06-25 18:11 <DIR> C:\Program Files\aoa dvd ripper
2006-06-25 18:04 <DIR> C:\Documents and Settings\use\Application Data\ahead
2006-06-25 17:54 <DIR> C:\Program Files\amadis dvd ripper
2006-06-20 18:16 <DIR> C:\Program Files\slysoft
2006-06-19 11:39 <DIR> C:\Program Files\installshield installation information
2006-06-19 11:39 <DIR> C:\Program Files\ifoxsoft
2006-06-19 10:16 <DIR> C:\Program Files\Common Files\symantec shared
2006-06-15 16:18 6,656 C:\WINDOWS\system32\pndx5016.dll
2006-06-15 16:18 5,632 C:\WINDOWS\system32\pndx5032.dll
2006-06-15 16:18 176,167 C:\WINDOWS\system32\rmoc3260.dll
2006-06-15 16:18 <DIR> C:\Program Files\Common Files\xing shared
2006-06-15 16:18 <DIR> C:\Program Files\Common Files\real
2006-06-15 16:17 278,528 C:\WINDOWS\system32\pncrt.dll
2006-06-15 11:36 <DIR> C:\Program Files\java
2006-06-15 11:27 <DIR> C:\Program Files\Common Files\java
2006-06-12 10:13 439,376 C:\WINDOWS\system32\perfstringbackup.ini
2006-06-01 12:03 7,075 C:\WINDOWS\hpdj5800.ini
2006-06-01 12:01 478 C:\WINDOWS\hpbvspst.ini
2006-06-01 12:01 <DIR> C:\Program Files\hewlett-packard
2006-05-30 17:09 24,576 C:\WINDOWS\uninstall.exe
2006-05-16 02:38 499,712 C:\WINDOWS\system32\msvcp71.dll
2006-05-16 02:38 348,160 C:\WINDOWS\system32\msvcr71.dll
2006-05-14 03:13 98,304 C:\WINDOWS\system32\polstore.dll
2006-05-14 03:13 364,544 C:\WINDOWS\system32\ipsmsnap.dll
2006-05-14 03:13 334,848 C:\WINDOWS\system32\ipsecsnp.dll
2006-05-14 03:13 29,184 C:\WINDOWS\system32\winipsec.dll
2006-05-14 03:13 257,536 C:\WINDOWS\system32\oakley.dll
2006-05-14 03:13 159,744 C:\WINDOWS\system32\ipsecsvc.dll
2006-05-13 23:51 <DIR> C:\Program Files\divx
2006-05-06 20:23 <DIR> C:\Program Files\discovery multimedia
2006-04-30 17:34 <DIR> C:\Program Files\outlook express
2006-04-30 17:34 <DIR> C:\Program Files\Common Files\system
2006-04-30 00:50 <DIR> C:\Program Files\flydvdripper
2006-04-29 22:53 14,848 C:\WINDOWS\system32\bassmod.dll
2006-04-29 19:27 <DIR> C:\Program Files\xmpeg 4.2a
2006-04-29 19:27 <DIR> C:\Program Files\mpeg mediator
2006-04-29 19:27 <DIR> C:\Program Files\flaskmpeg
2006-04-29 19:27 <DIR> C:\Program Files\dvdx
2006-04-29 19:26 <DIR> C:\Program Files\dvdx20
2006-04-29 19:22 <DIR> C:\Program Files\divx5pro
2006-04-19 00:51 <DIR> C:\Program Files\daemon tools
2006-04-08 13:17 <DIR> C:\Program Files\snood
2006-04-08 00:35 <DIR> C:\Program Files\Common Files\ahead
2006-04-08 00:34 <DIR> C:\Program Files\nero
2006-04-08 00:30 <DIR> C:\Documents and Settings\use\Application Data\macromedia
2006-04-08 00:28 <DIR> C:\Program Files\Common Files\macromedia
2006-04-08 00:26 <DIR> C:\Program Files\macromedia
2006-03-25 03:45 <DIR> C:\Program Files\real
2006-03-24 20:05 <DIR> C:\Documents and Settings\use\Application Data\dvdcss
2006-03-24 19:56 <DIR> C:\Program Files\no1 dvd ripper
2006-03-18 02:15 <DIR> C:\Documents and Settings\use\Application Data\sun
2006-03-01 03:15 <DIR> C:\Program Files\winrar
2006-02-26 12:17 <DIR> C:\Program Files\messenger
2006-02-26 12:13 <DIR> C:\Program Files\netmeeting
2006-02-26 12:06 <DIR> C:\Program Files\windows media player
2006-02-19 21:59 <DIR> C:\Program Files\symantec
2006-01-22 00:47 <DIR> C:\Documents and Settings\use\Application Data\real
2006-01-21 19:54 <DIR> C:\Program Files\rhapsody
2006-01-14 23:56 <DIR> C:\Documents and Settings\use\Application Data\adobe
2006-01-08 04:53 <DIR> C:\Program Files\acoustica mp3 audio mixer
2006-01-08 03:30 <DIR> C:\Documents and Settings\use\Application Data\apple computer
2006-01-08 02:03 <DIR> C:\Program Files\quicktime
2006-01-04 22:49 <DIR> C:\Program Files\spybot - search & destroy
2006-01-04 21:34 <DIR> C:\Program Files\norton antivirus
2006-01-04 04:14 <DIR> C:\Documents and Settings\use\Application Data\mozilla
2006-01-04 03:34 <DIR> C:\Program Files\hp
2006-01-02 02:25 <DIR> C:\Program Files\eurotalk
2006-01-02 02:25 <DIR> C:\Documents and Settings\use\Application Data\eurotalk
2006-01-01 19:56 <DIR> C:\Program Files\Common Files\adobe
2006-01-01 19:56 <DIR> C:\Program Files\adobe
2005-12-25 22:44 <DIR> C:\Program Files\Common Files\installshield
2005-12-24 13:08 <DIR> C:\Program Files\internet explorer
2005-12-15 22:05 <DIR> C:\Documents and Settings\use\Application Data\roxio
2005-12-06 23:29 <DIR> C:\Program Files\yahoo!
2005-12-06 22:46 <DIR> C:\Program Files\Common Files\designer
2005-12-06 22:43 <DIR> C:\Program Files\microsoft office
2005-12-06 22:43 <DIR> C:\Program Files\microsoft frontpage
2005-12-06 22:43 <DIR> C:\Documents and Settings\use\Application Data\microsoft web folders
2005-12-05 01:41 <DIR> C:\Program Files\symnetdrv
2003-05-22 09:16 <DIR> C:\Program Files\wlan
2003-03-20 09:25 <DIR> C:\Program Files\cyberlink
2003-03-18 02:24 <DIR> C:\Program Files\microsoft works
2003-03-18 02:09 <DIR> C:\Program Files\Common Files\adaptec shared
2003-03-18 02:08 <DIR> C:\Program Files\roxio
2003-03-18 01:58 <DIR> C:\Documents and Settings\use\Application Data\symantec
2003-03-18 01:52 <DIR> C:\Documents and Settings\use\Application Data\intertrust
2003-03-18 01:47 <DIR> C:\Program Files\movie maker
2003-03-18 01:46 <DIR> C:\Program Files\eurotool
2003-03-18 01:45 <DIR> C:\Program Files\windows journal viewer
2003-03-15 12:56 <DIR> C:\Program Files\via technologies, inc
2003-03-15 12:51 <DIR> C:\Program Files\s3
2003-03-15 12:42 <DIR> C:\Program Files\synaptics
2003-03-15 12:20 <DIR> C:\Program Files\uninstall information
2003-03-15 12:14 <DIR> C:\Program Files\xerox
2003-03-15 12:14 <DIR> C:\Documents and Settings\use\Application Data\identities
2003-03-15 12:11 <DIR> C:\Program Files\online services
2003-03-15 12:10 <DIR> C:\Program Files\Common Files\services
2003-03-15 12:10 <DIR> C:\Program Files\Common Files\mssoap
2003-03-15 12:08 <DIR> C:\Program Files\msn
2003-03-15 12:07 <DIR> C:\Program Files\windows nt
2003-03-15 12:07 <DIR> C:\Program Files\msn gaming zone
2003-03-15 04:02 <DIR> C:\Program Files\Common Files\speechengines
2003-03-15 04:02 <DIR> C:\Program Files\Common Files\odbc


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-18 09:02 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-14 22:47 61,440 C:\WINDOWS\system32\orzc06f1.dll
2006-07-14 16:37 298,840 C:\Silent
2006-07-14 10:22 2 C:\WINDOWS\system32\wnsintcc.exe
2006-07-14 10:21 38,412 C:\WINDOWS\ssqbn.exe
2006-07-14 10:20 1,063 C:\WINDOWS\system32\orzc06f1.sys
2006-07-14 10:19 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-14 10:19 434 C:\WINDOWS\kigps.dll
2006-07-14 10:18 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-14 10:18 360,000 C:\WINDOWS\frxjbgz.exe
2006-07-13 02:59 104 C:\WINDOWS\system32\attfd42.dll
2006-06-25 17:53 67 C:\WINDOWS\Amadis
2006-06-19 11:24 45,056 C:\WINDOWS\system32\Wnaspi32.dll
2006-06-19 11:24 0 C:\WINDOWS\AoADVDRipper.INI
2006-06-19 10:23 208,896 C:\WINDOWS\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"orzc06f1"="RUNDLL32.EXE w0037790.dll,n 001c06f0000000030037790"
"Configuration Manager"="C:\\WINDOWS\\cfg32.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSEnv\\envupd.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{8CF908A4-0570-1033-0903-030128030001}"="\"C:\\Program Files\\Common Files\\{8CF908A4-0570-1033-0903-030128030001}\\Update.exe\" mc-110-12-0000360"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=dword:00000000
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 07/19/2006 8:57:47.75
ComboFix ver 06.07.19.2 - This logfile is located at C:\ComboFix.txt


Rawe
2006-07-19, 17:29
Please print these instructions out, or write them down, as you can't read them during the fix.

Run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results.

tashi
2006-07-24, 10:05
proview, still with us?

tashi
2006-07-28, 16:05
This topic is closed due to lack of a response to helper.

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.