where do I begin? HELP!!
alehouserock
2006-07-22, 09:48
Here's what I've got:
Logfile of HijackThis v1.99.1
Scan saved at 11:22:48 PM, on 7/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ssn6tuu.exe
C:\dfndred_7.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\kybrded_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win3208352-1065141.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\WINDOWS\cfg32.exe
C:\nwnmed_7.exe
C:\Program Files\Common Files\{C0833B98-0952-1033-1022-020816020001}\Update.exe
C:\Program Files\PSHope\PSHope.exe
C:\WINDOWS\SYSTEM32\dwdsregt.exe
C:\Program Files\LogMeIn\LogMeIn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MATTST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wqfbj.exe
F2 - REG:system.ini: UserInit=userinit.exe,ilmftdj.exe,ddjfihw.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3208352-1065141] C:\WINDOWS\win3208352-1065141.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [kokehbfA] C:\WINDOWS\kokehbfA.exe
O4 - HKLM\..\Run: [cyrd874f] RUNDLL32.EXE w002ed34.dll,n 001d874e00000003002ed34
O4 - HKLM\..\Run: [w002fe1d.dll] RUNDLL32.EXE w002fe1d.dll,I2 001d874e0002fe1d
O4 - HKLM\..\Run: [{33-3B-B9-98-ZN}] C:\WINDOWS\SYSTEM32\dwdsregt.exe CORN003
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmed_7.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\owinqpez.exe CORN003
O4 - HKLM\..\Run: [bppoxa] C:\WINDOWS\system32\bxlwxc.exe reg_run
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [PSHope] "C:\Program Files\PSHope\PSHope.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [wmwpy] C:\WINDOWS\system32\bxlwxc.exe reg_run
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinqpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\opdsregl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/107739fc343540a30002/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {73A8D51E-578B-4E4E-8FF8-112E51DBFBE3} (ADPConn Class) - http://caf.oeconnection.com/ActiveX/DMSISM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\tCpisrv.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dCBTdG91dA\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kokehbf.exe
My power went out; when I booted up again, I had all this extra nonsense.
I've got plenty of popups and some new links on my desktop now. There's also something called "tagasaurus" that I certainly don't want to open.
What should I do?
Thanks in advance.
-Matt
LonnyRJones
2006-07-26, 05:49
Welcome to the forum
In the Windows Control Panel, under Add/Remove Programs, uninstall:
Windows Overlay Components
Network Monitor
SurfSideKick
and quicklinks if listed.
C:\DOCUME~1\MATTST~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
You're running HijackThis from a temp folder and/or it still hasn't been unzipped; neither is a good idea.
Create a new folder, for instance C:\AntiSpyware
Download the exe from here to that new folder.
http://www.merijn.org/files/HijackThis.exe
This is necessary to ensure you have backups should anything go wrong.
Make and post a new log.
alehouserock
2006-07-31, 04:19
Thanks for the reply! I had actually thought my post had been purged from the forum, as I didn't see it any longer. I found it again when google-ing some things in my logfile. I've uninstalled SSK3, run spybot, ad-aware, and Look2Me-destroyer, found and gotten rid of lots. Btw, spybot keeps finding "cmdService" and isn't able to get rid of it, perhaps it starts running before spybot can during startup.
Currently, I seem to be getting popups only when I go from one website to another. I do, however, hear a click now and then like perhaps a popup is being blocked. Hopefully you can make some sense of all this. Thanks:)
Logfile of HijackThis v1.99.1
Scan saved at 4:56:25 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{C0833B98-0952-1033-1022-020816020001}\Update.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Matt Stout\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wqfbj.exe
F2 - REG:system.ini: UserInit=userinit.exe,ilmftdj.exe,ddjfihw.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {73A8D51E-578B-4E4E-8FF8-112E51DBFBE3} (ADPConn Class) - http://caf.oeconnection.com/ActiveX/DMSISM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
LonnyRJones
2006-07-31, 06:22
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.
alehouserock
2006-07-31, 06:55
Start Time= Sun 07/30/2006 20:35:42.17
Running from: C:\Documents and Settings\Matt Stout\Desktop\Anti-Spyware
((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
REGISTRY ENTRIES REMOVED:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
C:\WINDOWS\SYSTEM32\ISSRECST.DLL
C:\WINDOWS\SYSTEM32\UQRLBVA.DLL
Granting sedebugprivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))
20:38:26.70
Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst
* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\system32\ghowjx.exe
C:\WINDOWS\system32\wqfbj.exe
C:\WINDOWS\SYSTEM32\ilmftdj.exe
* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2006-07-21 21:55:26 127,488 "C:\WINDOWS\SYSTEM32\ghowjx.exe"
2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\SYSTEM32\wfxqhv.exe"
2006-07-25 23:45:08 36,864 "C:\WINDOWS\SYSTEM32\n9nyb.exe"
2006-07-21 21:56:04 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-07-21 21:55:26 28,672 "C:\WINDOWS\SYSTEM32\wqfbj.exe"
2006-07-20 16:31:24 36,864 "C:\WINDOWS\SYSTEM32\zqskw.exe"
2006-05-19 05:59:42 148,480 "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-07-21 21:55:40 159,744 "C:\WINDOWS\SYSTEM32\redist.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-07-21 21:55:26 23,552 "C:\WINDOWS\SYSTEM32\ilmftdj.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-06-15 11:09:38 11,496 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
2006-06-15 11:09:38 23,016 "C:\WINDOWS\SYSTEM32\LMImirr.dll"
2006-07-21 21:55:26 51,712 "C:\WINDOWS\SYSTEM32\monwagu.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-06-22 03:47:18 181,248 "C:\WINDOWS\SYSTEM32\rasmans.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-07-29 01:15:46 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-07-29 00:47:08 234,601 "C:\WINDOWS\SYSTEM32\UQRLBVA.DLL"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\SYSTEM32\danim.dll"
2006-07-30 20:29:40 436 "C:\WINDOWS\fcuea.dll"
2006-07-27 23:21:48 53 "C:\WINDOWS\nbbewb.dat"
2006-07-21 21:55:26 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yoaxp.exe"
* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
07/21/2006 09:55 PM 127,488 ghowjx.exe.vir
07/21/2006 09:55 PM 127,488 yoaxp.exe.vir
07/21/2006 09:55 PM 51,712 monwagu.dll.vir
07/21/2006 09:55 PM 28,672 wqfbj.exe.vir
07/21/2006 09:55 PM 23,552 ilmftdj.exe.vir
07/27/2006 11:21 PM 53 nbbewb.dat.vir
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
2006-07-20 16:31:36 1,163,264 "C:\WINDOWS\SYSTEM32\wfxqhv.exe"
2006-07-25 23:45:08 36,864 "C:\WINDOWS\SYSTEM32\n9nyb.exe"
2006-07-21 21:56:04 48,167 "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-07-20 16:31:24 36,864 "C:\WINDOWS\SYSTEM32\zqskw.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\SYSTEM32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\SYSTEM32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\SYSTEM32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\SYSTEM32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\SYSTEM32\jsproxy.dll"
2006-06-15 11:09:38 11,496 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
2006-06-15 11:09:38 23,016 "C:\WINDOWS\SYSTEM32\LMImirr.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-06-22 03:47:18 181,248 "C:\WINDOWS\SYSTEM32\rasmans.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-07-29 01:15:46 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-19 05:59:42 148,480 "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-07-21 21:55:40 159,744 "C:\WINDOWS\SYSTEM32\redist.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\SYSTEM32\danim.dll"
2006-07-30 20:29:40 436 "C:\WINDOWS\fcuea.dll"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\8F73AWD9\nwnmef_7[1].exe
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\F3XJ3XKW\drsmartload46a[1].exe
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\F3XJ3XKW\dfndref_7[1].exe
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\H8ORTL0L\drsmartload45a[1].exe
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q13CLORE\drsmartload849a[1].exe
C:\Documents and Settings\Matt Stout\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q13CLORE\kybrdef_7[1].exe
C:\WINDOWS\keyboard1.dat
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-07-30 20:29:40 436 ( A.... ) "C:\WINDOWS\fcuea.dll"
2006-07-29 01:19:02 183296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-07-29 01:15:46 8464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-07-26 00:53:40 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-26 00:20:40 1064 ( A.... ) "C:\WINDOWS\SYSTEM32\cyrd874f.sys"
2006-07-26 00:20:40 1064 ( A.... ) "C:\WINDOWS\SYSTEM32\cyrd874f.sys"
2006-07-25 23:45:10 45056 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
2006-07-25 23:45:10 36864 ( A.... ) "C:\WINDOWS\system32n9nyb.exe"
2006-07-25 23:45:10 28672 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-25 23:45:08 36864 ( A.... ) "C:\WINDOWS\SYSTEM32\n9nyb.exe"
2006-07-25 23:45:08 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\bez6n4r21.exe"
2006-07-21 23:28:54 ( .D... ) "C:\Program Files\TClock"
2006-07-21 22:29:12 397312 ( A.... ) "C:\WINDOWS\cfg32p.dll"
2006-07-21 22:01:16 32768 ( A.... ) "C:\WINDOWS\qjtohnkd.exe"
2006-07-21 22:00:14 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-07-21 21:56:16 0 ( A.... ) "C:\Documents and Settings\Matt Stout\Application Data\internaldb41.dat"
2006-07-21 21:56:06 69632 ( A.... ) "C:\WINDOWS\SYSTEM32\enndmmec.dll"
2006-07-21 21:56:04 48167 ( A.... ) "C:\WINDOWS\SYSTEM32\VSL05.exe"
2006-07-21 21:56:02 45068 ( A.... ) "C:\WINDOWS\SYSTEM32\ZICORN003.exe"
2006-07-21 21:55:58 61440 ( A.... ) "C:\WINDOWS\SYSTEM32\cyrd874f.dll"
2006-07-21 21:55:56 69632 ( A.... ) "C:\WINDOWS\SYSTEM32\fmkkaiga.dll"
2006-07-21 21:55:54 32976 ( A.... ) "C:\WINDOWS\SYSTEM32\uninstIcn.exe"
2006-07-21 21:55:50 ( .D... ) "C:\Program Files\Common Files\{C0833B98-0952-1033-1022-020816020001}"
2006-07-21 21:55:40 159744 ( A.... ) "C:\WINDOWS\SYSTEM32\redist.dll"
2006-07-21 21:55:40 126464 ( A.... ) "C:\WINDOWS\SYSTEM32\redistributor.exe"
2006-07-21 21:54:56 ( .D... ) "C:\Program Files\Common Files\kiqq"
2006-07-21 21:54:44 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-07-21 21:54:06 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-07-21 21:54:06 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-07-21 19:13:10 ( .D... ) "C:\Documents and Settings\Matt Stout\Application Data\n-Track Studio"
2006-07-20 16:31:36 1163264 ( A.... ) "C:\WINDOWS\SYSTEM32\wfxqhv.exe"
2006-07-20 16:31:24 36864 ( A.... ) "C:\WINDOWS\SYSTEM32\zqskw.exe"
2006-07-08 00:35:24 ( .D... ) "C:\Program Files\WinRAR"
2006-07-08 00:24:16 ( .D... ) "C:\Program Files\AoA DVD Ripper"
2006-06-29 07:07:36 61440 ( A.... ) "C:\WINDOWS\SYSTEM32\BattyRun.dll"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\SYSTEM32\nodeipproc.dll"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\nr1rnqm8.exe"
2006-06-15 11:09:40 9576 ( A.... ) "C:\WINDOWS\SYSTEM32\LMImirr2.dll"
2006-06-15 11:09:38 23016 ( A.... ) "C:\WINDOWS\SYSTEM32\LMImirr.dll"
2006-06-15 11:09:38 11496 ( A.... ) "C:\WINDOWS\SYSTEM32\LMIinit.dll"
2006-06-02 23:26:24 ( .D... ) "C:\Documents and Settings\Matt Stout\Application Data\Publish Providers"
2006-06-02 23:26:04 ( .D... ) "C:\Documents and Settings\Matt Stout\Application Data\Sony"
2006-06-02 22:44:18 ( .D... ) "C:\Program Files\Sony Setup"
2006-05-30 16:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-30 16:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-26 06:09:40 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\rmoc3260.dll"
2006-05-19 05:59:42 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-05-19 05:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 05:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"
2003-01-11 20:44:10 207759 ( A.... ) "C:\Program Files\INSTALL.LOG"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-07-29 01:19 183,296 C:\WINDOWS\NDNuninstall7_22.exe
2006-07-29 01:15 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-25 23:45 45,056 C:\WINDOWS\system32ghynf.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32n9nyb.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32\zqskw.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-07-25 23:45 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-07-25 23:45 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-25 23:45 1,163,264 C:\WINDOWS\system32\wfxqhv.exe
2006-07-21 22:29 397,312 C:\WINDOWS\cfg32p.dll
2006-07-21 22:01 32,768 C:\WINDOWS\qjtohnkd.exe
2006-07-21 22:00 1,392,640 C:\WINDOWS\cfg32a.exe
2006-07-21 21:56 69,632 C:\WINDOWS\system32\enndmmec.dll
2006-07-21 21:56 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-21 21:56 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-21 21:55 69,632 C:\WINDOWS\system32\fmkkaiga.dll
2006-07-21 21:55 61,440 C:\WINDOWS\system32\cyrd874f.dll
2006-07-21 21:55 436 C:\WINDOWS\fcuea.dll
2006-07-21 21:55 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-21 21:55 159,744 C:\WINDOWS\system32\redist.dll
2006-07-21 21:55 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-21 21:55 1,064 C:\WINDOWS\system32\cyrd874f.sys
2006-07-21 21:54 483,728 C:\WINDOWS\kokehbf.exe
2006-07-21 21:54 474,304 C:\WINDOWS\kokehbfA.exe
2006-07-21 21:54 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-21 21:54 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-21 21:54 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-07-21 21:54 232,749 C:\WINDOWS\pf78.exe
2006-07-21 21:54 21,504 C:\WINDOWS\offun.exe
2006-06-29 07:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-20 17:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
alehouserock
2006-07-31, 06:57
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Components\\vupdman32.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{C0833B98-0952-1033-1022-020816020001}"="\"C:\\Program Files\\Common Files\\{C0833B98-0952-1033-1022-020816020001}\\Update.exe\" mc-110-12-0000651"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Messenger\\kyzen.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\howylyh.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bppoxa]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxlwxc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\bxlwxc.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="owinqpez"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\owinqpez.exe CORN003"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cuyqk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ghowjx"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ghowjx.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndref_7"
"hkey"="HKLM"
"command"="C:\\\\dfndref_7.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftexc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mptft"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\mptft.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gysojv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ghowjx"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ghowjx.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhl7RfpJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssn6tuu"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"command"="C:\\Program Files\\ipwins\\ipwins.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdef_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdef_7.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kokehbfA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kokehbfA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kokehbfA.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSHope"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSHope\\PSHope.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208352-1065141]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win3208352-1065141"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win3208352-1065141.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmwpy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxlwxc"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\bxlwxc.exe reg_run"
"inimapping"="0"
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
Ghp`amfUbrhLds REG_DWORD 0 (0x0)
DisableTaskMgr REG_DWORD 0 (0x0)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (DC8G5921-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (DELL-Matt Stout).job
Completion time: Sun 07/30/2006 20:42:49.95
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt
Good, thanks, what's next?
LonnyRJones
2006-07-31, 09:31
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bppoxa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cuyqk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftexc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gysojv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhl7RfpJ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kokehbfA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win3208352-1065141]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wmwpy]
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.
Delete these files; be careful of spelling:
C:\Program Files\Messenger\kyzen.html
C:\Program Files\Windows NT\howylyh.html
C:\Program Files\Common Files\Microsoft Shared\Web Components\vupdman32.exe
2006-07-29 01:19 183,296 C:\WINDOWS\NDNuninstall7_22.exe
2006-07-25 23:45 45,056 C:\WINDOWS\system32ghynf.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32n9nyb.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32\zqskw.exe
2006-07-25 23:45 36,864 C:\WINDOWS\system32\n9nyb.exe
2006-07-25 23:45 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-07-25 23:45 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-25 23:45 1,163,264 C:\WINDOWS\system32\wfxqhv.exe
2006-07-21 22:29 397,312 C:\WINDOWS\cfg32p.dll
2006-07-21 22:01 32,768 C:\WINDOWS\qjtohnkd.exe
2006-07-21 22:00 1,392,640 C:\WINDOWS\cfg32a.exe
2006-07-21 21:56 69,632 C:\WINDOWS\system32\enndmmec.dll
2006-07-21 21:56 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-21 21:56 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-21 21:55 69,632 C:\WINDOWS\system32\fmkkaiga.dll
2006-07-21 21:55 61,440 C:\WINDOWS\system32\cyrd874f.dll
2006-07-21 21:55 436 C:\WINDOWS\fcuea.dll
2006-07-21 21:55 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-21 21:55 159,744 C:\WINDOWS\system32\redist.dll
2006-07-21 21:55 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-21 21:55 1,064 C:\WINDOWS\system32\cyrd874f.sys
2006-07-21 21:54 483,728 C:\WINDOWS\kokehbf.exe
2006-07-21 21:54 474,304 C:\WINDOWS\kokehbfA.exe
2006-07-21 21:54 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-21 21:54 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-21 21:54 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-07-21 21:54 232,749 C:\WINDOWS\pf78.exe
2006-07-21 21:54 21,504 C:\WINDOWS\offun.exe
2006-06-29 07:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-20 17:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
folders
C:\Program Files\System Files
C:\Program Files\ipwins
C:\PROGRAM FILES\NEWDOTNET
c:\Program Files\PSHope
C:\Program Files\Common Files\{C0833B98-0952-1033-1022-020816020001}
c:\Program Files\Common Files\kiqq
C:\Program Files\TClock
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
Let us know of any problems over the next few days
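Added example (not part of the original thread and not the helper's own tooling): a small Python reviewer that lists what a REGEDIT4 file such as the fixme.reg above will delete or set before it is merged, and flags any key deletion outside the areas this fix is meant to touch. The sample text is an abbreviated copy of the posted fix plus one constructed line; the function names and the expected-prefix list are assumptions made for this illustration.

```python
import re

# Abbreviated copy of the fixme.reg from the post above, plus ONE constructed
# deletion (marked in the text) that the real fix does not contain.
SAMPLE_REG = r'''REGEDIT4
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"Flags"=dword:00000002
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
; constructed line below, not part of the original fix
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

# Key prefixes this particular fix is expected to touch (taken from the post).
EXPECTED = (
    r'hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg' + '\\',
    r'hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run',
    r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run',
    r'hkey_current_user\software\microsoft\internet explorer\desktop\components' + '\\',
)

def parse_reg(text):
    """Return (action, key, value_name) tuples for the operations in a .reg file."""
    logical, buf = [], ''
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ''
        if line.endswith('\\') and '=hex' in line:   # hex data continues on next line
            buf = line[:-1]
            continue
        logical.append(line)
    ops, key = [], None
    for line in logical:
        if not line or line.startswith((';', 'REGEDIT4', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            ops.append(('delete_key' if m.group(1) else 'open_key', key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            action = 'delete_value' if m.group(2) == '-' else 'set_value'
            ops.append((action, key, m.group(1).strip('"')))
    return ops

def unexpected_deletes(ops, expected=EXPECTED):
    """Key deletions outside the expected prefixes (registry paths are case-insensitive)."""
    return [k for a, k, _ in ops if a == 'delete_key' and not k.lower().startswith(expected)]

if __name__ == '__main__':
    ops = parse_reg(SAMPLE_REG)
    for action, key, name in ops:
        print(f'{action:12} {key}' + (f'  ->  {name}' if name else ''))
    print('REVIEW BEFORE MERGING:', unexpected_deletes(ops))
```
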
alehouserock
2006-07-31, 20:56
Ok, thanks. I did what you said.
I wasn't able to find:
2006-07-21 21:54 483,728 C:\WINDOWS\kokehbf.exe
2006-07-21 21:54 474,304 C:\WINDOWS\kokehbfA.exe
C:\Program Files\ipwins
C:\PROGRAM FILES\NEWDOTNET
c:\Program Files\PSHope
Hopefully I already took care of those.
When I ran Spybot, I still found some things. Again, I wasn't able to remove 2 "cmdService" files. What now?
LonnyRJones
2006-07-31, 21:24
Please download and unzip Ren-cmdservice to your desktop.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it, and then double-click the ren-cmdservice.bat file to run the program.
A text will open when it is finished; post it, please.
Then restart the PC, run SpyBot, and check for and fix any problems found.
When you next check for problems, it won't or shouldn't be there.
Let us know of any problems
alehouserock
2006-08-01, 04:31
Running from C:\Documents and Settings\Matt Stout\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry
-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------
Restarting now!
alehouserock
2006-08-01, 05:36
:laugh: Ran Spybot and NO IMMEDIATE THREATS FOUND!!! :bigthumb:
Thanks for all your help! I'll let you know if I notice any problems in the next few days.
Here's a new HJT, to be safe:
Logfile of HijackThis v1.99.1
Scan saved at 7:30:28 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Stout\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt Stout\Application Data\Mozilla\Profiles\default\wz076phi.slt\prefs.js)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {73A8D51E-578B-4E4E-8FF8-112E51DBFBE3} (ADPConn Class) - http://caf.oeconnection.com/ActiveX/DMSISM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Thanks so much!
-Matt
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
Glad we could help. :)