Problems with malware



peaches
2006-10-12, 08:14
I posted in the forum a while back. I ran an online scan from eTrust which turned out clean. Spybot Search and Destroy's scan was clean. I continue to get a page called "my search page". Below is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:08:36 AM, on 10/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Desktop\My Briefcase\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Please help!

tashi
2006-10-16, 08:36
Hello,

If you have not resolved the problem, we do have this sticky topic:

If you have waited four days for advice, post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

tashi
2006-10-22, 03:41
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened, please send me or your helper a private message (PM) and provide a link to the thread.

Applies only to the original topic starter.

LonnyRJones
2006-10-26, 11:33
Re-opened, member posted in our waiting topic.

Hi peaches
Download (save) and then run the stand-alone version of CWShredder:

http://www.intermute.com/spysubtract/cwshredder_download.html
Follow the prompts and post its report when finished.

peaches
2006-10-31, 06:05
Hi Lonny:
Thanks for your help! The CWShredder results are below:

**** Run Keys ****

RUN: [SystemTray] SysTray.Exe
RUN: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
RUN: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
RUN: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
RUN: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
RUN: [QuickTime Task] "C:\Documents and Settings\All Users\Desktop\My Briefcase\qttask.exe" -atboottime
RUN: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
RUN: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
RUN: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
RUN: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


**** Browser Helper Objects ****

BHO: [Yahoo! Toolbar Helper] C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO: [AcroIEHlprObj Class] C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
BHO: [Yahoo! IE Services Button] C:\Program Files\Yahoo!\Common\yiesrvc.dll
BHO: [SSVHelper Class] C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll


**** IE Toolbars ****

TOOLBAR: [] C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [Yahoo! Toolbar] C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll


**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll
IEExt: [Encarta Encyclopedia] C:\WINDOWS\System32\msjava.dll
IEExt: [Yahoo! Services] C:\WINDOWS\System32\msjava.dll
IEExt: [Define] C:\WINDOWS\System32\msjava.dll
IEExt: [Real.com] C:\WINDOWS\System32\msjava.dll


**** Hosts File Entries ****



**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINDOWS\System32\blank.htm
Search Bar: about:blank
Search Page: http://www.google.com


**** IE Context Menu (Right click) ****

IEContext: [&Define] C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IEContext: [&Yahoo! Search] file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
IEContext: [Look Up in &Encyclopedia] C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
IEContext: [Yahoo! &Dictionary] file:///C:\Program Files\Yahoo!\Common/ycdict.htm
IEContext: [Yahoo! &Maps] file:///C:\Program Files\Yahoo!\Common/ycmap.htm
IEContext: [Yahoo! &SMS] file:///C:\Program Files\Yahoo!\Common/ycsms.htm


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67F05D55-C5D8-43D3-A1E5-8C0825385481}] SEQPACKET 9
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{67F05D55-C5D8-43D3-A1E5-8C0825385481}] DATAGRAM 9
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C392AC-903A-422D-A842-D0BAE19A3549}] SEQPACKET 8
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C392AC-903A-422D-A842-D0BAE19A3549}] DATAGRAM 8
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DD7D22E-6E58-4B71-88E6-5419567A5E35}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DD7D22E-6E58-4B71-88E6-5419567A5E35}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{27E678A8-6D83-48C8-A320-B6B2E2F2C2BA}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{27E678A8-6D83-48C8-A320-B6B2E2F2C2BA}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6F9E819E-67D0-4385-B9B3-CD6B14A8A8B8}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6F9E819E-67D0-4385-B9B3-CD6B14A8A8B8}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{74097B95-800B-4505-A053-0B307592FE19}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{74097B95-800B-4505-A053-0B307592FE19}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0075CFAC-E447-4109-9BC7-5454285EE4FB}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0075CFAC-E447-4109-9BC7-5454285EE4FB}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0DC9A87B-3C5B-4DB7-8A31-32E031DC6293}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0DC9A87B-3C5B-4DB7-8A31-32E031DC6293}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C753FE6C-68FB-436F-A2C2-F9BCA5C0150C}] SEQPACKET 7
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C753FE6C-68FB-436F-A2C2-F9BCA5C0150C}] DATAGRAM 7


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
BLOCKED: [snd.cpl] no
BLOCKED: [joystick.cpl] no
BLOCKED: [midimap.drv] no


**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{0335A685-ED24-4F7B-A08E-3BD15D84E668} [http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab]
{32564D57-0000-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/wmv8ax.cab]
{32564D57-9980-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/wmv8dmo.cab]
{3334504D-0000-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/mpeg4ax.cab]
{33564D57-0000-0010-8000-00AA00389B71} [http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB]
{33564D57-9980-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab]
{3CC943C7-3C99-11D4-8135-0050041A5144} [file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB] C:\WINDOWS\Downloaded Program Files\RunExeActiveX.ocx C:\WINDOWS\SYSTEM32\ASYCFILT.DLL C:\WINDOWS\SYSTEM32\COMCAT.DLL C:\WINDOWS\SYSTEM32\COMDLG32.OCX C:\WINDOWS\SYSTEM32\MSSTKPRP.DLL C:\WINDOWS\SYSTEM32\MSVBVM60.DLL C:\WINDOWS\SYSTEM32\MSVCRT.DLL C:\WINDOWS\SYSTEM32\OLEAUT32.DLL C:\WINDOWS\SYSTEM32\OLEPRO32.DLL C:\WINDOWS\SYSTEM32\SCRRUN.DLL C:\WINDOWS\SYSTEM32\STDOLE2.TLB
{41F17733-B041-4099-A042-B518BB6A408C} [http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe]
{50564D57-9980-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab]
{A17E30C4-A9BA-11D4-8673-60DB54C10000} [http://download.yahoo.com/dl/installs/ymail/ymmapi.dll]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[Avg7Alrt] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Avg7UpdSvc] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[AVGEMS] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[Pml Driver HPZ12] C:\WINDOWS\System32\HPZipm12.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{A380D21C-FA59-46F2-B3F4-23CA4999C97A}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\System32\wdfmgr.exe
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WANMiniportService] "C:\WINDOWS\wanmpsvc.exe"
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] about:blank
SEARCH: [] http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
SEARCH: [CustomizeSearch] about:blank
SEARCH: [SearchAssistant] about:blank
SEARCH: [CustomizeSearch] about:blank
SEARCH: [CustomSearch] http://rd.yahoo.com/customize/sbcydsl/defaults/cs/*http://www.yahoo.com/search/ie.html


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://yahoo.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.google.com
IEOPT: [Search Bar] about:blank
IEOPT: [Use Custom Search URL]
IEOPT: [FullScreen] no
IEOPT: [LastCheckedHi] T®Ã
IEOPT: [Window_Placement] ,
IEOPT: [Check_Associations] No
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [HistoryViewType]
IEOPT: [HistoryTopNSitesView]
IEOPT: [Show_ChannelBand] No
IEOPT: [HomeSet] ya
IEOPT: [Save Directory] C:\Documents and Settings\Valerie\My Documents\
IEOPT: [Default_Search_URL] about:blank
IEOPT: [SearchURL] http://www.google.com
IEOPT: [Default_Page_URL] about:blank
IEOPT: [Use Search Assistant] yes
IEOPT: [Use Search Asst] no
IEOPT: [Cache_Update_Size] 256000
IEOPT: [AutoSearch]
IEOPT: [HomeOldSP] about:blank
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] http://www.google.com
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar] about:blank
IEOPT: [Use Search Assistant] yes
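The HijackThis log earlier in the thread shows the Search,(Default) value already decoded and marked "(obfuscated)", while the CWShredder report above prints the same registry value raw, as a percent-encoded string. The added example below (written for this page; not code from the thread, from HijackThis or from CWShredder) parses both line formats, decodes the escapes so the two values can be compared, and flags search settings that point at a host outside an allow-list assumed for the example.

```python
"""Decode and triage IE search-setting lines from HijackThis and CWShredder output.

Added example for this thread; not code from HijackThis, CWShredder or the Spybot
forum.  The sample lines are constructed copies of the R1 "Search,(Default)" line
in the HijackThis log and the "SEARCH: []" line in the CWShredder report, plus
benign lines for contrast.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample input, copied from the two reports posted in the thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = "
    r"http://ie-search.com/srchasst.html (obfuscated)",
    "SEARCH: [] http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/"
    "%73%72%63%68%61%73%73%74%2E%68%74%6D%6C",
    "SEARCH: [SearchAssistant] about:blank",
    "SEARCH: [CustomSearch] http://rd.yahoo.com/customize/sbcydsl/defaults/cs/"
    "*http://www.yahoo.com/search/ie.html",
    "IEOPT: [Search Page] http://www.google.com",  # not a search-key line; skipped
]

# Hosts the rest of this machine's IE settings legitimately point at.
# This allow-list is an assumption made for the example; adjust per machine.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.microsoft.com", "rd.yahoo.com"}

# HijackThis R0-R3 line: "R1 - <registry key> = <value> (<note>)"
HJT_R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.+?)(?: \((?P<note>[^)]*)\))?$")
# CWShredder custom search line: "SEARCH: [<name>] <value>"
CWS_SEARCH_LINE = re.compile(r"^SEARCH: \[(?P<name>[^\]]*)\] (?P<value>.+)$")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_search_url(raw: str) -> tuple:
    """Undo percent-encoding and report whether any escapes were present.

    CWShredder prints the registry value verbatim, so a hijacked URL stored as
    %69%65... stays unreadable; HijackThis decodes it and appends "(obfuscated)".
    """
    return unquote(raw), bool(PCT_ESCAPE.search(raw))


def host_of(url: str) -> str:
    """Hostname of a URL, or '' for about: URLs and unparsable values."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def classify(line: str) -> Optional[dict]:
    """Parse one log line; return a finding record, or None for other line types."""
    m = HJT_R_LINE.match(line) or CWS_SEARCH_LINE.match(line)
    if m is None:
        return None
    raw = m.group("value")
    decoded, encoded = decode_search_url(raw)
    host = host_of(decoded)
    findings = []
    if encoded:
        findings.append("value is percent-encoded (hides the real host in the registry)")
    if m.groupdict().get("note") == "obfuscated":
        findings.append("HijackThis flagged the value as obfuscated")
    if host and host not in EXPECTED_SEARCH_HOSTS:
        findings.append(f"search setting points at unexpected host {host}")
    return {"raw": raw, "decoded": decoded, "host": host, "findings": findings}


def scan(lines: list) -> list:
    """Classify every search-setting line, dropping lines of other types."""
    return [r for r in map(classify, lines) if r is not None]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LINES):
        status = "SUSPECT" if rec["findings"] else "ok"
        print(f"{status:7} {rec['decoded']}")
        for f in rec["findings"]:
            print(f"         - {f}")
```

Running the block against the constructed lines shows that the raw CWShredder value and the HijackThis-decoded value are the same URL, which is the comparison a helper makes when reading the two reports side by side.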

LonnyRJones
2006-10-31, 07:44
Hi

Did you use its fix option? If so, was anything detected?

tashi
2006-11-07, 17:46
peaches?

peaches
2006-11-11, 07:34
Lonnie, I only did the scan with CWShredder. I was waiting to see what needed to be deleted by the Spybot team! I didn't want to delete anything that shouldn't be deleted. Sorry for the delay in responding!
Thanks

LonnyRJones
2006-11-11, 07:39
Run CWShredder and choose the fix option. Follow the prompts.

Post a new HijackThis log and a ComboFix report, please.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

peaches
2006-11-11, 08:05
Logfile of HijackThis v1.99.1
Scan saved at 12:59:39 AM, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2portalmon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\All Users\Desktop\My Briefcase\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

peaches
2006-11-11, 08:09
Valerie - 06-11-11 1:06:43.00 Service Pack 1
ComboFix 06.11.9 - Running from: "C:\Program Files"

((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 00:43 277182 --a------ C:\Program Files\combofix.exe
2006-10-31 00:00 532480 --a------ C:\Program Files\cwshredder.exe
2006-10-12 01:04 -------- d-------- C:\Program Files\SpywareBlaster
2006-10-12 01:03 2566736 --a------ C:\Program Files\spywareblastersetup351.exe
2006-09-28 09:56 778656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-09-28 01:21 76560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2006-09-05 00:07 17815448 --a------ C:\Program Files\avg71free_405a791.exe
2006-09-04 21:57 5037072 --a------ C:\Program Files\spybotsd14.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"2wSysTray"="C:\\Program Files\\2Wire\\Gateway\\2portalmon.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Documents and Settings\\All Users\\Desktop\\My Briefcase\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

peaches
2006-11-11, 08:10

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Printing Migration"="rundll32.exe C:\\WINDOWS\\System32\\spool\\migrate.dll,ProcessWin9xNetworkPrinters"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"OEMRUNONCE"="c:\\windows\\options\\cabs\\oemrun.exe"
"AtiPTA"="Atiptaxx.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE"
"Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID:*PNP0320 /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Speed racer"="C:\\Program Files\\Creative\\PlayCenter\\CTSRReg.exe"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"SystemTasks"="C:\\SEXYPICS.EXE"
"CC2KUI"="C:\\PROGRA~1\\COMET\\BIN\\CSTRAY.EXE"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"2wSysTray"="C:\\PROGRAM FILES\\2WIRE\\GATEWAY\\2PORTALMON.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM32\\qttask.exe\" -atboottime"
"Internat Conf"="C:\\WINDOWS\\SYSTEM32\\bootconf.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStartup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1071446542.job
C:\WINDOWS\tasks\WebReg 20040316180711.job

Completion time: 06-11-11 1:07:58.06
C:\ComboFix2.txt ... 06-11-11 00:47
C:\ComboFix.txt ... 06-11-11 01:08

LonnyRJones
2006-11-11, 17:26
Close all browsers, start HijackThis and place a check next to these items, if there.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O19 - User stylesheet: (file missing)

====================================
Hit Fix checked and close HijackThis.


Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"SystemTasks"=-
"CC2KUI"=-
"Internat Conf"=-
"New.net Startup"=-
;


Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

Let us know of any problems.
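As an added example (not code from this thread, nor from the HijackThis or ComboFix authors), a small Python triage script that applies the reasoning behind the reply above: it flags R0/R1 log entries showing the hijack signs the helper selected, and lists what each "name"=- line in fixme.reg would remove, looked up against the ComboFix registry dump so the user can see what is going away before merging. The trusted-host list and the stock Local Page location are assumptions; the sample lines are copied from this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: R0/R1 lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O19 - User stylesheet: (file missing)
"""
# Constructed sample: the fixme.reg contents from the reply above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"SystemTasks"=-
"CC2KUI"=-
"Internat Conf"=-
"New.net Startup"=-
;
"""
# Constructed sample: the matching key block from the ComboFix dump above (abridged).
SAMPLE_COMBOFIX = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SystemTasks"="C:\\SEXYPICS.EXE"
"CC2KUI"="C:\\PROGRA~1\\COMET\\BIN\\CSTRAY.EXE"
"Internat Conf"="C:\\WINDOWS\\SYSTEM32\\bootconf.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStartup"
"""

HJT_RE = re.compile(r"^R[01] - (?:HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DELETE_RE = re.compile(r'^"(.+)"=-$')         # "name"=-  removes one value
REG_VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')    # "name"="data" as ComboFix prints it
# Start-page hosts this user actually chose (an assumption made for the example).
TRUSTED_HOSTS = {"yahoo.com", "www.yahoo.com"}


def triage_hjt(text):
    """Return [(line, reason)] for R0/R1 entries matching a hijack pattern: a
    search/start value forced to about:blank, a URL HijackThis tags (obfuscated),
    a URL on a host the user never chose, or a Local Page outside
    %SystemRoot%\\system32 (the stock XP location; anything else is suspect)."""
    findings = []
    for line in text.splitlines():
        if not (m := HJT_RE.match(line)):
            continue
        name, data = m.group(2), m.group(3).strip()
        if data.lower() == "about:blank":
            findings.append((line, "IE search/start value forced to about:blank"))
        elif data.endswith("(obfuscated)"):
            findings.append((line, "obfuscated URL in IE search setting"))
        elif name == "Local Page" and "\\system32\\" not in data.lower():
            findings.append((line, "Local Page outside %SystemRoot%\\system32"))
        elif data.lower().startswith(("http://", "https://")):
            host = urlparse(data).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((line, "start/search URL on untrusted host " + host))
    return findings


def review_fix(reg_text, dump_text):
    """Return {(key, name): data} for every "name"=- deletion in the .reg file,
    with data taken from the ComboFix dump; None means the dump never listed that
    value, which is the case to look into before merging."""
    dump, key = {}, None
    for raw in dump_text.splitlines():
        line = raw.strip()
        if km := REG_KEY_RE.match(line):
            key = km.group(1).lower()
        elif (vm := REG_VALUE_RE.match(line)) and key:
            dump[(key, vm.group(1))] = vm.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    review, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if km := REG_KEY_RE.match(line):
            key = km.group(1)
        elif (vm := REG_DELETE_RE.match(line)) and key:
            review[(key, vm.group(1))] = dump.get((key.lower(), vm.group(1)))
    return review

if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_HJT):
        print("FIX?", why, "<-", line)
    for (key, name), data in review_fix(SAMPLE_REG, SAMPLE_COMBOFIX).items():
        print("fixme.reg removes", repr(name), "which currently runs:", data)
```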

LonnyRJones
2006-11-19, 02:47
Due to lack of responses, this thread is closed.
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.