Persistent Spyware pop-ups (Virus Heat et.al)
Tweaks.com
Posted 5/8/2008 12:46 AM


New Member


Group: Forum Members
Last Login: 8/3/2008 1:25 AM
Posts: 17, Visits: 41
I have the same problem as KingNet's, and although I got rid of the shield icon (via AVG AS 7.5), pop-ups still appear instructing me to download anti-spyware software, scanning for spyware and directing my browser to another website. This happens every time I open Internet Explorer.

Here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:19 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BM73f6d938] Rundll32.exe "C:\WINDOWS\system32\escicoyi.dll",s
O4 - HKLM\..\Run: [70c5eaa4] rundll32.exe "C:\WINDOWS\system32\ignwixyk.dll",b
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{67296F48-A252-434E-A81D-076EAA5DBA54}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{F230753C-F5C4-42B1-882D-F152132F52FE}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 5689 bytes

Post #239030
Posted 5/8/2008 2:23 AM


Senior Forum Moderator


Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 28,406, Visits: 54,734
Welcome

Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{67296F48-A252-434E-A81D-076EAA5DBA54}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{F230753C-F5C4-42B1-882D-F152132F52FE}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt into your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, then restart your computer.


It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal - FREE Antivirus:
http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you're done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop


Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.


________________________________________


ASAP & UNITE member since 2006
Post #239036
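As an added example (not the moderator's tool, and not part of FixWareout or HijackThis), a small Python triage script that walks a HijackThis log and flags the two patterns this thread turns on: O17 NameServer entries hard-coded to a public resolver, and O4 rundll32 entries loading an eight-letter random DLL from system32. The sample log lines are constructed after the ones posted above; the `expected` allowlist is an assumption you fill from your ISP or DHCP lease.

```python
"""Triage helper for HijackThis O17 (DNS NameServer) and O4 (Run key) lines.

Added example for this thread, not part of HijackThis or FixWareout.  The
random-name test is a heuristic, not a signature: treat hits as leads.
"""
import ipaddress
import re

# Constructed sample, modelled on the HijackThis log format quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BM73f6d938] Rundll32.exe "C:\WINDOWS\system32\escicoyi.dll",s
O4 - HKLM\..\Run: [70c5eaa4] rundll32.exe "C:\WINDOWS\system32\ignwixyk.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\..\{4062C091-BA42-4D76-9356-89C52D2CE5B3}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.118 85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
""".strip()

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)  # quoted or bare path
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")          # escicoyi, ignwixyk, ...
HEX_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")   # 70c5eaa4, BM73f6d938


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None.
    HijackThis prints the list comma-separated for interface keys and
    space-separated for the Parameters key; both forms are accepted."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def suspicious_resolvers(servers, expected=frozenset()):
    """Resolvers that are neither RFC 1918/loopback/link-local (a home router)
    nor in the caller's expected set (assumption: ISP resolvers).  Tokens that
    do not parse as an address are reported as well."""
    bad = []
    for s in servers:
        if s in expected:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            bad.append(s)
    return bad


def parse_o4(line):
    """Return (registry_key, value_name, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group("key"), m.group("name"), m.group("cmd")) if m else None


def rundll32_target(cmd):
    """DLL path if the Run command launches rundll32, else None."""
    if not cmd.lstrip('"').lower().startswith("rundll32"):
        return None
    m = DLL_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def looks_random(dll_path, value_name):
    """Heuristic: eight lowercase letters as DLL stem, or a hex-like value name."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_STEM_RE.match(stem) or HEX_VALUE_RE.match(value_name))


def triage(log_text, expected=frozenset()):
    """Walk a HijackThis log; return [(line_no, category, detail), ...]."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        o17 = parse_o17(line)
        if o17:
            key, servers = o17
            bad = suspicious_resolvers(servers, expected)
            if bad:
                findings.append((no, "dns-hijack", f"{key} -> {', '.join(bad)}"))
            continue
        o4 = parse_o4(line)
        if o4:
            key, name, cmd = o4
            dll = rundll32_target(cmd)
            if dll and looks_random(dll, name):
                findings.append((no, "rundll32-random-dll", f"[{name}] {dll}"))
    return findings


if __name__ == "__main__":
    for no, cat, detail in triage(SAMPLE_LOG):
        print(f"line {no}: {cat}: {detail}")
```

Once the O17 entries are fixed and DNS is set back to "Obtain DNS servers Automatically", a fresh log run through `triage` should come back with no dns-hijack findings; a lingering rundll32 hit is the kind of entry the follow-up scans in this thread went after.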
Posted 5/9/2008 7:16 AM


New Member


Group: Forum Members
Last Login: 8/3/2008 1:25 AM
Posts: 17, Visits: 41
FixWareout Log:

Username "user" - 01/01/2000  2:13:07 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdivz.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.118 85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4062C091-BA42-4D76-9356-89C52D2CE5B3}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{67296F48-A252-434E-A81D-076EAA5DBA54}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F230753C-F5C4-42B1-882D-F152132F52FE}
"nameserver"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{67296F48-A252-434E-A81D-076EAA5DBA54}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{802FB6B8-DC90-4084-A720-5FB4EEFCE2AF}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F230753C-F5C4-42B1-882D-F152132F52FE}
"DhcpNameServer"="85.255.113.118,85.255.112.101" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdivz.ren 60416 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="C:\\Program Files\\PCI Audio Applications\\Mixer.exe /startup"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"70c5eaa4"="rundll32.exe \"C:\\WINDOWS\\system32\\vxndfcos.dll\",b"
"BM73f6d938"="Rundll32.exe \"C:\\WINDOWS\\system32\\mnrecgwh.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Avira AntiVir PE Report:

Avira AntiVir Personal
Report file date: Friday, May 09, 2008  13:50

Scanning for 1165085 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    USER-BF5756DC9B

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes    4/9/2008 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes   3/18/2008 03:02:56
AVSCAN.DLL    : 8.1.1.0         53505 Bytes    2/7/2008 02:43:37
LUKE.DLL      : 8.1.2.9        151809 Bytes   2/28/2008 02:41:23
LUKERES.DLL   : 8.1.2.1         12033 Bytes   2/21/2008 02:28:40
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes   7/18/2007 04:33:34
ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes    3/7/2008 07:08:58
ANTIVIR2.VDF  : 7.0.3.62       337408 Bytes   3/21/2008 13:12:34
ANTIVIR3.VDF  : 7.0.3.68        57856 Bytes   3/25/2008 02:27:50
Engineversion : 8.1.0.28 
AEVDF.DLL     : 8.1.0.5        102772 Bytes   2/25/2008 03:58:21
AESCRIPT.DLL  : 8.1.0.19       229754 Bytes    4/7/2008 09:34:44
AESCN.DLL     : 8.1.0.12       115060 Bytes    4/7/2008 09:34:44
AERDL.DLL     : 8.1.0.19       418164 Bytes    4/7/2008 09:34:44
AEPACK.DLL    : 8.1.1.0        364918 Bytes   3/18/2008 05:20:42
AEOFFICE.DLL  : 8.1.0.15       192889 Bytes    4/7/2008 09:34:44
AEHEUR.DLL    : 8.1.0.15      1147253 Bytes    4/7/2008 09:34:44
AEHELP.DLL    : 8.1.0.11       115061 Bytes    4/7/2008 09:34:43
AEGEN.DLL     : 8.1.0.15       299379 Bytes    4/7/2008 09:34:43
AEEMU.DLL     : 8.1.0.5        430450 Bytes    4/7/2008 09:34:43
AECORE.DLL    : 8.1.0.25       168309 Bytes    4/8/2008 03:58:32
AVWINLL.DLL   : 1.0.0.7         14593 Bytes   1/23/2008 11:07:53
AVPREF.DLL    : 8.0.0.1         25857 Bytes   2/18/2008 04:37:50
AVREP.DLL     : 7.0.0.1        155688 Bytes   4/16/2007 07:26:47
AVREG.DLL     : 8.0.0.0         30977 Bytes   1/23/2008 11:07:49
AVARKT.DLL    : 1.0.0.23       307457 Bytes   2/12/2008 02:29:23
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes   2/28/2008 02:31:31
SQLITE3.DLL   : 3.3.17.1       339968 Bytes   1/22/2008 11:28:02
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes   1/23/2008 11:08:39
NETNT.DLL     : 8.0.0.1          7937 Bytes   1/25/2008 06:05:10
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes   3/10/2008 08:37:25
RCTEXT.DLL    : 8.0.32.0        86273 Bytes    3/6/2008 06:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, May 09, 2008  13:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'Ares.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'Mixer.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!
Boot sector 'E:\'
      [INFO]      No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\xaqwbqpd.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [WARNING]   The file could not be deleted!
C:\WINDOWS\system32\bwuffbrv.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '4898e77b.qua'!

The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\12UD83P2\yaypalassamosvala[1]
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was moved to '489ce801.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP86\A0076036.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '4853fbe3.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP87\A0076053.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '4853fbf9.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP89\A0076092.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '4853fc10.qua'!
C:\System Volume Information\_restore{61551398-1387-45C8-B816-B8193A5D57EE}\RP89\A0076093.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '4853fc19.qua'!
C:\WINDOWS\system32\bueyydnr.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48890940.qua'!
C:\WINDOWS\system32\bwehxbyr.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48890954.qua'!
C:\WINDOWS\system32\fjnppfut.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48920e19.qua'!
C:\WINDOWS\system32\fthhiatn.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was moved to '488c1c2d.qua'!
C:\WINDOWS\system32\kvamvicm.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was moved to '48851c63.qua'!
C:\WINDOWS\system32\mnrecgwh.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48961c73.qua'!
C:\WINDOWS\system32\nndetcmm.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was moved to '48881cd6.qua'!
C:\WINDOWS\system32\ojphqisl.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48941cf0.qua'!
C:\WINDOWS\system32\ojtppkwa.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [NOTE]      The file was moved to '48981cf2.qua'!
C:\WINDOWS\system32\ssqPihIc.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [WARNING]   An error has occurred and the file was not deleted. ErrorID: 26003
      [WARNING]  
C:\WINDOWS\system32\svcaggmj.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [NOTE]      The file was moved to '48871d5b.qua'!
C:\WINDOWS\system32\vxndfcos.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [WARNING]   An error has occurred and the file was not deleted. ErrorID: 26003
      [WARNING]  
C:\WINDOWS\system32\xaqwbqpd.dll
      [DETECTION] Is the Trojan horse TR/Vundo.Gen
      [WARNING]   An error has occurred and the file was not deleted. ErrorID: 26003
      [WARNING]  
Begin scan in 'E:\'


End of the scan: Friday, May 09, 2008  17:52
Used time:  4:04:25 min

The scan has been done completely.

   2001 Scanning directories
 142707 Files were scanned
     20 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
     16 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 142687 Files not concerned
    607 Archives were scanned
      6 Warnings
     16 Notes

ComboFix Report:

ComboFix 08-05-07.1 - user 2008-05-09 18:49:51.1 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetProject
C:\Program Files\NetProject\Thumbs.db
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\717305\717305.dll
C:\WINDOWS\system32\cIhiPqss.ini
C:\WINDOWS\system32\cIhiPqss.ini2
C:\WINDOWS\system32\dpqbwqax.ini
C:\WINDOWS\system32\dshnxwwg.ini
C:\WINDOWS\system32\efechrcn.ini
C:\WINDOWS\system32\kyxiwngi.ini
C:\WINDOWS\system32\lsiqhpjo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\socfdnxv.ini
C:\WINDOWS\system32\ssqQiifG.dll
C:\WINDOWS\system32\vounokkx.ini

.
(((((((((((((((((((((((((   Files Created from 2008-04-09 to 2008-05-09  )))))))))))))))))))))))))))))))
.

2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Program Files\Avira
2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-07 14:17 . 2008-05-07 14:17 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-04 03:25 . 2008-05-09 13:04 109,816 --a------ C:\WINDOWS\BM73f6d938.xml
2008-05-04 03:19 . 2008-05-04 03:19 281,600 --a------ C:\WINDOWS\system32\ssqPihIc.VIR
2008-05-04 03:13 . 2008-05-07 18:42 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-27 22:29 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-27 05:32 . 2008-04-27 22:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-27 05:32 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-26 21:33 . 2008-05-07 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-26 21:31 . 2008-05-09 19:07 <DIR> d-------- C:\WINDOWS\system32\717305
2008-04-21 02:38 . 2008-04-21 02:38 <DIR> d-------- C:\WINDOWS\Sun

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 15:12 --------- d-----w C:\Program Files\Yahoo!
2008-04-25 12:58 --------- d-----w C:\Documents and Settings\user\Application Data\mIRC
2008-04-25 12:57 --------- d-----w C:\Program Files\mIRC
2008-03-30 18:05 --------- d-----w C:\Program Files\Java
2008-03-30 17:41 --------- d-----w C:\Program Files\Common Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
1999-12-31 17:09 1,491,592 ----a-w C:\Program Files\install_flash_player.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C}]
   C:\WINDOWS\system32\ssqPihIc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 22:29 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="C:\Program Files\PCI Audio Applications\Mixer.exe" [2000-09-14 04:02 1077248]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-24 07:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-20 10:19 49152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-09 09:35 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 08:50 33792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 02:50 155648]
"70c5eaa4"="C:\WINDOWS\system32\xaqwbqpd.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 19:52:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
.
**************************************************************************
.
Completion time: 2008-05-09 20:01:44 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-09 12:01:17

Pre-Run: 11,857,731,584 bytes free
Post-Run: 11,832,512,512 bytes free

101 --- E O F --- 1999-12-31 16:16:43

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:18 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: (no name) - {1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C} - C:\WINDOWS\system32\ssqPihIc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [70c5eaa4] rundll32.exe "C:\WINDOWS\system32\xaqwbqpd.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

--
End of file - 4839 bytes

Post #239131
Posted 5/9/2008 7:28 AM


Senior Forum Moderator


Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 28,406, Visits: 54,734
Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.
File::
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR
DirLook::
C:\WINDOWS\system32\527631
C:\WINDOWS\system32\717305
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"70c5eaa4"=-

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


________________________________________


ASAP & UNITE member since 2006

Post #239132
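An added example, not code from HijackThis, ComboFix or anyone in this thread: it parses the O2 (BHO) and O4 (Run) lines from the log above the way a helper reads them by eye, flags BHOs whose DLL is missing and Run entries with a hex-only name that load a DLL through rundll32, and renders the Registry:: section in the same form the CFScript above uses (the `~` shorthand and `"name"=-` syntax are copied from that script). The sample lines are a constructed subset of the log posted above.

```python
"""Triage a HijackThis log and render the matching CFScript Registry:: block.
Example code added for this thread; not part of HijackThis or ComboFix."""
import re

# Constructed sample: a few O2/O4 lines of the kind shown in the log above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1F8E8CCB-55D2-440C-BFB5-4B3180BA7A5C} - C:\\WINDOWS\\system32\\ssqPihIc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [70c5eaa4] rundll32.exe "C:\\WINDOWS\\system32\\xaqwbqpd.dll",b
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.*)$", re.I)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
# Full key paths behind HijackThis's abbreviated "HKLM\..\Run" / "HKCU\..\Run".
RUN_PATH = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}

def suspicious_bhos(log):
    """CLSIDs of BHOs whose DLL HijackThis could not find on disk."""
    out = []
    for line in log.splitlines():
        m = BHO_RE.match(line)
        if m and ("(file missing)" in m["path"] or m["path"] == "(no file)"):
            out.append(m["clsid"])
    return out

def suspicious_runs(log):
    """(hive, value name) of Run entries with an 8-hex-digit name that load a DLL via rundll32."""
    out = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m and re.fullmatch(r"[0-9a-f]{8}", m["key"]) and "rundll32" in m["cmd"].lower():
            out.append((m["hive"], m["key"]))
    return out

def cfscript_registry_block(log):
    """Render the Registry:: section in the form used by the CFScript in this thread."""
    lines = ["Registry::"]
    for clsid in suspicious_bhos(log):
        lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")  # [-key] deletes the key
    for hive, key in suspicious_runs(log):
        lines.append(f"[{RUN_PATH[hive]}]")
        lines.append(f'"{key}"=-')  # "name"=- deletes that value
    return "\n".join(lines)

if __name__ == "__main__":
    print(cfscript_registry_block(SAMPLE_LOG))
```

Run against the sample it reproduces the four Registry:: lines of the moderator's script; on a real log the flagged entries still need a human to confirm before anything is deleted.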
Posted 5/10/2008 2:10 AM


New Member


Group: Forum Members
Last Login: 8/3/2008 1:25 AM
Posts: 17, Visits: 41
ComboFix Report:

ComboFix 08-05-07.1 - user 2008-05-10 14:06:32.2 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\user\Favorites\Online Security Test.url
C:\WINDOWS\BM73f6d938.xml
C:\WINDOWS\system32\ssqPihIc.VIR

.
(((((((((((((((((((((((((   Files Created from 2008-04-10 to 2008-05-10  )))))))))))))))))))))))))))))))
.

2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Program Files\Avira
2008-05-09 13:35 . 2008-05-09 13:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-07 14:17 . 2008-05-07 14:17 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-04 03:13 . 2008-05-07 18:42 <DIR> d-------- C:\WINDOWS\system32\527631
2008-04-27 22:29 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-27 05:32 . 2008-04-27 22:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-27 05:32 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-26 21:33 . 2008-05-07 23:04 <DIR> d-a------ C:\Documents and Settings\All Users