03-03-2007, 03:21 PM   #23
tsf1jay
Registered User
 
Join Date: Feb 2007
Posts: 21
OS: XP home edition


Here are the logs.
===winlogon.exe.txt====
Process PID CPU Description Company Name
System Idle Process 0 91.43
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 416 Windows NT Session Manager Microsoft Corporation
csrss.exe 464 Client Server Runtime Process Microsoft Corporation
winlogon.exe 488
services.exe 532 2.86 Services and Controller app Microsoft Corporation
svchost.exe 696 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 752 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 820 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 864 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 984 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1164 Spooler SubSystem App Microsoft Corporation
Mcdetect.exe 1664 McAfee WSC Integration Service McAfee, Inc
McShield.exe 1684 On-Access Scanner service McAfee Inc.
McTskshd.exe 1732 McAfee Task Scheduler McAfee, Inc
svchost.exe 1856 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 544 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1348 Windows Explorer Microsoft Corporation
zHotkey.exe 1460 Chicony Multimedia Driver Chicony
mcvsshld.exe 1484 McAfee VirusScan ActiveShield Resource McAfee, Inc.
McVSEscn.exe 1524 McAfee VirusScan E-mail Scan Module McAfee, Inc.
oasclnt.exe 1492 McAfee VirusScan OAS Client McAfee, Inc.
jusched.exe 1528 Java(TM) Platform SE binary Sun Microsystems, Inc.
googletalk.exe 1552 Google Talk Google
iexplore.exe 3148 Internet Explorer Microsoft Corporation
procexp.exe 2772 5.71 Sysinternals Process Explorer Sysinternals

Process: winlogon.exe Pid: 488

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
authz.dll Authorization Framework Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0258
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2180
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
locale.nls
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
nddeapi.dll Network DDE Share Management APIs Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntmarta.dll Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2180
oleaut32.dll Microsoft Corporation 5.01.2600.2180
profmap.dll Userenv Microsoft Corporation 5.01.2600.2180
psapi.dll Process Status Helper Microsoft Corporation 5.01.2600.2180
R000000000008.clb
regapi.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASWINLO.dll SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com 1.00.0000.1028
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2180
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2180
shsvcs.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.2180
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2180
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2518
winlogon.exe
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winscard.dll Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wlnotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180

======explorer.exe.txt======
Process PID CPU Description Company Name
System Idle Process 0 84.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 416 Windows NT Session Manager Microsoft Corporation
csrss.exe 464 1.33 Client Server Runtime Process Microsoft Corporation
winlogon.exe 488
explorer.exe 1348 1.33 Windows Explorer Microsoft Corporation
zHotkey.exe 1460 Chicony Multimedia Driver Chicony
mcvsshld.exe 1484 McAfee VirusScan ActiveShield Resource McAfee, Inc.
McVSEscn.exe 1524 McAfee VirusScan E-mail Scan Module McAfee, Inc.
oasclnt.exe 1492 McAfee VirusScan OAS Client McAfee, Inc.
jusched.exe 1528 Java(TM) Platform SE binary Sun Microsystems, Inc.
googletalk.exe 1552 Google Talk Google
iexplore.exe 3148 Internet Explorer Microsoft Corporation
procexp.exe 2772 10.67 Sysinternals Process Explorer Sysinternals

Process: explorer.exe Pid: 1348

Name Description Company Name Version
abg_plugin.dll 2.01.0000.0001
acgenral.dll Windows Compatibility DLL Microsoft Corporation 5.01.2600.2180
AcroIEHelper.dll Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated 7.00.0009.0050
AcroIEHelper.dll Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated 7.00.0009.0050
actxprxy.dll ActiveX Interface Marshaling Library Microsoft Corporation 6.00.2900.2180
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
AlbuDBps.dll Album Database Proxy/Stub DLL Logitech Inc. 8.02.0000.1192
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
atl.dll ATL Module for Windows XP (Unicode) Microsoft Corporation 3.05.2284.0000
batmeter.dll Battery Meter Helper DLL Microsoft Corporation 6.00.2900.2180
browselc.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.2180
browseui.dll Shell Browser UI Library Microsoft Corporation 6.00.2900.2518
cfgmgr32.dll Configuration Manager Forwarder DLL Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0258
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
cp1041.nls
credui.dll Credential Manager User Interface Microsoft Corporation 5.01.2600.2180
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cryptnet.dll Crypto Network Related API Microsoft Corporation 5.131.2600.2180
cryptui.dll Microsoft Trust UI Provider Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
davclnt.dll Web DAV Client DLL Microsoft Corporation 5.01.2600.2180
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.2180
drprov.dll Microsoft Terminal Server Network Provider Microsoft Corporation 5.01.2600.2180
explorer.exe Windows Explorer Microsoft Corporation 6.00.2900.2180
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2180
GdiPlus.dll Microsoft GDI+ Microsoft Corporation 5.01.3102.2180
hccutils.dll hccutils Module Intel Corporation 3.00.0000.2104
HKNTDLL.dll
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180
igfxdev.dll igfxdev Module Intel Corporation 3.00.0000.2104
igfxpph.dll igfxpph Module Intel Corporation 3.00.0000.2104
igfxres.dll xxxxres Module Intel Corporation 3.00.0000.2104
igfxsrvc.dll igfxsrvc Module Intel Corporation 3.00.0000.2104
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
index.dat
index.dat
index.dat
index.dat
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
linkinfo.dll Windows Volume Tracking Microsoft Corporation 5.01.2600.2180
locale.nls
McVSSkt.Dll McAfee VirusScan Winsock Helper DLL McAfee, Inc. 10.00.0000.0026
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msi.dll Windows Installer Microsoft Corporation 3.00.3790.2180
msimg32.dll GDIEXT Client DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
Msvcr71.dll Microsoft® C Runtime Library Microsoft Corporation 7.10.3052.0004
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
netrap.dll Net Remote Admin Protocol DLL Microsoft Corporation 5.01.2600.2180
netshell.dll Network Connections Shell Microsoft Corporation 5.01.2600.2180
netui0.dll NT LM UI Common Code - GUI Classes Microsoft Corporation 5.01.2600.2180
netui1.dll NT LM UI Common Code - Networking classes Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntlanman.dll Microsoft® Lan Manager Microsoft Corporation 5.01.2600.2180
ntshrui.dll Shell extensions for sharing Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2180
oleaut32.dll Microsoft Corporation 5.01.2600.2180
olepro32.dll Microsoft Corporation 5.01.2600.2180
pdfshell.dll PDF Shell Extension Adobe Systems, Inc. 7.00.0000.0000
powrprof.dll Power Profile Helper DLL Microsoft Corporation 6.00.2900.2180
R000000000008.clb
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2180
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.2180
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SASSEH.DLL ShellExecuteHook SuperAdBlocker.com 1.00.0000.1008
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
sensapi.dll SENS Connectivity API DLL Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shdoclc.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.2180
shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation 6.00.2900.2518
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2180
shimeng.dll Shim Engine DLL Microsoft Corporation 5.01.2600.2180
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2180
sortkey.nls
sorttbls.nls
ssdpapi.dll SSDP Client API DLL Microsoft Corporation 5.01.2600.2180
sti.dll Still Image Devices client DLL Microsoft Corporation 5.01.2600.2180
stobject.dll Systray shell service object Microsoft Corporation 5.01.2600.2180
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
tapi32.dll Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
themeui.dll Windows Theme API Microsoft Corporation 6.00.2900.2180
unicode.nls
upnp.dll Universal Plug and Play API Microsoft Corporation 5.01.2600.2180
upnpui.dll UPNP Tray Monitor and Folder Microsoft Corporation 5.01.2600.2180
urlmon.dll OLE32 Extensions for Win32 Microsoft Corporation 6.00.2900.2518
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2180
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
webcheck.dll Web Site Monitor Microsoft Corporation 6.00.2900.2180
winhttp.dll Windows HTTP Services Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2518
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wmpband.dll Windows Media Player Microsoft Corporation 9.00.0000.3250
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
wuapi.dll Windows Update Client API Microsoft Corporation 5.04.3790.2182
wzcdlg.dll Wireless Zero Configuration Service UI Microsoft Corporation 5.01.2600.2180
wzcsapi.dll Wireless Zero Configuration service API Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180
zipfldr.dll Compressed (zipped) Folders Microsoft Corporation 6.00.2900.2180

=====notify.txt======

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon
Logoff REG_SZ SABWINLOLogoff
Startup REG_SZ SABWINLOStartup
Shutdown REG_SZ SABWINLOShutdown
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

====awf.txt====

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\_OTMoveIt\MovedFiles\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

====HJt log======
Logfile of HijackThis v1.99.1
Scan saved at 5:18:25 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} - http://www.snapfish.com/SnapfishUpload.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
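The three log types in this post (a Process Explorer DLL list for winlogon.exe, a REG.EXE dump of the Winlogon\Notify key, and a HijackThis log) are usually read by eye. The script below is an added example, not part of the original post or of any tool used in the thread, that does the same cross-checks mechanically: every Notify DllName should show up in winlogon's module list, any Notify DLL that is not Microsoft-labelled gets flagged, any third-party DLL inside winlogon with no Notify registration gets flagged (it arrived by some other route), and the 19 repeated O10 lines collapse to one count per file. The embedded samples are short subsets copied from the logs above; the vendor heuristic keys only on the literal "Microsoft Corporation" company string because Process Explorer's space-separated export cannot be split into description and company reliably, and the assumption that HijackThis prints one O10 line per Winsock catalog entry is inferred from the repeats in the post, not from HJT documentation.

```python
# Added example: offline triage of the three log types in the post above. Not from the post
# or any tool in the thread; samples are subsets of the posted logs, heuristics are assumptions.
import re
from collections import Counter

# Constructed sample: part of the Process Explorer DLL list for winlogon.exe (PID 488).
PROCEXP_WINLOGON = """
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
ctype.nls
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
SASWINLO.dll SUPERAntiSpyware WinLogon Processor SUPERAntiSpyware.com 1.00.0000.1028
winlogon.exe
wlnotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
"""

# Constructed sample: part of the REG.EXE dump of the Winlogon\Notify key.
REG_NOTIFY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DllName REG_SZ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Logon REG_SZ SABWINLOLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
DllName REG_EXPAND_SZ crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
DLLName REG_SZ igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
"""

# Constructed sample: HijackThis lines; two of the 19 identical O10 lines from the post.
HJT_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

DLLNAME_RE = re.compile(r"^DllName\s+REG_(?:EXPAND_)?SZ\s+(.+)$", re.IGNORECASE)
HJT_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")


def classify_modules(procexp_text):
    """module basename (lowercased) -> 'microsoft' | 'third-party' | 'no-version-info'.
    Assumption: only the literal 'Microsoft Corporation' string is keyed on; a one-token
    line is a file without a version resource (.nls/.clb data, or the process image)."""
    kinds = {}
    for line in filter(None, map(str.strip, procexp_text.splitlines())):
        name, _, rest = line.partition(" ")
        kinds[name.lower()] = ("no-version-info" if not rest
                               else "microsoft" if "Microsoft Corporation" in rest
                               else "third-party")
    return kinds


def notify_dlls(reg_text):
    """Winlogon\\Notify subkey name -> basename of its DllName (lowercased)."""
    result, subkey = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            subkey = line.rsplit("\\", 1)[-1]          # last path component = subkey name
        elif subkey and (m := DLLNAME_RE.match(line)):
            result[subkey] = m.group(1).rsplit("\\", 1)[-1].lower()
    return result


def triage_winlogon(kinds, notify):
    """(flagged, not_loaded): Notify DLLs in winlogon that are not Microsoft-labelled, and
    Notify DLLs missing from the snapshot (find out why rather than assuming benign)."""
    flagged, not_loaded = {}, {}
    for subkey, dll in notify.items():
        kind = kinds.get(dll)
        if kind is None:
            not_loaded[subkey] = dll
        elif kind != "microsoft":
            flagged[subkey] = dll
    return flagged, not_loaded


def unregistered_third_party(kinds, notify):
    """Third-party DLLs inside winlogon with no Notify registration: they got into the
    logon process by some other route and each one needs an explanation."""
    registered = set(notify.values())
    return {m for m, k in kinds.items() if k == "third-party" and m not in registered}


def hjt_lsp_summary(hjt_text):
    """Collapse O10 lines to {path: occurrences}. Assumption from the repeats in the post:
    HJT prints one O10 line per Winsock catalog entry the file appears in."""
    counts = Counter()
    for line in map(str.strip, hjt_text.splitlines()):
        m = HJT_RE.match(line)
        if m and m.group(1) == "O10":
            counts[m.group(2).split(":", 1)[1].strip().lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    kinds, notify = classify_modules(PROCEXP_WINLOGON), notify_dlls(REG_NOTIFY)
    print("non-Microsoft Notify DLLs in winlogon / Notify DLLs not loaded:", triage_winlogon(kinds, notify))
    print("third-party DLLs in winlogon without a Notify entry:", unregistered_third_party(kinds, notify))
    print("Winsock LSP files HJT could not identify:", hjt_lsp_summary(HJT_LOG))
```

On the sample data this reports SASWINLO.dll as the only non-Microsoft Notify DLL loaded in winlogon, igfxsrvc.dll as registered under igfxcui but absent from the winlogon snapshot, no unregistered third-party DLL in winlogon, and msnetax.dll as the one file HJT could not identify. Two caveats: the company string comes from the file's version resource, which anyone who writes the file controls, so a "microsoft" verdict here is only a first sort and the files that matter still need a signature or hash check; and the script reports what HijackThis reported about msnetax.dll, nothing more, so it points at what to verify next rather than delivering a verdict.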