Resolved HJT Threads (Resolved spyware and popup issues.)
#1
Member
Join Date: Jul 2004
Posts: 41
OS: XP
New log for you.
I think I have some crap by Aurora. I emailed them and complained and they gave me an uninstaller, but that didn't clean everything. I've run Ad-Aware, Spybot, HouseCall, and HijackThis; I deleted what I could in HijackThis, but here is my new log. Thanks, you guys rock.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:31:31 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\rgr20.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 20,794
OS: XP
Please do the following:

Download L2MFix.
Double click L2mfix.exe & answer Yes when prompted. Then click the Install button to extract the files to a newly created folder named L2mfix.
Close all open programs.
Double click L2mfix.bat.
Select option #2 - Run Fix - by typing 2.
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.
If you receive an error - \system32\Autoexec.nt is not suitable for running MS-DOS applications - you will need to visit this website to download additional files.
Please Do NOT run any other files in the l2mfix folder until you are told to.
#3
Member
Join Date: Jul 2004
Posts: 41
OS: XP
Thanks sUBs.
L2Mfix 1.03d

Running From:
C:\Documents and Settings\scott\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\scott\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\scott\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1464 'explorer.exe'
Killing PID 1464 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 212 'rundll32.exe'
Killing PID 432 'rundll32.exe'
Killing PID 476 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\decpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\decpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\isxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\isxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgr20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgr20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rir20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rir20.dll
1 file(s) copied.

deleting: C:\WINDOWS\system32\decpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\decpcsvc.dll
deleting: C:\WINDOWS\system32\decpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\decpcsvc.dll
deleting: C:\WINDOWS\system32\isxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\isxrtmgr.dll
deleting: C:\WINDOWS\system32\isxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\isxrtmgr.dll
deleting: C:\WINDOWS\system32\rgr20.dll
Successfully Deleted: C:\WINDOWS\system32\rgr20.dll
deleting: C:\WINDOWS\system32\rgr20.dll
Successfully Deleted: C:\WINDOWS\system32\rgr20.dll
deleting: C:\WINDOWS\system32\rir20.dll
Successfully Deleted: C:\WINDOWS\system32\rir20.dll
deleting: C:\WINDOWS\system32\rir20.dll
Successfully Deleted: C:\WINDOWS\system32\rir20.dll

Zipping up files for submission:
adding: decpcsvc.dll (164 bytes security) (deflated 48%)
adding: isxrtmgr.dll (164 bytes security) (deflated 48%)
adding: rgr20.dll (164 bytes security) (deflated 48%)
adding: rir20.dll (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 80%)
adding: readme.txt (164 bytes security) (deflated 51%)
adding: test.txt (164 bytes security) (deflated 80%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA.reg (164 bytes security) (deflated 70%)
adding: backregs/6E720096-4D23-4BB3-B34B-08B36F96D15D.reg (164 bytes security) (deflated 70%)
adding: backregs/A7C85046-450F-4D00-9152-42189EE0133C.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: decpcsvc.dll
deleting local copy: decpcsvc.dll
deleting local copy: isxrtmgr.dll
deleting local copy: isxrtmgr.dll
deleting local copy: rgr20.dll
deleting local copy: rgr20.dll
deleting local copy: rir20.dll
deleting local copy: rir20.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\decpcsvc.dll
C:\WINDOWS\system32\decpcsvc.dll
C:\WINDOWS\system32\isxrtmgr.dll
C:\WINDOWS\system32\isxrtmgr.dll
C:\WINDOWS\system32\rgr20.dll
C:\WINDOWS\system32\rgr20.dll
C:\WINDOWS\system32\rir20.dll
C:\WINDOWS\system32\rir20.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6E720096-4D23-4BB3-B34B-08B36F96D15D}"=-
"{0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA}"=-
"{A7C85046-450F-4D00-9152-42189EE0133C}"=-

[-HKEY_CLASSES_ROOT\CLSID\{6E720096-4D23-4BB3-B34B-08B36F96D15D}]

[-HKEY_CLASSES_ROOT\CLSID\{0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA}]

[-HKEY_CLASSES_ROOT\CLSID\{A7C85046-450F-4D00-9152-42189EE0133C}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************

Desktop.ini Contents:
****************************************************************************
****************************************************************************

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:21:53 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: riku.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of KRC HijackThis Analyzer Log.
====================================================================
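The interesting part of the L2MFix output above is the export of HKLM\...\Winlogon\Notify, because every DLL registered there is loaded into winlogon.exe at logon, which is how the rgr20.dll entry from the first HijackThis log (the O20 line) survived the earlier cleaners. The .reg format stores some DllName values as REG_EXPAND_SZ, written as hex(2) byte lists with backslash line continuations, so they are not greppable as plain text. The following is an added example, not part of the thread and not L2MFix's own code: it parses such an export, decodes the hex(2) values, and reports any subkey whose DLL is not one of the notification packages that ship with XP. The stock-DLL allowlist and the sample export are constructed for the example; the sample is modelled on the export above with the "App Management" entry pointing at rgr20.dll as the first log reported.

```python
import re
from typing import Dict

# Notification DLLs that ship with Windows XP SP1 (lower-case base names).
# Constructed allowlist for this example: anything else registered under
# Winlogon\Notify is loaded into winlogon.exe at every logon and deserves scrutiny.
STOCK_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def decode_hex2(value: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def parse_notify_export(text: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey name to the DLL its DllName value names."""
    # .reg files wrap long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    prefix = NOTIFY_KEY.lower() + "\\"
    entries: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")  # "[-KEY]" is a deletion; same key name
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if current is None:
            continue
        m = re.match(r'"dllname"=(.*)$', line, re.IGNORECASE)  # "DllName" or "DLLName"
        if not m:
            continue
        value = m.group(1).strip()
        if value.startswith('"') and value.endswith('"'):
            dll = value[1:-1].replace("\\\\", "\\")  # REG_SZ: backslashes are doubled
        elif value.lower().startswith("hex(2):"):
            dll = decode_hex2(value[len("hex(2):"):])
        else:
            dll = value
        entries[current] = dll
    return entries


def suspicious_notify_entries(text: str) -> Dict[str, str]:
    """Return subkeys whose DLL is not one of the stock XP notification packages."""
    return {
        name: dll for name, dll in parse_notify_export(text).items()
        if dll.rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY_DLLS
    }


# Constructed sample export, modelled on the one in the L2MFix log, plus the
# "App Management" -> rgr20.dll entry the first HijackThis log reported (O20 line).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"DLLName"="C:\\WINDOWS\\system32\\rgr20.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
"""

if __name__ == "__main__":
    for name, dll in suspicious_notify_entries(SAMPLE_EXPORT).items():
        print(f"non-stock Winlogon notify package: {name} -> {dll}")
```

Feed it a real export (regedit's "Export" on the Notify key, or the block L2MFix prints) and it will list only the non-stock packages; a full path under system32 with a random-looking name, as here, is the Look2Me pattern the thread is cleaning. The allowlist is the XP SP1 set; on a later service pack or a machine with third-party logon software (smart-card middleware, VPN clients) extend it after checking the file's publisher rather than deleting on sight.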
#4
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hi and Welcome to TSF
Next pass............

Please DISABLE Spybot's TeaTimer and LEAVE IT OFF until the fix is complete!

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running. Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).

Go to My Computer -> Tools -> Folder Options -> View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Please make sure System Restore is enabled by right-clicking on My Computer and going to Properties -> System Restore; find the box for Turn OFF System Restore and make sure it's NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download DelDomains.inf: right-click and select Save Target As. To use it: right-click and select Install (no need to restart).
**Note** This will remove all entries in the "Trusted Zone".

Download and install CleanUp! but do not run it yet.
*NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite. After the updates are installed, exit Ewido.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - Global Startup: riku.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories etc. enabled if it applies to your OS.)

C:\WINDOWS\System32\ssgxld.exe
C:\WINDOWS\seeve.exe
riku.exe
AUNPS2.DLL <-- locate and delete these 2

Run CWShredder again and click FIX.

Run Ewido:

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back in normal mode, please run an online scan at http://www.pandasoftware.com/actives..._principal.htm . Once it has finished, save the ActiveScan log. Then post that log in your next post along with the Ewido log and the logs from the following tools.

Download WinPFind http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip and save it somewhere you will remember, like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode: restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan a large number of files on your computer for known patterns, so please be patient while it works; it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode. Double-click on "Track qoo.vbs". Note: if your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless! Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs:
WinPFind.txt log
Track qoo.vbs log
Ewido log
Panda scan log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-Aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
Last edited by MicroBell : 08-20-2005 at 11:19 PM.
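The fix list above is built by reading HijackThis lines by section and asking, for each, the same few questions: is the IE search setting hijacked (R1 to about:blank), does a Run entry point at a bare file name or at a loose binary dropped straight into WINDOWS or System32, has a domain been pushed into the Trusted Zone (O15, which is why DelDomains.inf is prescribed), is an ActiveX control (O16) installed with no download source recorded, and does a Winlogon Notify package (O20) name a DLL that is not part of Windows. The following is an added example, not from the thread and not HijackThis's own logic, that encodes those checks in Python and runs them over lines copied from the logs above; the rules and the stock-DLL allowlist are heuristics chosen for this example, and an entry it flags is a candidate to verify, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed allowlist of XP's own Winlogon notification DLLs (lower case).
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}


@dataclass
class Finding:
    line: str
    reason: str


_R1 = re.compile(r"^R[01] - .*(?:Search Bar|SearchURL).*= about:blank$")
_O4 = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
_O15 = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
# First token ending in a loadable extension; lets unquoted paths keep their spaces.
_EXT = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|com|bat|vbs))(?=[\s,]|$)", re.IGNORECASE)
# A file sitting directly in WINDOWS or System32 rather than in a vendor sub-folder.
_WINDIR_DIRECT = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:System32\\)?[^\\]+$", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Return the executable or DLL an O4 entry actually loads ('' if unknown)."""
    cmd = cmd.strip()
    if " = " in cmd:  # Global Startup entries read "foo.lnk = target"
        cmd = cmd.split(" = ", 1)[1].strip()
    if cmd in ("", "?"):  # HijackThis could not resolve the shortcut target
        return ""
    if cmd.startswith('"'):  # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    if cmd.lower().startswith("rundll32"):  # RUNDLL32 lib.dll,Entry -> lib.dll
        parts = cmd.split(None, 1)
        return parts[1].split(",", 1)[0].strip() if len(parts) == 2 else ""
    m = _EXT.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Apply the heuristics above to HijackThis log lines and return what needs a look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if _R1.match(line):
            findings.append(Finding(line, "IE search settings hijacked to about:blank"))
            continue
        m = _O4.match(line)
        if m:
            image = image_path(m.group("cmd"))
            if not image:
                continue
            if "\\" not in image:
                findings.append(Finding(line, "started by bare file name; location unknown"))
            elif _WINDIR_DIRECT.match(image):
                findings.append(Finding(line, "image sits directly in WINDOWS/System32; verify publisher"))
            continue
        if _O15.match(line):
            findings.append(Finding(line, "domain added to IE Trusted Zone (relaxed security settings)"))
            continue
        m = _O16.match(line)
        if m and not m.group("url"):
            findings.append(Finding(line, "ActiveX control with no recorded download source"))
            continue
        m = _O20.match(line)
        if m and m.group("dll").rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY_DLLS:
            findings.append(Finding(line, "non-stock Winlogon notification DLL"))
    return findings


# Lines copied from the HijackThis logs in this thread, mixed good and bad.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
    r"O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run",
    r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
    r"O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe",
    r"O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe",
    r"O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?",
    r"O4 - Global Startup: riku.exe",
    r"O15 - Trusted Zone: *.media-motor.net",
    r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -",
    r"O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\rgr20.dll",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.reason}: {f.line}")
```

Run against the second log above it flags exactly the R1, O4, O15, O16 and O20 entries MicroBell lists, and passes ZoneAlarm, the Belkin UPS shortcut and the HouseCall control, which carries a source URL. The WINDOWS/System32 rule is deliberately noisy: vendor components such as NvCpl.dll also live there, so a hit from that rule means "check the publisher", and the bare-name rule depends on HijackThis having reported no directory, which for riku.exe and AUNPS2.DLL is itself the reason the post tells the user to search for them.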
#5
Member
Join Date: Jul 2004
Posts: 41
OS: XP
Thanks MicroBell. Here is all you asked for but Panda. I can't give you a Panda log; I scanned twice and once it was done the window closed. Here are the other logs. Also, I am having problems accessing some sites; it is telling me that they timed out, but I know they work because I use them at work. One is my ISP site for email and they haven't banned my IP, so I don't know if any of this is related.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"NvMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Adobe.Acrobat.ContextMenu {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
Subkey --- AlphaZipContextMenu {5AD42C8A-F224-4113-9851-8A9A489A0CA6} C:\PROGRA~1\AlphaZIP\AlphaZip.dll
Subkey --- ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} C:\Program Files\ewido\security suite\context.dll
Subkey --- mxnsfkns {8f9e96ed-ec9f-47ad-b882-3bbd48cbe818} C:\WINDOWS\System32\eanrj.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} C:\WINDOWS\System32\cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\rarext.dll
Subkey --- ZFAdd {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} C:\Program Files\WinAce\arcext.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin C:\WINDOWS\system32\SHELL32.dll

=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk

==============================
C:\Documents and Settings\scott\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
desktop.ini

==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MBLLNK.CPL AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_04.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP
Current Build: Service Pack 1
Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/26/2004 11:51:48 PM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cnmirri.exe
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cygjtam.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\cygz.dll
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.bak
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
web-nex 8/18/2005 11:11:12 PM 3965 C:\WINDOWS\mzorj.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 4/28/2005 5:41:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
UPX! 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 8/21/2005 9:38:58 PM 3557 C:\WINDOWS\SYSTEM32\37h52g2c.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\7obevefj.ini
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\9uniq4jm.ini
UPX! 4/27/2005 10:34:26 PM 32256 C:\WINDOWS\SYSTEM32\aaodogso.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\SYSTEM32\cygz.dll
PEC2 8/23/2001 11:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
209.66.67.134 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
web-nex 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
winsync 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
69.59.186.63 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
209.66.67.134 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
web-nex 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
winsync 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\gtrtk8e9.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\lj7k29es.ini
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\SYSTEM32\mqhmaaaa.exe
UPX! 5/23/2002 9:40:44 PM 110080 C:\WINDOWS\SYSTEM32\nlame.dll
UPX! 2/21/2004 3:16:38 AM 654336 C:\WINDOWS\SYSTEM32\pqdvdf.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 6/1/2005 7:56:08 PM 3458 C:\WINDOWS\SYSTEM32\rb10dolf.ini
UPX! 11/11/2003 10:36:10 AM 412672 C:\WINDOWS\SYSTEM32\vbskpro2.ocx
winsync 8/23/2001 11:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/24/2005 7:50:58 PM 2048 C:\WINDOWS\bootstat.dat
H 8/20/2005 6:26:20 PM 54156 C:\WINDOWS\QTFont.qfn
H 8/18/2005 9:31:40 PM 0 C:\WINDOWS\LastGood\INF\oem26.inf
H 8/18/2005 9:31:42 PM 0 C:\WINDOWS\LastGood\INF\oem26.PNF
H 8/24/2005 7:50:06 PM 890 C:\WINDOWS\system32\vsconfig.xml
H 8/24/2005 7:50:54 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/24/2005 7:51:06 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/24/2005 7:50:58 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/24/2005 7:52:02 PM 86016 C:\WINDOWS\system32\config\software.LOG
H 8/24/2005 7:50:58 PM 1159168 C:\WINDOWS\system32\config\system.LOG
SH 8/19/2005 11:51:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e0bb3dce-73a5-42d7-bd73-7877e708d74b
SH 8/19/2005 11:51:18 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/24/2005 7:49:44 PM 190 C:\WINDOWS\Tasks\RUTASK.job
H 8/24/2005 7:49:40 PM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/10/2004 8:09:52 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 2/21/2003 5:58:26 AM 69632 C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 4/1/2005 4:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056
C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl NVIDIA Corporation 7/30/2002 11:50:00 AM 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\nvtuicpl.cpl »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»» Checking files in %ALLUSERSPROFILE%\Startup folder... 8/24/2005 4:50:00 PM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk 8/24/2004 7:08:50 PM 1924 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk 8/18/2004 8:48:42 PM 1652 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk 9/16/2004 6 32 PM 1633 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk2/21/2005 1:02:10 PM 597 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TEW-424UB Utility.lnk Checking files in %ALLUSERSPROFILE%\Application Data folder... Checking files in %USERPROFILE%\Startup folder... Checking files in %USERPROFILE%\Application Data folder... 
4/5/2005 7:59:36 PM 1568 C:\Documents and Settings\scott\Application Data\mpauth.dat 1/12/2005 8:29:12 PM 91 C:\Documents and Settings\scott\Application Data\Sskdmns.dll »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»» [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] MyIE2 = IEAK [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AlphaZipContextMenu {5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnsfkns {8f9e96ed-ec9f-47ad-b882-3bbd48cbe818} = C:\WINDOWS\System32\eanrj.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = 
%SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AlphaZipContextMenu {5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AlphaZipContextMenu {5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\PROGRA~1\SPYBOT~1\SDHelper.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\System32\shdocvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} ButtonText = Create Mobile Favorite : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} ButtonText = Research : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} ButtonText = AIM : C:\Program Files\AIM\aim.exe [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer 
Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer Band = %SystemRoot%\System32\shdocvw.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe ABIT uGuru C:\Program Files\ABIT\ABIT uGuru\uGuru.exe gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" NvMixerTray "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033 Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" Profiler C:\Program Files\Saitek\Software\Profiler.exe SaiSmart C:\Program Files\Saitek\Software\SaiSmart.exe NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit Motive SmartBridge C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe Media Gateway C:\Program Files\Media Gateway\MediaGateway.exe A Verizon App C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] IMAIL Installed = 1 MAPI Installed = 1 MSFS Installed = 1 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1 DisableTaskMgr 0 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop NoChangingWallPaper 0 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 145 NoActiveDesktop 0 NoSaveSettings 0 ClassicShell 0 NoThemesTab 0 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System DisableTaskMgr 0 NoDispAppearancePage 0 NoColorChoice 0 NoSizeChoice 0 NoDispBackgroundPage 0 NoDispScrSavPage 0 NoDispCPL 0 NoVisualStyleChoice 0 NoDispSettingsPage 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder. Scan completed on 8/24/2005 8:00:54 PM --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 10:50:08 PM, 8/21/2005 + Report-Checksum: FC07C19 + Scan result: HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup :mozilla.7:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.9:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.12:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.15:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.16:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup :mozilla.19:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup :mozilla.23:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup :mozilla.29:C:\Documents and 
Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup :mozilla.30:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup :mozilla.46:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.47:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.48:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.49:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup :mozilla.50:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.51:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.52:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.53:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup :mozilla.61:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup :mozilla.65:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.66:C:\Documents and Settings\scott\Application 
Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.67:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.68:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.69:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup :mozilla.71:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.72:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup :mozilla.73:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup :mozilla.74:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup :mozilla.76:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup :mozilla.81:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.82:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup :mozilla.83:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup :mozilla.86:C:\Documents and Settings\scott\Application 
Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.87:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup :mozilla.101:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup :mozilla.105:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with 
backup C:\Documents and Settings\scott\Cookies\scott@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup C:\Documents and Settings\scott\Cookies\scott@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/decpcsvc.dll -> Spyware.Look2Me : Cleaned with backup C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/isxrtmgr.dll -> Spyware.Look2Me : Cleaned with backup C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rgr20.dll -> Spyware.Look2Me : Cleaned with backup C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rir20.dll -> Spyware.Look2Me : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\MediaGateway[1].exe -> Spyware.WinAD : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\SSK3_B5[1].exe -> TrojanDropper.Small.qn : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\stubinstaller5975[1].exe -> TrojanDownloader.Small.asf 
: Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\thin-143-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\Bridge-c139[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\optimize[1].exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\installer_SIAC[1].exe -> TrojanDownloader.Adload.a : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\website[1].ocx -> TrojanDownloader.Agent.ex : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\pcs_0026[1].exe -> Spyware.Pacer : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\recinst[1].exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\SYSsfitb[1].cab/d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\bundle_mediamotor1004[1].exe -> Adware.Saha : Cleaned with backup C:\Documents and 
Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\joysaver[1].cab/m67m.ocx -> Spyware.MediaMotor : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\mm15201518.Stub[1].exe -> Adware.eZula : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\seeve[1].exe -> Spyware.MediaMotor : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\trk_0026[1].exe -> Spyware.Pacer : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\shop1005[1].exe -> Adware.SAHA : Cleaned with backup C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\thin-114-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup C:\WINDOWS\Downloaded Program Files\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup C:\WINDOWS\gtrtk8e9.exe -> Adware.SAHA : Cleaned with backup C:\WINDOWS\system32\9uniq4jm.exe -> Adware.SAHA : Cleaned with backup C:\WINDOWS\system32\wkagp.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Error during cleaning C:\WINDOWS\Temp\ICD1.tmp\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup C:\WINDOWS\Temp\ICD2.tmp\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup ::Report End |
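The "UPX!", "PECompact2", "SAHAgent", "69.59.186.63" and similar tags in the WinPFind log above come from a plain byte-string search: every file under the checked folders is searched for a list of signature strings (packer markers, adware family names, hard-coded IP addresses) and one line is written per matching signature and file, which is why LPT$VPN.604 appears three times. The script below is an added example of that technique, written for this page; it is not WinPFind's code and not anything the poster or the helper ran. The signature list is my reconstruction from the tags visible in the log, not the tool's real signature file, and the files it scans are constructed in a temporary directory so it runs offline.

```python
"""WinPFind-style signature scan of a directory tree (added example).

Reproduces the technique behind the tags in the log: search every file for
raw byte strings and emit "TAG M/D/YYYY H:MM:SS AM|PM SIZE PATH" lines.
The SIGNATURES list is an assumption reconstructed from the log's tags.
"""
import os
import tempfile
from datetime import datetime

# Assumed signature list: packer markers plus adware strings/IPs seen in the log.
SIGNATURES = [
    b"UPX!", b"PECompact2", b"aspack", b"PEC2",        # packers
    b"qoologic", b"SAHAgent", b"web-nex", b"winsync",  # adware families
    b"69.59.186.63", b"209.66.67.134",                 # hard-coded ad/C2 hosts
]
CHUNK = 1 << 20                                   # 1 MiB read size
OVERLAP = max(len(s) for s in SIGNATURES) - 1     # keeps straddling matches


def tags_for_bytes(data: bytes) -> list:
    """Every signature present in data (case-insensitive), in list order."""
    low = data.lower()
    return [s.decode() for s in SIGNATURES if s.lower() in low]


def scan_file(path: str) -> list:
    """Scan one file in chunks (the log shows 14 MB files); the last OVERLAP
    bytes of each chunk are prepended to the next so a signature split across
    a chunk boundary is still found."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            found.update(tags_for_bytes(tail + chunk))
            tail = chunk[-OVERLAP:]
    return [s.decode() for s in SIGNATURES if s.decode() in found]


def winpfind_time(ts: float) -> str:
    """WinPFind's unpadded US timestamp, e.g. 8/26/2004 11:51:48 PM."""
    t = datetime.fromtimestamp(ts)
    ampm = "AM" if t.hour < 12 else "PM"
    return f"{t.month}/{t.day}/{t.year} {t.hour % 12 or 12}:{t.minute:02d}:{t.second:02d} {ampm}"


def scan_tree(root: str) -> list:
    """Return (tag, timestamp, size, path) for every signature hit under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            for tag in scan_file(path):
                hits.append((tag, winpfind_time(st.st_mtime), st.st_size, path))
    return hits


def format_line(hit) -> str:
    tag, when, size, path = hit
    return f"{tag} {when} {size} {path}"


def make_demo_tree() -> str:
    """Constructed sample files (not taken from the infected machine)."""
    root = tempfile.mkdtemp(prefix="winpfind_demo_")
    samples = {
        "cnmirri.exe": b"MZ" + b"\0" * 60 + b"UPX0UPX1" + b"UPX!" + b"\0" * 32,
        "eanrj.dll": b"MZ" + b"\0" * 60 + b"winsync\0http://69.59.186.63/\0web-nex",
        "readme.txt": b"nothing to see here",
        # "PECompact2" starts 2 bytes before the first chunk ends: tests OVERLAP
        "pattern.604": b"MZ" + b"\0" * (CHUNK - 4) + b"PECompact2" + b"SAHAgent",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan_tree(make_demo_tree()):
        print(format_line(hit))
```

Read the output the way the log's own warning tells you to: a tag is a lead, not a verdict. A packer marker only says the file is compressed, and a family name inside a file can just as well be a detection string. The LPT$VPN.604, VPTNFILE.604 and vsapi32.dll entries in the log are Trend Micro pattern and engine files left by the HouseCall scan the poster mentioned, which is exactly the kind of benign hit a string scanner produces. What makes eanrj.dll and fsjfsdj.dll in System32 worth attention is the combination: random eight-letter names, timestamps from the day of the scan, hard-coded IP strings, and (for eanrj.dll) a shell context-menu handler registration under a second random name, mxnsfkns, in the registry section of the same log.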
#6 (permalink)
Member
Join Date: Jul 2004
Posts: 41
OS: XP
Thanks MicroBell. Here is all you asked for but Panda. I can't give you a Panda log; I scanned twice and once it was done the window closed. Here are the other logs. Also I am having problems accessing some sites; it is telling me that they timed out, but I know they work because I use them at work. One is my ISP site for email, and they haven't banned my IP, so I don't know if any of this is related.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"NvMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Adobe.Acrobat.ContextMenu {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
Subkey --- AlphaZipContextMenu {5AD42C8A-F224-4113-9851-8A9A489A0CA6} C:\PROGRA~1\AlphaZIP\AlphaZip.dll
Subkey --- ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} C:\Program Files\ewido\security suite\context.dll
Subkey --- mxnsfkns {8f9e96ed-ec9f-47ad-b882-3bbd48cbe818} C:\WINDOWS\System32\eanrj.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} C:\WINDOWS\System32\cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\rarext.dll
Subkey --- ZFAdd {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} C:\Program Files\WinAce\arcext.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin C:\WINDOWS\system32\SHELL32.dll

=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk

==============================
C:\Documents and Settings\scott\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
desktop.ini
===========
