Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
11-30-2006, 12:58 PM   #1
jooools (Registered User; Join Date: Feb 2005; Posts: 69; OS: Vista Home Premium)

Browser Hijacked

Hi!

My Homepage does not load correctly anymore - it re-directs to porn sites. I've updated and run all my anti-virus programmes but the problem persists.

Hope you can help. Thanks in advance.

Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 19:53:48, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [IE New Window Maximizer] "C:\Program Files\IE New Window Maximizer\iemaximizer.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
11-30-2006, 05:51 PM   #2
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,318; OS: XP SP3)

Hello and welcome to TSF.

First you'll need to place HijackThis.exe in a folder of its own for it to function properly. Click on an empty space on the desktop, then go to New>Folder to create a folder. Name the folder HijackThis. Drag and drop the HijackThis.exe into the new folder.

You have a kind of infection in which the infected files change and take a different name every time you reboot your computer. So, it's best if you don't reboot until we make sure the infection is removed. I would also like to find out if you have any malware disabled with selective start-up.


Copy/paste the following text into a new Notepad (not WordPad) document. Make sure that Word Wrap is unchecked (via Format).

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt


Go to File > Save As at the top of the Notepad window and save it as msconfiglook.bat, with Save as type: All Files (not as a text document, or it won't work).
Select the Desktop icon on the left to save it on the desktop.

Locate msconfiglook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the cmd window will close automatically and the text file will be deleted.

================================================

We'll also need to disable Spyware Doctor so that it will not interfere with the fixes

To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.

================================================

Please save or print these instructions before beginning.

================================================

Open HijackThis. Please close all browsers, windows, applications, email, etc., except HijackThis. Then scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11


Make sure that all browsers, etc. are closed and click on "fix checked". Exit HijackThis.
================================================

Please download FixWareout by LonnyRJones from one of these sites and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
  • Run Fixwareout.
  • Click Next,
  • then Install,
  • make sure Run fixit is checked
  • and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.

Once back in Windows, close all web browsers.
  • Go into Control Panel>Network Connections.
  • Right click on your connection
  • and click Properties.
  • On the Properties page, highlight Internet Protocol(TCP/IP)
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the ok button. The page will close.
  • Press ok on the page in front of you.
  • Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:
  • ipconfig /flushdns
  • Hit Enter
  • Exit the command window
  • Restart the computer.
  • Start the Internet and IE.
  • Open this file c:\fixwareout\report.txt and post the contents of it, along with the msconfiglook.bat, and a new HijackThis log please.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
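The six entries picked out for "fix checked" above share properties a script can test for: a URLSearchHook whose DLL no longer exists, a hosts line written in the wrong order, a wildcard site in the IE Trusted Zone, ActiveX controls pulled from a host nobody meant to trust, and resolvers hard-coded into the TCP/IP interface key. The Python below is an added example, not part of this thread and not HijackThis code; it encodes those rules and runs them over lines copied from the log posted above. The allow-lists (hosts permitted to install ActiveX controls, sites permitted in the Trusted Zone) and the assumption that DNS should arrive via DHCP are placeholders to adapt to the machine being cleaned.

```python
"""Rule-based triage of a HijackThis v1.99 log.

Added example, not code from the thread or from HijackThis. Sample lines
are copied from the log posted above; the allow-lists and EXPECT_DHCP_DNS
are assumptions a responder adapts per machine.
"""
import re
from urllib.parse import urlparse

# Copied from the HijackThis log posted above (a subset, not constructed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumptions (not from the thread): domains allowed to serve ActiveX
# controls (O16), sites allowed in the Trusted Zone (O15), and whether the
# box should get its resolvers from DHCP rather than a static O17 entry.
DPF_ALLOWED_HOSTS = ("microsoft.com", "windowsupdate.com", "sun.com", "java.com", "macromedia.com")
TRUSTED_ZONE_ALLOWED = ()
EXPECT_DHCP_DNS = True


def host_allowed(host, allowed):
    """True when host equals, or is a subdomain of, an allowed domain."""
    host = host.lower().lstrip("*.")
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage_line(line):
    """Return a reason string when the line deserves a fix, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, payload = m.groups()
    if section == "R3" and payload.endswith("(no file)"):
        return "orphaned URLSearchHook: CLSID registered but its DLL is gone"
    if section == "O1":
        tokens = payload.split(":", 1)[1].split()
        if not tokens or not IPV4_RE.match(tokens[0]):
            return "hosts entry not in 'IP hostname' order (hosts file was rewritten)"
        if tokens[0] != "127.0.0.1" and len(tokens) > 1:
            return "hosts entry redirects %s to %s" % (tokens[1], tokens[0])
    if section == "O15":
        site = payload.split(":", 1)[1].strip()
        if not host_allowed(site, TRUSTED_ZONE_ALLOWED):
            return "site added to the IE Trusted Zone: %s" % site
    if section == "O16":
        host = urlparse(payload.rsplit(" - ", 1)[-1]).hostname or ""
        if not host_allowed(host, DPF_ALLOWED_HOSTS):
            return "ActiveX control installed from unexpected host: %s" % host
    if section == "O17" and "NameServer" in payload and EXPECT_DHCP_DNS:
        return "static DNS resolvers set in the registry: %s" % payload.split("=", 1)[1].strip()
    if section == "O23" and "Unknown owner" in payload and payload.endswith("(file missing)"):
        return "service from an unknown publisher whose binary is missing"
    return None


def triage_log(text):
    """Return [(log line, reason)] for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print("%-72s <- %s" % (line[:72], reason))
```

Run on the full log, the O23 rule also catches the orphaned WinPcap rpcapd service, which is stale rather than malicious; the output is a worklist for a person to review, not something to feed straight into "fix checked".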
12-01-2006, 01:47 AM   #3
jooools (Registered User; Join Date: Feb 2005; Posts: 69; OS: Vista Home Premium)

Hi - thanks for the response.

msconfiglook.bat reads as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\InterVideo\\Common\\Bin\\WinCinemaMgr.exe "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\SpySub.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Julian^Start Menu^Programs^Startup^SpywareGuard.lnk]
"path"="C:\\Documents and Settings\\Julian\\Start Menu\\Programs\\Startup\\SpywareGuard.lnk"
"backup"="C:\\WINDOWS\\pss\\SpywareGuard.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SPYWAR~1\\sgmain.exe "
"item"="SpywareGuard"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Admanager Controller]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdManCtl"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdStatus Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdStatServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\almgr.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="almgr"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\almgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneDVDElbyDelay]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ElbyCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Elaborate Bytes\\CloneDVD\\ElbyCheck.exe\" /L ElbyDelay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmtwl.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmtwl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dmtwl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVD43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDRegionFree"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DVD Region+CSS Free\\DVDRegionFree.exe\" /hidden"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dvx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wsxsvc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hyandex]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zantu"
"hkey"="HKCU"
"command"="zantu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\install2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lpt"
"hkey"="HKCU"
"command"="lpt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MON76234]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scanSYS"
"hkey"="HKCU"
"command"="scanSYS.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msag]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dePloy"
"hkey"="HKLM"
"command"="dePloy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newdotnet6_38"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NewDotNet\\newdotnet6_38.dll,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\STManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drst"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe\" -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kernels64"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\kernels64.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TrojanScanner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Trjscan"
"hkey"="HKLM"
"command"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\typeconf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="backorif"
"hkey"="HKLM"
"command"="backorif.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnSpyPC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnSpyPC"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VBundleOuterDL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BundleOuter"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VVSN"
"hkey"="HKLM"
"command"="C:\\Program Files\\VVSN\\VVSN.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows FormatAd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinForm"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002




Followed your instructions and deleted the entries in Hijackthis.



I couldn't get Fixwareout to work properly and got this message:

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
please post this at the forum



Also, when I click on Control Panel>Network Connections there is no "properties" option??


Thanks

Jooools
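The export above is a list of everything MSConfig has disabled, and the entries that matter are the ones with no command value at all, a bare filename that Windows resolves through the PATH, rundll32 loading an arbitrary DLL, or an unfamiliar binary dropped straight into C:\WINDOWS or system32. The Python below is an added example, not code from this thread; it parses a REGEDIT4 export with those rules and emits the REGEDIT4 script that deletes the flagged startupreg subkeys (a leading hyphen inside the brackets tells regedit to delete the key, and the file must end with a blank line), together with any subkeys the analyst adds by hand. SAMPLE_EXPORT is abridged from the export above, keeping only the "item" and "command" values; the allow-list of benign bare names and the Windows-directory set are assumptions.

```python
"""Triage MSConfig-disabled startup items from a REGEDIT4 export and build
the REGEDIT4 script that deletes the flagged keys. Added example, not code
from the thread. SAMPLE_EXPORT is abridged from the msconfiglook.bat output
posted above; KNOWN_GOOD_BARE and WINDOWS_DIRS are assumptions."""
import ntpath

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Admanager Controller]
"item"="AdManCtl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\almgr.exe]
"item"="almgr"
"command"="C:\\WINDOWS\\system32\\almgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDTray]
"item"="CloneCDTray"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hyandex]
"item"="zantu"
"command"="zantu.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"item"="dumprep 0 -k"
"command"="%systemroot%\\system32\\dumprep 0 -k"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]
"item"="newdotnet6_38"
"command"="rundll32 C:\\PROGRA~1\\NewDotNet\\newdotnet6_38.dll,NewDotNetStartup -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System]
"item"="kernels64"
"command"="C:\\WINDOWS\\system32\\kernels64.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN]
"item"="VVSN"
"command"="C:\\Program Files\\VVSN\\VVSN.exe"
'''

# Assumed: bare names that legitimately resolve via PATH, and directories
# where a randomly named binary is a red flag on this XP box.
KNOWN_GOOD_BARE = {"cthelper.exe", "nerocheck.exe", "dumprep"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"%systemroot%\system32"}


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a REGEDIT4 (regedit /a) export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            if value.startswith('"'):  # string value: undo REGEDIT4 escaping
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            sections[current][name.strip('"')] = value
    return sections


def executable_of(command):
    """First token of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def suspicious(values):
    """Reason string for a startupreg entry worth removing, else None."""
    command = values.get("command")
    if command is None:
        return "disabled entry has no command: binary already removed or hidden"
    exe = executable_of(command)
    name = ntpath.basename(exe).lower()
    if name in KNOWN_GOOD_BARE:
        return None
    if "\\" not in exe:
        if name == "rundll32":
            return "rundll32 loads a DLL at logon: " + command
        return "bare filename resolved through PATH: " + name
    if ntpath.dirname(exe).lower() in WINDOWS_DIRS:
        return "unknown binary dropped in the Windows directory: " + exe
    return None


def triage_export(text):
    """Map startupreg subkey name -> reason for every suspicious entry."""
    prefix = STARTUPREG + "\\"
    hits = {}
    for key, values in parse_reg_export(text).items():
        reason = suspicious(values) if key.startswith(prefix) else None
        if reason:
            hits[key[len(prefix):]] = reason
    return hits


def build_removal_reg(subkeys):
    """REGEDIT4 text deleting each subkey ('-' in the brackets = delete);
    regedit needs the file to end with a blank line."""
    lines = ["REGEDIT4", ""]
    for name in sorted(subkeys, key=str.lower):
        lines += ["[-%s\\%s]" % (STARTUPREG, name), ""]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = triage_export(SAMPLE_EXPORT)
    for name, reason in flagged.items():
        print(name, "->", reason)
    # The analyst adds names the heuristics cannot know, e.g. known adware.
    print(build_removal_reg(set(flagged) | {"VVSN"}))
```

The heuristics deliberately stop short of judging a tidy-looking path such as C:\Program Files\VVSN\VVSN.exe; that is where the analyst's knowledge of adware names comes in, which is why build_removal_reg takes the union of the flagged keys and a hand-supplied set.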
12-01-2006, 12:40 PM   #4
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Jun 2006; Location: USA; Posts: 7,318; OS: XP SP3)

Hi,

You have a lot of dangerous malware disabled by msconfig, including some backdoor trojans. Your system may have been compromised. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

============================================

Please print these instructions before beginning. Read them carefully and follow them in the order they are presented.
============================================

Please download LSP-Fix. Do not run this tool! You must only run this tool if you cannot connect to the Internet later, after removing NewDotNet. It should then repair your Internet connection.

============================================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix) Do not use it yet, we'll do that later in Safe Mode.

=========================================

Please go to Start>Control Panel>Add/Remove Programs and remove the following, if present:

Trojan Remover
Admanager Controller
UnSpyPC
AdStatus Service
NewDotNet
VVSN


========================================

Make sure that you can see hidden files
· Click Start
· Open My Computer
· Select the Tools menu and click Folder Options
· Select the View Tab
· Under the Hidden files and folders heading select Show hidden files and folders
· Uncheck the Hide protected operating system files (recommended) option
· Click Yes to confirm
· Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

==========================================
Copy/paste the following text inside the quote box into a new notepad document. It must be Notepad, not wordpad. Make sure the "wordwrap" is unchecked in Format.

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Admanager Controller]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdStatus Service]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\almgr.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmtwl.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hyandex]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dvx]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\install2]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MON76234]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msag]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pop06ap]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\typeconf]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnSpyPC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VBundleOuterDL]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows FormatAd]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Save it to your desktop as fixme.reg, with Save as type: All Files. Double-click fixme.reg and answer Yes when asked to merge it into the registry.

Make sure that there is no space before REGEDIT4, and there is a single space after the last line.

===================================

Using Windows Explorer (right-click on Start, click Explore), navigate to and delete these folders, if found:

C:\Program Files\Trojan Remover
C:\Program Files\Admanager Controller
C:\Program Files\UnSpyPC
C:\Program Files\AdStatus Service
C:\Program Files\NewDotNet
C:\Program Files\VVSN

====================================

For the missing AUTOEXEC.NT please do the following:

If you have XP Home, download and use the following:
http://homepage.ntlworld.com/spencer...PHomeFiles.exe

If you have XP Professional, download and use the following:
http://homepage.ntlworld.com/spencer...XPProfiles.exe

It's a self-extracting file and will replace the necessary files.

========================================

Disable Spyware Doctor so that it will not interfere with the fixes.

To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Once your log is clean you can re-enable Spyware Doctor.

================================================

Open HijackThis. Please close all browsers, windows, applications, email, etc., except HijackThis. Then scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - {5CBB43F0-686E-0431-3268-1D5C17AAC40B} - (no file)
O1 - Hosts: localhost 127.0.0.1
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl48bf2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11


Make sure that all browsers, etc. are closed and click on "fix checked". Exit HijackThis.
============================================
Quote:
Also, when I click on Control Panel>Network Connections there is no "properties" option??
The step before that is to "right click on your connection". Usually Local Area Connection for Cable and DSL. Properties will not be available for Network Connections but will be for your connection.

============================================
  • Run Fixwareout.
  • Click Next,
  • then Install,
  • make sure Run fixit is checked
  • and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
When you run Fixwareout, simply follow the prompts; you will need to restart when prompted.

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.

Once back in Windows, close all web browsers.
  • Go into Control Panel>Network Connections.
  • Right click on your connection
  • and click Properties.
  • On the Properties page, highlight Internet Protocol(TCP/IP)
  • Click Properties. This will bring up another page.
  • Select Obtain DNS Server Automatically.
  • Click the ok button. The page will close.
  • Press ok on the page in front of you.
  • Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:
  • ipconfig /flushdns
  • Hit Enter
  • Exit the command window
  • Restart the computer.
  • Start the Internet and IE.
  • Open this file c:\fixwareout\report.txt and post the contents of it, along with the msconfiglook.bat, and a new HijackThis log please.

======================================

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. Click here if you don't know how to do that. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
NOTE: Process.exe is detected by some antivirus programs (AntiVir, Dr.WEB, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

=====================================

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
======================================

Run SDFix that you downloaded earlier.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
=======================================

Finally, update your Java.

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 5.0 Update 10
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_010-windowsi586-p.exe to install the newest version.
=======================================

Post back :

rapport.txt
Report.txt
and a fresh HijackThis log. Let me know how things are now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 12-01-2006, 02:43 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Hi - thanks for the instructions which I have now completed. My latest Hijackthis log is below together with 3 other reports. My browser is still being re-directed - grateful for any further advice.

Cheers

Jooools



Logfile of HijackThis v1.99.0
Scan saved at 21:34:54, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Documents and Settings\Julian\Desktop\New Folder\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O23 - Service: .NETSecurity - Unknown - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

----------------------------------------------------------------------


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


---------------------------------------------------------------


SDFix: Version 1.44
********************

01/12/2006 - 21:12:33.71

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:


File Path:



Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Export:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
C:\Program Files\WinMX\WinMX.exe REG_SZ C:\Program Files\WinMX\WinMX.exe:*:Enabled:WinMX Application
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp REG_SZ C:\Program Files\Kazaa Lite K++\KazaaLite.kpp:*:Enabled:KazaaLite
C:\Program Files\NapMX\NapMX.exe REG_SZ C:\Program Files\NapMX\NapMX.exe:*:Enabled:NapMX
C:\Program Files\BitTorrent\btdownloadgui.exe REG_SZ C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui
C:\Program Files\MSN Messenger\msnmsgr.exe REG_SZ C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0
C:\Program Files\Grisoft\AVG Free\avginet.exe REG_SZ C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe REG_SZ C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe
C:\Documents and Settings\Julian\Desktop\utorrent-1.4.2-beta-build-431.exe REG_SZ C:\Documents and Settings\Julian\Desktop\utorrent-1.4.2-beta-build-431.exe:*:Enabled:µTorrent
C:\Program Files\iTunes\iTunes.exe REG_SZ C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
C:\Program Files\Shareaza\Shareaza.exe REG_SZ C:\Program Files\Shareaza\Shareaza.exe:*:Enabled:Shareaza
C:\Program Files\LimeWire\LimeWire.exe REG_SZ C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
C:\Documents and Settings\Julian\Desktop\utorrent.exe REG_SZ C:\Documents and Settings\Julian\Desktop\utorrent.exe:*:Enabled:µTorrent


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
C:\Program Files\MSN Messenger\msnmsgr.exe REG_SZ C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\Program Files\Common Files\Ahead\AudioPlugins\lpaccodec.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\lpac_codec_api.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\PNCRT.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\atrc3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\auth3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\cook3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv13260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv23260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv33260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv43260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnen3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnvi3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnxr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\ramf3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rare3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rims3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmff3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmse3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmwr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rnlt3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rorw3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtae3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtin3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtve3290.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv103260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv203260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv303260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv403260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rvre3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\sipr3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\smpl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\vsrl3260.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\xmlp3261.dll
C:\Program Files\Common Files\Ahead\AudioPlugins\Common\zipf3260.dll
C:\Program Files\Microsoft Office\MSDE2000\SQLRESLD.DLL
C:\Program Files\Common Files\Ahead\AudioPlugins\AACMP4.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\OFR.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\RMADEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPDEC.EXE
C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPENC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\B724F8875B.sys

FINISHED!



-------------------------------------------------------



SmitFraudFix v2.126

Scan done at 21:05:18.89, 01/12/2006
Run from C:\Documents and Settings\Julian\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julian


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Julian\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Julian\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Old 12-01-2006, 07:37 PM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


Hi Jools,

You seem to be using several P2P file sharing programs like Kazaa, BitTorrent, Utorrent, Shareaza and LimeWire. The nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware. Please note that as long as you're using any form of peer-to-peer networking and downloading files from non-documented sources, the cleanliness of which has not been verified, you can expect infestations of malware to occur.

Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\WINDOWS\system32\B724F8875B.sys
Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

==========================================

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

==========================================

Please print the following instructions so that you'll have access to them when you're disconnected from the internet later.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive. This is important, please do not miss it.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Open AVG AS and click the Scanner icon at the top and then click the Settings Tab.
Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.

==============================================

Open the SmitfraudFix folder you downloaded earlier and double-click smitfraudfix.cmd
Press "4" and then Enter to check for updates.
Don't forget to allow SmiUpdate.exe access through your firewall.
Once it has updated, or if there are no updates available, close the window and the folder.

==============================================

Make sure that you can still see hidden files as instructed before

==============================================

Log off from the internet and disconnect your modem cable for the duration of the fix.

==============================================

Now boot into Safe Mode.

==============================================

Scan with HijackThis and put a checkmark against the following entry and click on "fix checked".

O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11

Exit HijackThis.

===============================================
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "2" and then Enter to start the cleaning process.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then Enter.
The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then press Enter.
Your PC now needs to be rebooted - if this does not happen automatically, you will need to do so manually. Either way, your PC will need to be booted back INTO SAFE MODE.

===============================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user

================================================

Still in Safe Mode:

Make sure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

==============================================

Reboot into Normal Mode.

==============================================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "3" and then Enter to "Delete Trusted Zone".
When prompted "Restore Trusted Zone ?", press "Y" and then Enter.

* Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection *

==============================================
Please post back:
Jotti's results
The AVG A-S log
The text file rapport.txt which can be found in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
For most, this file can be found by double-clicking My Computer and then Local Disk (C:)
A fresh HijackThis log
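The O17 entry targeted above carries the hard-coded name servers that send every lookup to a resolver the user never chose, which is what produces the redirects; the DNS reset in the earlier post removes the value so the interface obtains its servers automatically. As an added example, not code from the thread, from HijackThis or from Fixwareout, this Python parses the O17 lines of a HijackThis log and flags public resolvers that are not on an allowlist; the allowlist range, the second GUID and the router address in the sample are constructed.

```python
"""Detect hard-coded DNS servers in the O17 lines of a HijackThis log.

Added example, not code from the thread, from HijackThis or from Fixwareout.
It parses O17 entries, extracts the NameServer addresses and flags any public
resolver that is not on an allowlist of the resolvers the machine is expected
to use. With "Obtain DNS server address automatically" selected there is no
per-interface NameServer value, so no such O17 line appears at all.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Shape of an O17 line as HijackThis prints it:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip1 ip2
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.+?)\s*$")

# Constructed placeholder for the ISP's resolvers (TEST-NET-3 documentation
# range); replace it with the addresses your provider actually publishes.
ISP_DNS_ALLOWLIST = ["203.0.113.0/24"]

# Constructed sample log. The 85.255.x.x resolvers mirror the O17 entry posted
# in this thread; the second GUID and the 192.168.1.1 router address are made up.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O23 - Service: .NETSecurity - Unknown - C:\WINDOWS\system32\netsecurity.exe (file missing)
"""


@dataclass(frozen=True)
class O17Entry:
    key: str        # registry key, abbreviated the way HijackThis prints it
    name: str       # value name, e.g. NameServer or Domain
    servers: tuple  # whitespace- or comma-separated tokens of the value data


def parse_o17(lines: Iterable[str]) -> list:
    """Return every O17 entry found in the given log lines, in order."""
    entries = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if m is None:
            continue
        tokens = tuple(t for t in re.split(r"[\s,]+", m.group("data")) if t)
        entries.append(O17Entry(m.group("key"), m.group("name"), tokens))
    return entries


def suspicious_name_servers(entries, allowlist) -> list:
    """Return (key, server, reason) for each NameServer token that is not an
    allowlisted address. Private and loopback addresses (a home router or a
    local resolver) are treated as expected and are not reported."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    findings = []
    for entry in entries:
        if entry.name.lower() != "nameserver":
            continue
        for token in entry.servers:
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((entry.key, token, "not an IP address"))
                continue
            if ip.is_private or ip.is_loopback:
                continue
            if not any(ip in net for net in allowed):
                findings.append((entry.key, token, "public resolver not on allowlist"))
    return findings


def report(log_text: str, allowlist=ISP_DNS_ALLOWLIST) -> list:
    """One human-readable line per flagged server."""
    findings = suspicious_name_servers(parse_o17(log_text.splitlines()), allowlist)
    return [f"{key}: {server} ({reason})" for key, server, reason in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Both the CCS and the CS1 copies of the key are reported, which is why the same hijack can reappear after a fix that only touches the current control set.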
Old 12-01-2006, 08:19 PM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


When you're done with the above instructions, please also do this:

Please download AVG Anti-Rootkit Beta here
  • Open AVG Anti-Rootkit Beta.
  • Select Perform in-depth search.
  • When the scan is completed select Save result to file (this is only possible if a rootkit or rootkits were found).
  • Save the log as a .txt file to your desktop and post the log in your next reply.
Old 12-02-2006, 04:34 AM   #8 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Hi - followed the instructions and my latest hijackthis log and AVG Anti-Spyware log are below. The Anti-root kit prog. didn't find anything. My browser is still re-directing.

Grateful for your advice.

Logfile of HijackThis v1.99.0
Scan saved at 11:27:30, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Julian\Desktop\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Pictures - {C7486E80-B111-4768-995E-23CF307346FC} - C:\Program Files\UnH Solutions\Flash and Pics Control\FPCButton.dll (HKCU)
O23 - Service: .NETSecurity - Unknown - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------------------------------------------



AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:10:04 02/12/2006

+ Scan result:



HKU\S-1-5-21-1202660629-2111687655-1957994488-1003\Software\Dvx -> Adware.Delfin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379256.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379257.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379258.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379259.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379260.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0379261.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\CKDEVCON.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\en4sl1h71.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ia50_qc.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\k6nolg5316.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kzdcz1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mmdadiag.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o648lghu1648.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\oidbse32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qogrprxy.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\shrrun.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\t28ulcl91fq.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wa2_32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\xdob2res.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system\UpdInstall.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0377114.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0377115.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0377116.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\almgr.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP428\A0356171.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP430\A0359293.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP446\A0377063.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP447\A0381701.exe -> Downloader.Zlob : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP430\A0359279.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP447\A0381712.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP417\A0345288.exe -> Hijacker.Agent.ie : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP419\A0349437.exe -> Hijacker.Agent.ie : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SecTaskMan\AIRORS.006.q_8041400_q -> Not-A-Virus.Monitor.Win32.Ardamax.24 : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SecTaskMan\AIRORS.007.q_8041200_q -> Not-A-Virus.Monitor.Win32.Ardamax.24 : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SecTaskMan\AIRORS.exe.q_8047804_q -> Not-A-Virus.Monitor.Win32.Ardamax.24 : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Ahead\AudioPlugins\LS_Nero_mp3PRO_Encoder_Plugin.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Program Files\Microsoft Office\Office10\OfficeXP_Activator.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP412\A0336077.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP412\A0337077.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP412\A0338081.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP432\A0362558.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP411\A0335067.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP411\A0335070.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP447\A0383845.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\Documents and Settings\Julian\Local Settings\Tempmetasploit.exe -> Trojan.DNSChanger.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP428\A0356151.exe -> Trojan.DNSChanger.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP441\A0365859.exe -> Trojan.DNSChanger.en : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lqzdj.exe -> Trojan.DNSChanger.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP430\A0359281.exe -> Trojan.LipGame.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP430\A0359286.exe -> Trojan.LipGame.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP447\A0381715.exe -> Trojan.LipGame.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{667E42A4-B5CC-4DE4-8637-B76C14B7FFAF}\RP447\A0381720.exe -> Trojan.LipGame.bi : Cleaned with backup (quarantined).


::Report end
Old 12-02-2006, 05:26 AM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


Jotti's results and the C:\rapport.txt too, please.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 12-02-2006, 06:29 AM   #10 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Here are the results:


SmitFraudFix v2.126

Scan done at 8:53:06.02, 02/12/2006
Run from C:\Documents and Settings\Julian\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


------------------------------------------------------------





File: B724F8875B.sys
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 882e487dab4f47bdb675bc4b482a6337
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing




»»»»»»»»»»»»»»»»»»»»»»»» End
Old 12-02-2006, 11:13 AM   #11 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


Hi Jooools,

You are still running HijackThis.exe from the desktop. The backups will be all over your desktop. Please put it in a folder of its own.

Can you do me a favor, please? Click on Start > Run and type or copy/paste the following text:

c:\fixwareout\findt\findt.bat

Press Enter. Save the text to be posted here later.

===================================

Please open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
  • List all minor sections(Full)
  • List Empty Sections(Complete)
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

===================================

Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings.
  • In the AddOn-Options group click the checkboxes for
    • HKCU_IEDesktop.def
    • Jobs.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it. Copy and paste the contents of the report please.
=====================================

Reboot your computer and post a fresh HijackThis log along with the find.bat text, StartupListLog and the WinPFind log, please. You may need to make several posts if too long. Is your browser still being redirected?
Old 12-02-2006, 11:13 AM   #12 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Hi!

Just thought I'd let you know that my system seems to be back to normal, i.e. my home page (Google) is now loading properly and my e-mail is back up and running properly... here's hoping!


Jooools
Old 12-02-2006, 11:18 AM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


Quote:
Just thought I'd let you know that my system seems to be back to normal, i.e. my home page (Google) is now loading properly and my e-mail is back up and running properly... here's hoping!

Great! ... and here I was wondering why your browser was still being hijacked. You don't need to carry out the latest instructions then. Just reboot a couple of times, see how things are, and let me know please.
Old 12-02-2006, 11:26 AM   #14 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Hi,

It says "c:\fixwareout\findt\findt.bat" file not found.

HijackThis StartupList log below:

StartupList report, 02/12/2006, 18:21:22
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Julian\Desktop\saturday folder\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eMule\emule.exe
C:\Documents and Settings\Julian\Desktop\saturday folder\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Julian\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IE New Window Maximizer = C:\Program Files\IE New Window Maximizer\iemaximizer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{17C40175-E1AB-87AE-0503-030805060600}] *
StubPath = C:\WINDOWS\system32\scvhost.exe

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

SpeedTouch Dial-up.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000055-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/fhg.CAB

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

.NETSecurity: C:\WINDOWS\system32\netsecurity.exe (autostart)
3dfxvs: System32\DRIVERS\3dfxvsm.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): System32\DRIVERS\alcan5wn.sys (manual start)
SpeedTouch ADSL Modem ATM Transport: System32\DRIVERS\alcaudsl.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASPI32: System32\drivers\aspi32.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Rootkit: System32\DRIVERS\anti_rkt.sys (system)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Clean Driver: System32\DRIVERS\cleanDrv.sys (system)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dwusbdnt: system32\DRIVERS\dwusbdnt.sys (manual start)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
ElbyDelay: System32\Drivers\ElbyDelay.sys (manual start)
Creative SB Live! (WDM): system32\drivers\emu10k1m.sys (manual start)
Creative Interface Manager Driver (WDM): system32\drivers\ctlfacem.sys (manual start)
E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
NT Apm/Legacy Interface Driver: System32\DRIVERS\NtApm.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINDOWS\system32\PfModNT.sys (autostart)
pgfilter: \??\C:\Program Files\PeerGuardian2\pgfilter.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
PrecSim: system32\DRIVERS\precsim.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Creative SoundFont Manager Driver (WDM): system32\drivers\sfmanm.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{882ACB86-C929-4BDB-830C-B5EDD1BF08DF} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
tmcomm: \??\C:\WINDOWS\system32\drivers\tmcomm.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TVICHW32: \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
U.S. Robotics Voice Modem Driver 1806: System32\DRIVERS\USR1806V.SYS (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 33,352 bytes
Report generated in 0.771 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
jooools is offline  
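An added example for triaging the StartupList report above; this is not code from the poster, from StartupList or from WinPFind2. It parses the `Display Name: image (start type)` lines of the services/drivers section (the ShellServiceObjectDelayLoad lines have the same shape minus the start type), expands `%SystemRoot%`, `\SystemRoot`, `%ProgramFiles%`, the `\??\` NT prefix and the `PROGRA~1` short name, and reports every image that resolves outside the Windows directory or Program Files. The trusted roots assume Windows on C:, and the last two lines of the embedded sample are constructed for the demonstration; they do not appear in the posted log.

```python
"""Triage a StartupList 'services/drivers' section: flag images loaded from
outside the Windows directory or Program Files.

Added example for this thread; it is not StartupList or WinPFind2 code.
Assumes an XP-era layout with Windows on C: (TRUSTED_ROOTS below).
"""
import re

# One report line:  <display name>: <image command line> (<start type>)
# ShellServiceObjectDelayLoad lines use the same shape without a start type.
LINE_RE = re.compile(
    r"^(?P<name>.+?): (?P<cmd>.+?)"
    r"(?: \((?P<start>autostart|manual start|disabled|system)\))?\s*$"
)
# First token ending in .exe/.sys/.dll, quoted or not, before any arguments.
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.(?:exe|sys|dll))"?(?:\s|$)', re.IGNORECASE)

# Assumption: Windows installed on C:. Everything else is "somewhere else".
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
ALIASES = (
    ("%systemroot%", "c:\\windows"),
    ("\\systemroot", "c:\\windows"),
    ("%programfiles%", "c:\\program files"),
    ("c:\\progra~1", "c:\\program files"),   # 8.3 short name, as seen in the log
)


def parse_line(line):
    """Return (name, command, start_type) or None for lines of any other kind."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("cmd"), m.group("start") or "n/a"


def image_path(cmd):
    """Pull the executable/driver path out of a service command line."""
    cmd = cmd.strip()
    if cmd.startswith("\\??\\"):          # NT object-manager prefix on absolute driver paths
        cmd = cmd[4:]
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("img")
    return cmd.strip('"').split()[0]      # e.g. 'svchost -k netsvcs' carries no extension


def normalise(path):
    """Lower-case, expand the aliases above, and root relative paths at the Windows directory."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for alias, real in ALIASES:
        if p.startswith(alias):
            p = real + p[len(alias):]
            break
    if not re.match(r"^[a-z]:\\", p):     # 'System32\DRIVERS\disk.sys' is relative to %SystemRoot%
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def is_trusted(path):
    return normalise(path).startswith(TRUSTED_ROOTS)


def triage(lines):
    """Return (name, image, start_type) for every entry whose image is outside TRUSTED_ROOTS."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, cmd, start = parsed
        img = image_path(cmd)
        if not is_trusted(img):
            findings.append((name, img, start))
    return findings


# Constructed sample: the first seven lines are copied from the report above,
# the last two are made up for this demonstration and are NOT in the posted log.
SAMPLE_REPORT = r"""
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
PfModNT: \??\C:\WINDOWS\system32\PfModNT.sys (autostart)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{882ACB86-C929-4BDB-830C-B5EDD1BF08DF} (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
WebCheck: C:\WINDOWS\System32\webcheck.dll
Windows Update Helper: \??\C:\Documents and Settings\User\Local Settings\Temp\svch0st.exe (autostart)
netfilter2: \??\C:\RECYCLER\S-1-5-21-0\nfdrv.sys (system)
"""

if __name__ == "__main__":
    for name, img, start in triage(SAMPLE_REPORT.splitlines()):
        print(f"[{start}] {name}: {img}")
```

Location is only a first filter: a service installed under Program Files passes it, so anything the script leaves alone still has to be checked by publisher, signature or hash before it is trusted, and anything it flags deserves a look at its start type first (an autostart or system-start image in a user profile, Temp or RECYCLER directory is the classic persistence spot). Fed the service and SSODL lines of the report above, the test flags nothing, which fits the symptom: a start-page redirect usually lives in the IE settings, BHOs, Winlogon or Winsock entries that the later WinPFind2 report enumerates, not in a service.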
Old 12-02-2006, 11:26 AM   #15 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Logfile created on: 02/12/2006 18:25:50
WinPFind2 by OldTimer - Version 1.0.15 Folder = C:\Documents and Settings\Julian\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\progra~1\grisoft\avgfre~1\avgamsvr.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgcc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgemc.exe - (GRISOFT, s.r.o. )
c:\progra~1\grisoft\avgfre~1\avgupsvc.exe - (GRISOFT, s.r.o. )
c:\program files\alcatel\speedtouch usb\dragdiag.exe - (THOMSON Telecom Belgium )
c:\program files\emule\emule.exe - (http://www.emule-project.net )
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe - (Anti-Malware Development a.s. )
c:\program files\ie new window maximizer\iemaximizer.exe - (jiiSoft )
c:\program files\common files\epson\ebapi\sagent2.exe - (SEIKO EPSON CORPORATION )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs, LLC )
c:\documents and settings\julian\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\zone labs\zonealarm\zlclient.exe - (Zone Labs, LLC )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKLM->Main\\Local Page - C:\windows\system32\blank.htm
HKCU->Main\\Start Page - http://www.google.co.uk/
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKCU->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKCU->Main\\Local Page - C:\windows\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc. )
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar2.dll (Google Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data - Key not found = Reg Data - Key not found (File not found)
{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = Reg Data - Key not found (File not found)

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 - Sun Java Console
{C7486E80-B111-4768-995E-23CF307346FC} - 8196 - Reg Data - Key not found
{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - 8197 - Reg Data - Value does not exist
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 - Windows Messenger
NextId - 8198

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc. )
{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - ButtonText: eBay - Homepage = C:\Program Files\IrfanView\Ebay\Ebay.htm ( )
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation )
Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm (File not found)

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data - Key not found (File not found)
{1CA72BDF-E416-4599-961F-08DECD4127CC} - = Reg Data - Key not found (File not found)
{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = Reg Data - Key not found (File not found)
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data - Key not found (File not found)
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = Reg Data - Key not found (File not found)
{48CFB12C-B8CD-4636-A06F-55EEC53DA6D9} - = Reg Data - Key not found (File not found)
{516EC4D3-4AD9-11D5-AA6A-00E0189008B3} - The Core Media Player Shell Extension = Reg Data - Key not found (File not found)
{52B87208-9CCF-42C9-B88E-069281105805} - Trojan Remover Shell Extension = Reg Data - Key not found (File not found)
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data - Key not found (File not found)
{780BCB64-0CAF-473c-A9FC-E08C03D75515} - Matroska Shell Extension, Properties Page CLSID = Reg Data - Value does not exist (File not found)
{781395AF-A127-469f-A06F-59B482AF4F3F} - Matroska Shell Extension, Column Provider CLSID = Reg Data - Value does not exist (File not found)
{789111D8-68A3-46a3-9663-145A3FF4C9C9} - Matroska Shell Extension, ContextMenu CLSID = Reg Data - Value does not exist (File not found)
{78DC191E-EFC1-4532-9A71-224577A86A7D} - Matroska Shell Extension, Thumbnail Handler CLSID = Reg Data - Value does not exist (File not found)
{794D04CA-70AC-4020-80EB-FFD59DEF8027} - Matroska Shell Extension, Tooltip Provider CLSID = Reg Data - Value does not exist (File not found)
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data - Key not found (File not found)
{82D09733-4A04-45E7-9454-2597D5B49F97} - = Reg Data - Key not found (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data - Key not found (File not found)
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} - PowerISO = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc. )
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = Reg Data - Key not found (File not found)

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
* - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
* - PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc. )
* - Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = Reg Data - Key not found (File not found)
* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Directory - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
Directory - PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc. )
Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Folder - AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o. )
Folder - PowerISO - {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc. )
Folder - Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = Reg Data - Key not found (File not found)
Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\!AVG Anti-Spyware - "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized (Anti-Malware Development a.s. )
HKLM->Run\\AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP (GRISOFT, s.r.o. )
HKLM->Run\\SpeedTouch USB Diagnostics - "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon (THOMSON Telecom Belgium )
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\IE New Window Maximizer - C:\Program Files\IE New Window Maximizer\iemaximizer.exe (jiiSoft )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found)

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s. )
{93994DE8-8239-4655-B1D1-5F4E91300429} - DVDIdleShell Class = C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk - EPSON Status Monitor 3 Environment Check 2 = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE (SEIKO EPSON CORPORATION )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk - InterVideo WinCinema Manager = C:\PROGRA~1\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc. )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l (Microsoft Corporation )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk - SpySubtract = C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart (File not found)
StartUpFolder\C:^Documents and Settings^Julian^Start Menu^Programs^Startup^SpywareGuard.lnk - SpywareGuard = C:\PROGRA~1\SPYWAR~1\sgmain.exe (File not found)
StartUpReg\CloneCDTray - CloneCDTray = "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s (File not found)
StartUpReg\CloneDVDElbyDelay - ElbyCheck = "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay (Elaborate Bytes AG )
StartUpReg\DVD43 - DVDRegionFree = "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden (Fengtao Software Inc. )
StartUpReg\iTunesHelper - iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
StartUpReg\Jet Detection - ADGJDet = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" ( )
StartUpReg\KernelFaultCheck - dumprep 0 -k = %systemroot%\system32\dumprep 0 -k (File not found)
StartUpReg\MsnMsgr - msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
StartUpReg\NBJ - NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" (Ahead Software AG )
StartUpReg\NeroFilterCheck - NeroCheck = C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh )
StartUpReg\PWRISOVM.EXE - PWRISOVM = C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc. )
StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
StartUpReg\RemoteControl - PDVDServ = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (File not found)
StartUpReg\STManager - drst = "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b ( )
StartUpReg\SunJavaUpdateSched - jusched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (File not found)
StartUpReg\TrojanScanner - Trjscan = C:\Program Files\Trojan Remover\Trjscan.exe (File not found)
StartUpReg\UserFaultCheck - dumprep 0 -u = %systemroot%\system32\dumprep 0 -u (File not found)
StartUpReg\WINDVDPatch - CTHELPER = CTHELPER.EXE (Creative Technology Ltd )

[>> User Agent Post Platform <<]

[>> Winlogon <<]
HMLM->AltDefaultDomainName - JOOOOLS-PC
HMLM->AltDefaultUserName - Julian
HMLM->AutoAdminLogon - Reg Data - Value does not exist
HMLM->DefaultDomainName - JOOOOLS-PC
HMLM->DefaultUserName - Julian
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found)
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 (Tcpip) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 (NTDS) - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 (Network Location Awareness (NLA) Namespace) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found)
msdaipp - (File not found)

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
AVG Anti-Spyware Guard (AVG Anti-Spyware Guard) - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
AVG7 Alert Manager Server (Avg7Alrt) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG7 Update Service (Avg7UpdSvc) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
AVG E-mail Scanner (AVGEMS) - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (GRISOFT, s.r.o. ) [Automatic - Running - Win32, running in it's own process]
EPSON Printer Status Agent2 (EPSONStatusAgent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION ) [Automatic - Running - Win32, running in it's own process]
TrueVector Internet Monitor (vsmon) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (Zone Labs, LLC ) [Automatic - Running - Win32, running in it's own process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/01/2005 18:51:58 | Attr = HS])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Julian\Start Menu\Programs\Startup
C:\Documents and Settings\Julian\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 09/01/2005 18:51:58 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Wininit.ini: Line 1 - [RENAME]
Wininit.ini: Line 2 - NUL=C:\DOCUME~1\Julian\LOCALS~1\Temp\nstmp\uninstall.exe
Wininit.ini: Line 3 - NUL=C:\DOCUME~1\Julian\LOCALS~1\Temp\nstmp\uninstall.ini
Wininit.ini: Line 4 - NUL=C:\DOCUME~1\Julian\LOCALS~1\Temp\nstmp

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/01/2005 18:38:24 | Attr = HS])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Julian\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 09/01/2005 18:38:24 | Attr = HS])
C:\Documents and Settings\Julian\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 36248 bytes | Date = 02/10/2006 14:26:02 | Attr = ])

Program Files Folder
C:\Program Files\(APP) Cool Mp3 Splitter 1.2 + crack (splits full albums int.zip - ( [Ver = | Size = 1425786 bytes | Date = 05/02/2005 13:27:00 | Attr = ])
C:\Program Files\15.03.Nero.v6.6.0.8a.zip - ( [Ver = | Size = 133764 bytes | Date = 23/03/2005 10:27:54 | Attr = ])
C:\Program Files\aawsepersonal.exe - ( [Ver = | Size = 2855080 bytes | Date = 07/10/2005 07:25:54 | Attr = ])
C:\Program Files\adawarepersonal.exe - ( [Ver = | Size = 2636408 bytes | Date = 17/01/2005 14:34:42 | Attr = ])
C:\Program Files\AlbumWrap_Extractor.zip - ( [Ver = | Size = 376146 bytes | Date = 09/01/2005 22:44:30 | Attr = ])
C:\Program Files\Apr2005_d3dx9_25_x64.cab - ( [Ver = | Size = 1348242 bytes | Date = 18/03/2005 17:40:20 | Attr = ])
C:\Program Files\Apr2005_d3dx9_25_x86.cab - ( [Ver = | Size = 1079850 bytes | Date = 18/03/2005 17:40:20 | Attr = ])
C:\Program Files\Apr2006_d3dx9_30_x64.cab - ( [Ver = | Size = 1398718 bytes | Date = 31/03/2006 12:56:52 | Attr = ])
C:\Program Files\Apr2006_d3dx9_30_x86.cab - ( [Ver = | Size = 1116109 bytes | Date = 31/03/2006 12:56:52 | Attr = ])
C:\Program Files\Apr2006_MDX1_x86.cab - ( [Ver = | Size = 917318 bytes | Date = 31/03/2006 12:56:52 | Attr = ])
C:\Program Files\Apr2006_MDX1_x86_Archive.cab - ( [Ver = | Size = 4163518 bytes | Date = 31/03/2006 12:56:54 | Attr = ])
C:\Program Files\Apr2006_xact_x64.cab - ( [Ver = | Size = 180021 bytes | Date = 31/03/2006 12:56:48 | Attr = ])
C:\Program Files\Apr2006_xact_x86.cab - ( [Ver = | Size = 133991 bytes | Date = 31/03/2006 12:56:44 | Attr = ])
C:\Program Files\Apr2006_xinput_x64.cab - ( [Ver = | Size = 87989 bytes | Date = 31/03/2006 12:56:46 | Attr = ])
C:\Program Files\Apr2006_xinput_x86.cab - ( [Ver = | Size = 46898 bytes | Date = 31/03/2006 12:56:46 | Attr = ])
C:\Program Files\Ashampoo Burning Studio v5.0.2.rar - ( [Ver = | Size = 5065321 bytes | Date = 10/02/2005 02:30:08 | Attr = ])
C:\Program Files\Aug2005_d3dx9_27_x64.cab - ( [Ver = | Size = 1351430 bytes | Date = 22/07/2005 19:14:08 | Attr = ])
C:\Program Files\Aug2005_d3dx9_27_x86.cab - ( [Ver = | Size = 1078532 bytes | Date = 22/07/2005 19:14:08 | Attr = ])
C:\Program Files\auxsetup.exe - ( [Ver = 1.4 | Size = 16384 bytes | Date = 12/08/2006 14:50:00 | Attr = ])
C:\Program Files\BDA.cab - ( [Ver = | Size = 703080 bytes | Date = 27/09/2004 11:29:46 | Attr = ])
C:\Program Files\BDANT.cab - ( [Ver = | Size = 1156363 bytes | Date = 27/09/2004 11:29:46 | Attr = ])
C:\Program Files\BDAXP.cab - ( [Ver = | Size = 976020 bytes | Date = 27/09/2004 11:29:46 | Attr = ])
C:\Program Files\BitTorrent-3.4.2.exe - ( [Ver = | Size = 2278771 bytes | Date = 31/01/2005 18:41:16 | Attr = ])
C:\Program Files\cdwav190.exe - ( [Ver = | Size = 629290 bytes | Date = 18/01/2005 21:33:22 | Attr = ])
C:\Program Files\copying - ( [Ver = | Size = 18321 bytes | Date = 19/12/2005 22:52:04 | Attr = ])
C:\Program Files\CRACK.BAT - ( [Ver = | Size = 27 bytes | Date = 08/08/2002 17:00:00 | Attr = ])
C:\Program Files\Dec2005_d3dx9_28_x64.cab - ( [Ver = | Size = 1358864 bytes | Date = 05/12/2005 18:31:22 | Attr = ])
C:\Program Files\Dec2005_d3dx9_28_x86.cab - ( [Ver = | Size = 1080344 bytes | Date = 05/12/2005 18:31:22 | Attr = ])
C:\Program Files\Dec2005_MDX1_x86.cab - ( [Ver = | Size = 916806 bytes | Date = 05/12/2005 18:28:00 | Attr = ])
C:\Program Files\Dec2005_MDX1_x86_Archive.cab - ( [Ver = | Size = 3673932 bytes | Date = 05/12/2005 18:28:30 | Attr = ])
C:\Program Files\DirectX.cab - ( [Ver = | Size = 15493481 bytes | Date = 27/09/2004 11:29:48 | Attr = ])
C:\Program Files\DivX521XP2K.exe - ( [Ver = | Size = 7741336 bytes | Date = 25/01/2005 22:27:26 | Attr = ])
C:\Program Files\DSETUP.dll - (Microsoft Corporation [Ver = 4.9.0.0904 | Size = 74448 bytes | Date = 31/03/2006 12:39:32 | Attr = ])
C:\Program Files\dsetup32.dll - (Microsoft Corporation [Ver = 4.9.0.0904 | Size = 2248912 bytes | Date = 31/03/2006 12:40:58 | Attr = ])
C:\Program Files\DVD-Author.exe - (Cucusoft, Inc. [Ver = | Size = 2593456 bytes | Date = 23/02/2005 19:33:40 | Attr = ])
C:\Program Files\dxdllreg_x86.cab - ( [Ver = | Size = 41890 bytes | Date = 31/03/2006 12:56:44 | Attr = ])
C:\Program Files\dxnt.cab - ( [Ver = | Size = 13265040 bytes | Date = 27/09/2004 11:29:52 | Attr = ])
C:\Program Files\DXSETUP.exe - (Microsoft Corporation [Ver = 4.9.0.0904 | Size = 484560 bytes | Date = 31/03/2006 12:40:32 | Attr = ])
C:\Program Files\dxupdate.cab - ( [Ver = | Size = 81733 bytes | Date = 31/03/2006 12:41:12 | Attr = ])
C:\Program Files\dxwebsetup.exe - (Microsoft Corporation [Ver = 6.00.2600.0000 | Size = 315624 bytes | Date = 08/07/2005 17:54:42 | Attr = ])
C:\Program Files\everesthome200.exe - (Lavalys, Inc. [Ver = | Size = 2995547 bytes | Date = 23/07/2005 09:36:52 | Attr = ])
C:\Program Files\exportformat.txt - ( [Ver = | Size = 137 bytes | Date = 02/10/2006 22:59:46 | Attr = ])
C:\Program Files\ezcddax7.exe - ( [Ver = 6.0.1.4 | Size = 5834988 bytes | Date = 23/01/2005 13:58:24 | Attr = ])
C:\Program Files\ezMP3WAVCONVERTER.exe - ( [Ver = | Size = 456788 bytes | Date = 18/01/2005 20:30:10 | Attr = ])
C:\Program Files\Feb2005_d3dx9_24_x64.cab - ( [Ver = | Size = 1248387 bytes | Date = 05/02/2005 20:03:26 | Attr = ])
C:\Program Files\Feb2005_d3dx9_24_x86.cab - ( [Ver = | Size = 1014113 bytes | Date = 05/02/2005 20:03:24 | Attr = ])
C:\Program Files\Feb2006_d3dx9_29_x64.cab - ( [Ver = | Size = 1363684 bytes | Date = 03/02/2006 09:00:54 | Attr = ])
C:\Program Files\Feb2006_d3dx9_29_x86.cab - ( [Ver = | Size = 1085608 bytes | Date = 03/02/2006 09:00:50 | Attr = ])
C:\Program Files\Feb2006_xact_x64.cab - ( [Ver = | Size = 179247 bytes | Date = 03/02/2006 09:00:48 | Attr = ])
C:\Program Files\Feb2006_xact_x86.cab - ( [Ver = | Size = 133297 bytes | Date = 03/02/2006 09:00:48 | Attr = ])
C:\Program Files\ffdshow-20041012.exe - ( [Ver = | Size = 2030080 bytes | Date = 04/02/2005 19:47:26 | Attr = ])
C:\Program Files\FILE_ID.DIZ - ( [Ver = | Size = 58 bytes | Date = 08/08/2002 17:00:00 | Attr = ])
C:\Program Files\Firefox Setup 1.0.exe - (Mozilla [Ver = 3, 12, 0, 0 | Size = 4915119 bytes | Date = 03/02/2005 21:10:22 | Attr = ])
C:\Program Files\fix for eventid 4226 (unlimited concurrent tcp connect attempts).zip - ( [Ver = | Size = 200185 bytes | Date = 25/01/2005 19:09:36 | Attr = ])
C:\Program Files\freeripmp3.exe - (MGShareware [Ver = | Size = 1606469 bytes | Date = 29/01/2005 18:24:44 | Attr = ])
C:\Program Files\GoogleToolbarInstaller.exe - (Google [Ver = 3, 0, 126, 3 | Size = 559776 bytes | Date = 11/10/2005 16:33:06 | Attr = ])
C:\Program Files\GSpot.exe - (GSpot Appliance Corp, a unit of GSp0t Heavy Industries [Ver = 2, 6, 0, 1 | Size = 892928 bytes | Date = 08/10/2006 18:02:08 | Attr = ])
C:\Program Files\GSpot26.dat - ( [Ver = | Size = 95008 bytes | Date = 01/10/2006 21:47:42 | Attr = R ])
C:\Program Files\hijackthis.zip - ( [Ver = | Size = 198230 bytes | Date = 30/01/2005 00:57:12 | Attr = ])
C:\Program Files\Howto.txt - ( [Ver = | Size = 889 bytes | Date = 30/12/2002 22:21:24 | Attr = ])
C:\Program Files\IrfanView.exe - ( [Ver = | Size = 877056 bytes | Date = 27/01/2005 19:33:04 | Attr = ])
C:\Program Files\Jun2005_d3dx9_26_x64.cab - ( [Ver = | Size = 1336890 bytes | Date = 26/05/2005 14:49:30 | Attr = ])
C:\Program Files\Jun2005_d3dx9_26_x86.cab - ( [Ver = | Size = 1065813 bytes | Date = 26/05/2005 14:49:30 | Attr = ])
C:\Program Files\kazaalite243.exe - ( [Ver = | Size = 3366186 bytes | Date = 08/05/2004 06:46:40 | Attr = ])
C:\Program Files\license.txt - ( [Ver = | Size = 3615 bytes | Date = 29/09/2006 07:29:56 | Attr = R ])
C:\Program Files\loader8400x.iso - ( [Ver = | Size = 2152448 bytes | Date = 08/03/2005 13:54:32 | Attr = ])
C:\Program Files\Microsoft_Office_XP_Activation_Killer.zip - ( [Ver = | Size = 39790 bytes | Date = 27/01/2005 16:53:36 | Attr = ])
C:\Program Files\mkvinst_b94.exe - (LD-Anime [Ver = 0.93.002 | Size = 1267124 bytes | Date = 04/02/2005 19:49:58 | Attr = ])
C:\Program Files\ModemUpgrade_Windows_R3.0.1.2.zip - ( [Ver = | Size = 4198827 bytes | Date = 26/01/2005 19:45:46 | Attr = ])
C:\Program Files\MP3CDRipper.exe - ( [Ver = | Size = 3433401 bytes | Date = 23/01/2005 13:21:40 | Attr = ])
C:\Program Files\napmx300b3.exe - ( [Ver = | Size = 590501 bytes | Date = 20/01/2005 21:05:00 | Attr = ])
C:\Program Files\Nero-6.6.0.8a.exe - ( [Ver = | Size = 31607334 bytes | Date = 23/03/2005 10:34:58 | Attr = ])
C:\Program Files\Oct2005_xinput_x64.cab - ( [Ver = | Size = 86925 bytes | Date = 05/12/2005 18:31:12 | Attr = ])
C:\Program Files\Oct2005_xinput_x86.cab - ( [Ver = | Size = 46247 bytes | Date = 05/12/2005 18:31:12 | Attr = ])
C:\Program Files\Office XP SP1-2 Slipstreaming.htm - ( [Ver = | Size = 38870 bytes | Date = 30/12/2002 21:21:50 | Attr = ])
C:\Program Files\OFF_XP.SP - ( [Ver = | Size = 189 bytes | Date = 08/08/2002 17:00:00 | Attr = ])
C:\Program Files\OggDS0995.exe - ( [Ver = | Size = 475844 bytes | Date = 04/02/2005 19:48:20 | Attr = ])
C:\Program Files\PCBugDoctor_newsetup.exe - ( [Ver = | Size = 586903 bytes | Date = 17/01/2005 19:18:18 | Attr = ])
C:\Program Files\PLCFULL_PCAPP_3_02_70.exe - (Creative Technology Ltd [Ver = 1,0,0,1 | Size = 24451404 bytes | Date = 24/01/2005 23:01:14 | Attr = ])
C:\Program Files\Plug-ins Nero 6 (mp4.acc, MP3 & MP3 Pro, MPEG2 DVD, MPEG2 SVCD, WMA, OGG Vorbis)(4).rar - ( [Ver = | Size = 2893467 bytes | Date = 04/02/2005 21:07:52 | Attr = ])
C:\Program Files\plvx2cleaner.exe - ( [Ver = | Size = 586335 bytes | Date = 01/02/2005 19:15:12 | Attr = ])
C:\Program Files\RealPlayer10-5GOLD.exe - (RealNetworks, Inc. [Ver = 6.0.12.1056 | Size = 10479136 bytes | Date = 25/01/2005 22:31:06 | Attr = ])
C:\Program Files\ripsetup.exe - ( [Ver = | Size = 304640 bytes | Date = 23/01/2005 13:46:28 | Attr = ])
C:\Program Files\server.met - ( [Ver = | Size = 11755 bytes | Date = 26/01/2005 20:52:06 | Attr = ])
C:\Program Files\SetupDVDDecrypter_3.5.4.0.exe - ( [Ver = | Size = 899414 bytes | Date = 23/03/2005 20:17:34 | Attr = ])
C:\Program Files\Shareaza_2.1.0.0.exe - (Shareaza Development Team [Ver = 2.1.0.0 | Size = 3304944 bytes | Date = 25/01/2005 18:54:42 | Attr = ])
C:\Program Files\sis-usbdetect.exe - ( [Ver = | Size = 55296 bytes | Date = 12/10/2005 15:30:40 | Attr = ])
C:\Program Files\SP.EXE - ( [Ver = | Size = 6553 bytes | Date = 27/08/1997 17:17:32 | Attr = ])
C:\Program Files\spybotsd13.exe - (Safer Networking Limited [Ver = | Size = 4354084 bytes | Date = 27/01/2005 15:09:54 | Attr = ])
C:\Program Files\spysubtract.exe - (InterMute [Ver = 1.0.0.1 | Size = 2179792 bytes | Date = 01/02/2005 20:18:40 | Attr = ])
C:\Program Files\spywareblastersetup.exe - (Javacool Software LLC [Ver = 3.2.0 | Size = 2247855 bytes | Date = 01/02/2005 20:07:18 | Attr = ])
C:\Program Files\spywareguardsetup.exe - ( [Ver = | Size = 2062665 bytes | Date = 05/02/2005 16:38:38 | Attr = ])
C:\Program Files\Thumbs.db - ( [Ver = | Size = 5632 bytes | Date = 14/04/2006 11:21:12 | Attr = HS])
C:\Program Files\trjsetup.exe - (Simply Super Software [Ver = | Size = 3921424 bytes | Date = 30/01/2005 01:39:16 | Attr = ])
C:\Program Files\vdicmdrv.dll - ( [Ver = 1.3 | Size = 7168 bytes | Date = 12/08/2006 14:49:54 | Attr = ])
C:\Program Files\vdremote.dll - ( [Ver = 1.5.10-sp1 | Size = 7168 bytes | Date = 12/08/2006 14:49:58 | Attr = ])
C:\Program Files\vdsvrlnk.dll - ( [Ver = 1.5.10-sp1 | Size = 5120 bytes | Date = 12/08/2006 14:49:56 | Attr = ])
C:\Program Files\vdub.exe - ( [Ver = 1.6.5 | Size = 7738 bytes | Date = 12/08/2006 14:50:38 | Attr = ])
C:\Program Files\VirtualDub.chm - ( [Ver = | Size = 210421 bytes | Date = 12/08/2006 14:49:48 | Attr = ])
C:\Program Files\VirtualDub.exe - ( [Ver = 1.6.16 | Size = 757760 bytes | Date = 12/08/2006 14:51:44 | Attr = ])
C:\Program Files\VirtualDub.vdi - ( [Ver = | Size = 120235 bytes | Date = 12/08/2006 14:51:44 | Attr = ])
C:\Program Files\Windows System Information.exe - (Gabriel Topala [Ver = 1, 52, 0, 0 | Size = 1440768 bytes | Date = 22/07/2005 17:07:56 | Attr = ])
C:\Program Files\wrar342.exe - ( [Ver = | Size = 1163643 bytes | Date = 03/02/2005 22:54:22 | Attr = ])
C:\Program Files\xscsetup.exe - (Seventh String Software [Ver = 0.7.0.11 | Size = 1628816 bytes | Date = 17/02/2005 21:49:44 | Attr = ])
C:\Program Files\zlsSetup_55_062_011.exe - ( [Ver = | Size = 6670952 bytes | Date = 11/02/2005 22:47:40 | Attr = ])
C:\Program Files\zlsSetup_60_667_000.exe - ( [Ver = | Size = 9346664 bytes | Date = 15/09/2005 20:23:50 | Attr = ])
C:\Program Files\ZONEALARMSetup_55_062_004.exe - ( [Ver = | Size = 6655600 bytes | Date = 02/02/2005 19:00:48 | Attr = ])

Common Files Folder

DPF files
{00000055-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.microsoft.com/codecs/i386/fhg.CAB
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

Hosts file = 686 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a "#" symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
# -
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 5
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 90 04 E4 44 06 16 C7 01
Desktop\General\\WallpaperLocalFileTime - 90 04 E4 44 06 16 C7 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 DE 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Jobs.def<<<<

DIR - C:\WINDOWS\tasks\*.* - Parameters = Include SubFolders
C:\WINDOWS\tasks\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 09/01/2005 13:58:22 | Attr = RH ])
C:\WINDOWS\tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 02/12/2006 13:22:06 | Attr = H ])
C:\WINDOWS\tasks\SpeedTouch Dial-up.job - ( [Ver = | Size = 298 bytes | Date = 02/12/2006 13:22:06 | Attr = ])

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\explorer -
policies\explorer\run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\ActiveDesktop -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\System -
policies\System\\DisableRegistryTools - 0

KEY - HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE
Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE
Run\\AVG7_Run - C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >
Old 12-02-2006, 11:30 AM   #16 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 69
OS: Vista Home Premium


Woops! Our posts seem to be crossing!

I won't post anything further if you think everything's OK. Just to say thank you for all your help and advice - another happy customer here!!
Old 12-03-2006, 02:01 PM   #17 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,318
OS: XP SP3


Hi Jooools,

The WinPFind log and the StartUp log also look good. You can go ahead and delete the following from your desktop now:

WinPFind
SmitFraudFix
AVG AntirootKit Beta
SDFix
FixWareout
LSP Fix


Delete the following files too:

c:\fixwareout\report.txt
c:\rapport.txt


Enable your Spyware Doctor again.

Since AVG Anti Spyware is a trial version, the realtime guard and automatic update will stop functioning after the trial period. That is why we are not installing the guard so it will not interfere with the cleanup or the malware removal process. You can use AVG-AS as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

Ccleaner is also a useful tool to keep. You can clean your cookies and temp files on a regular basis.

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and Folders heading, uncheck Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Check the Hide file extensions for known file types option.
Click OK.

Disable and Enable System Restore
It's a good idea to flush your System Restore points after ridding yourself of malware to make sure there are no infected files found in a restore point. Because Windows regularly sets restore points, it's very possible that the malware you have removed is still present in System Restore. If you put Windows back to such a restore point, this malware will be put back as well.
  • Click Start | Help and Support | Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name, and then click Create, then Close.
  • Close the Help and Support Center box.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.

This will remove all previous restore points except the newly created one.

You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following, which are free for personal use. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflicts and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated.
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here Remember to "immunize" after each update
Windows Defender here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup windows from opening when you come across a website that uses them during internet surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer.
SiteHound will alert you when you enter a site which is known to contain:
· Fraudulent claims or scams
· Offensive material
· Security vulnerabilities
· Spyware or Adware
· Spam related material
· or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

o Adult
o Spyware
o Spam Advertising
o Phishing
o Possible scam or fraud
o Misleading or False Advertising
o Pharming
o Rogue or Suspect Product
o Adware
o Malware or Virus

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You cannot uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.

But above all, keep all your software UP-TO-DATE at all times!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Happy and safe surfing.

Please take the time to visit Malware Complaints and register your complaint.
The infection you had was Wareout
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
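The Internet Explorer hardening steps in the reply above are all stored as DWORD values under the Internet zone key (zone 3) in the registry, so they can be audited rather than re-checked by hand each time. The script below is an added example for this thread, not something posted by amateur or jooools: it compares the current per-user zone settings against the values the reply recommends and reports any that differ. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the action encoding (0 = Enable, 1 = Prompt, 3 = Disable) are the ones Microsoft documents for the IE zone registry layout; the script assumes the settings live under HKCU and does not check machine-wide or Group Policy overrides under HKLM.

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3) settings
# that the reply above tells the user to change by hand, and report any that differ.
# Assumes per-user IE configuration under HKCU; zone policy may also be enforced
# under HKLM or via Group Policy, which this script does not check.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action values used by the zone settings: 0 = Enable, 1 = Prompt, 3 = Disable
$actionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry value name -> description and the action recommended in the reply
$recommended = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Name = '1800'; Desc = 'Installation of desktop items';                             Want = 1 },
    @{ Name = '1804'; Desc = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Name = '1607'; Desc = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Test-IeInternetZone {
    param([switch]$Fix)   # -Fix writes the recommended value instead of only reporting

    if (-not (Test-Path $zonePath)) {
        Write-Warning "Zone key not found: $zonePath"
        return
    }

    $props = Get-ItemProperty -Path $zonePath
    foreach ($r in $recommended) {
        $current = $props.($r.Name)

        # Translate the stored DWORD into the wording shown in the IE dialog
        $cur = if ($null -eq $current) { 'not set' }
               elseif ($actionName.ContainsKey([int]$current)) { $actionName[[int]$current] }
               else { "unknown ($current)" }

        $ok = ($null -ne $current) -and ([int]$current -eq $r.Want)

        [pscustomobject]@{
            Setting     = $r.Desc
            Value       = $r.Name
            Current     = $cur
            Recommended = $actionName[$r.Want]
            Compliant   = $ok
        }

        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $zonePath -Name $r.Name -Value $r.Want -Type DWord
        }
    }
}

# Report only (default): one row per setting, Compliant = $false marks the ones to fix
Test-IeInternetZone | Format-Table -AutoSize

# To apply the recommended values instead of just reporting, run:
# Test-IeInternetZone -Fix
```

Run the report first and keep the output; a setting that drifts back to Enable after the user has set it to Prompt or Disable is itself a sign that something on the machine is rewriting the zone key, which is worth knowing before the next round of cleanup.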
Copyright 2001 - 2009, Tech Support Forum