Old 04-10-2005, 01:32 AM   #1 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Need help please - sinking fast!

I'll try to include as much info as possible in case it helps, apologies if it's irrelevant.

Upgraded out-of-date PCillin with brand new McAfee after suspicions of malicious infection messing up computer. McAfee ran and caught 24 files with various problems. Fixed.

On next reboot, one of 4 svchost.exe processes consumed 99% CPU indefinitely and numerous XP functions ceased to work (e.g. no start bar).

Tried stopping svchost from Task Manager; unfortunately that caused a forced 30s countdown to reboot. Tried starting/stopping all other services with no result.

Ran SpyBot - 5 more fixed, but no change.

Assuming somehow McAfee at fault, proceeded to learn then utilise regedit to manually remove and regsvr32 to unhitch dlls and deleted McAfee folders after discovering the remove software process was one of those now broken.

Did not fix problem. Installed Starter and examined the voracious svchost process to try to fathom whether a dll had been corrupted or somehow altered. The following .dlls are unique to the svchost instance which is causing the problem - I don't know if that narrows it down at all...

rasadhlp rpcss rsaenh userenv winrnr

Discovered this forum, d/l HijackThis and ran it. Tried to remove the McAfee instances in there to no result - they return on reboot.

If any of that is of any additional help, great - if not I'm sorry to have wasted your time with it all! Logfile follows; any help very gratefully appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 8:12:46 AM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - C:\Program Files\Macro ToolsWorks\mtwbho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Last edited by cjhsb; 04-10-2005 at 01:38 AM.
cjhsb is offline  

Old 04-10-2005, 01:51 PM   #2 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Back again now still trying to tackle the problem, thought I'd add further findings in the hope they may help:

Attempted to unregister suspect dlls. rsaenh and userenv both unregistered and re-registered successfully, no change to 99% cpu usage of svchost. Will try replacing those next with fresh versions.

rasadhlp, rpcss, winrnr all return "entry point not found, file cannot be registered".

Further, computer ignores attempts to start it in safe mode.

Attempted to d/l Ad-Aware but computer refuses to do so - can't even get save/run box to open for it, but I'm guessing since it takes about 20 mins to d/l a 200k file due to current cpu speed and multiple timeouts a 2.4mb d/l will be impossible even if I can open the box. :-(

Also, I'm unsure if it's pertinent but I originally decided to remove McAfee as on the reboot it was telling me the virus shield could not start - probably due to lack of resources - and that when tried the control console could not initialize.

Lastly, I realised after posting this that my original HJT log may well have had additional info in from programs in the background, so here's one done straight after reboot - sorry.

Logfile of HijackThis v1.99.1
Scan saved at 9:00:21 PM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - C:\Program Files\Macro ToolsWorks\mtwbho.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Last edited by cjhsb; 04-10-2005 at 02:19 PM.
cjhsb is offline  
Old 04-10-2005, 02:41 PM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro


Hmmm.... Interesting...

Hello Cjhsb and welcome to TSF...

In order to assist you better, we recommend that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

I realize that with your current situation that downloading some of our larger files is about impossible or should I say, hectic at the very least. Try rebooting into "Safe Mode with Networking" (by pressing F8 while your computer starts) and see if you can download some of the fixes that I am going to post. If not, then find another computer with hi-speed access and burn a CD with all of the files on it.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Download this, but wait to run it until later... Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Do not run it yet...

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (without Networking) (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Let's use a program to scan for any trojans that may exist. Run TDS-3, which you downloaded earlier. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

Last edited by kworley517; 04-10-2005 at 02:43 PM.
kworley517 is offline  
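As an added example (not from the thread, and not part of HijackThis or the KRC analyzer), the following Python script does the mechanical part of the triage described in the post above: it parses the "R0 - ..." / "O23 - ..." entry lines of a HijackThis v1.99 log, flags the patterns the analyst reacts to (start page pointing at a bare IP, "(file missing)" services, "(no name)"/"(no file)" toolbars, services with an unknown owner, Winlogon Notify DLLs), and diffs two scans so you can confirm which entries a fix actually removed. The two sample logs are constructed in the thread's format and are not the poster's full logs.

```python
# Added example: triage helper for HijackThis v1.99 logs (not the thread's own tooling).
import re
from dataclasses import dataclass

# Entry lines look like "O23 - Service: <name> - <owner> - <path>"; the section
# prefix (R0..R3, F0..F3, N1..N4, O1..O24) says which kind of hook was found.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# A home/search page set to http://<dotted quad>/ rather than a host name.
BARE_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O23"
    body: str     # everything after "O23 - "

    def line(self):
        return f"{self.section} - {self.body}"


def parse_hjt_log(text):
    """Return the hook entries of a log, skipping the header and the process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entry(e):
    """Return the reasons an entry deserves a second look (empty list = nothing to say)."""
    reasons = []
    if e.section in ("R0", "R1") and BARE_IP_URL_RE.search(e.body):
        reasons.append("IE start/search page redirected to a bare IP address")
    if "(file missing)" in e.body:
        reasons.append("registered component whose file is gone (orphan or tampering)")
    if "(no file)" in e.body or e.body.startswith(("Toolbar: (no name)", "BHO: (no name)")):
        reasons.append("unnamed or fileless browser extension")
    if e.section == "O23" and "Unknown owner" in e.body:
        reasons.append("service with no publisher recorded")
    if e.section == "O20":
        reasons.append("Winlogon Notify DLL loads in every logon session; verify its origin")
    return reasons


def triage(text):
    """Map each flagged entry line to its reasons, preserving log order."""
    report = {}
    for e in parse_hjt_log(text):
        reasons = flag_entry(e)
        if reasons:
            report[e.line()] = reasons
    return report


def diff_logs(before_text, after_text):
    """Entries that disappeared / appeared between two scans, i.e. what a fix changed."""
    before = {e.line() for e in parse_hjt_log(before_text)}
    after = {e.line() for e in parse_hjt_log(after_text)}
    return sorted(before - after), sorted(after - before)


# Constructed sample logs in the thread's format (abridged, not the poster's full logs).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:12:46 AM, on 4/10/2005

Running processes:
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:35:59 PM, on 4/10/2005

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE).items():
        print(line)
        for r in reasons:
            print("    ->", r)
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

A flag here is a reason to look, not a verdict: the analyst still decides entry by entry, and the diff is what tells you whether a "fixed" entry really stayed gone after the reboot.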
Old 04-10-2005, 05:06 PM   #4 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Hi and many thanks for both the welcome and battle plan Kworley517!

Ok, results follow:

Ad_Aware - 71 objects removed
Vx2 Cleaner - clean
Spybot (new install and update) - 3 problems (MySoft) fixed
No DSO entries listed
Safe mode:
Only query was over something called xmasbus...sounds a bit odd, I let it continue
Safe mode displayed same problems as normal mode - no taskbar etc etc
HJT - 2 missing (the 09s), 1 checked and fixed (the 04)
Cleanup - 3509 files, 789.1MB removed. Wow.
HJT after normal reboot - no new services from Safe mode listed, various additional processes.
KRC HJTA result.txt:

================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:35:59 PM, on 4/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\runservice.exe
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - C:\Program Files\Macro ToolsWorks\mtwbho.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)


End of KRC HijackThis Analyzer Log.
================================================================

TDS-3 - failed to run - although shown under WTM Applications as running rather than not responding, after 15 minutes it still has not completed its first test I guess as no program box has appeared yet.

Hope all that gives more clues!
cjhsb is offline  
Old 04-10-2005, 08:48 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro


Safe Mode...

Good job so far.... Are things any better, yet???

See if you can try and run the TDS-3 scanner in safe mode and let it do its thing. Hopefully it will find a bunch of trojans for us to eliminate.

While in safe mode, run HJT and check/fix the following entry:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Give me an update on the TDS scan and a new HJT log when you have completed...
kworley517 is offline  
Old 04-10-2005, 09:25 PM   #6 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Many thanks for the help so far, but unfortunately not, things no better...yet :-)

Ok, TDS-3 will not run in safe mode either. Before reading your last post I went and installed TrojanHunter - which after some 4 hours for a full scan told me it found nothing.

Went to fix the line in HJT while in safe - it's gone. Also no longer there in Normal mode either.

Oddly, when I try to remove any of the McAfee missing files or the FTP server in HJT it ignores my attempts and just lists them again next check. Again I don't know if that's working as intended or not.

Latest HJT output follows, in case it's any help:

Logfile of HijackThis v1.99.1
Scan saved at 4:20:19 AM, on 4/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TW_BrowserHook - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - C:\Program Files\Macro ToolsWorks\mtwbho.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
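As an added example (not from this thread, and not code from the HijackThis or StartDreck authors), a small Python triage helper that parses the O4, O20 and O23 lines in the log format shown above and lists the entries a helper would look at first: services whose binary is missing or has an unknown owner, Run entries that launch a bare filename instead of a full path, and Winlogon Notify DLLs. The sample input is a subset of the log posted above; the flag reasons are my own heuristics, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
# The "(service name)" part is optional: some O23 lines carry only a display name.
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')
MISSING = '(file missing)'


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O23"
    name: str      # Run value name, service name, or Notify package name
    path: str      # file the entry loads, as written in the log
    reason: str    # why a reviewer should look at it


def is_absolute(path: str) -> bool:
    """True for drive-letter, UNC, or %ENVVAR%-rooted paths."""
    return bool(re.match(r'^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)', path))


def launch_target(cmd: str) -> str:
    """Return the file an O4 command really loads: the quoted or first token,
    or, for a RUNDLL32 invocation, the DLL named before the ',EntryPoint'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        exe, _, rest = cmd.partition(' ')
    if exe.rsplit('\\', 1)[-1].lower() == 'rundll32.exe':
        return rest.split(',', 1)[0].strip().strip('"')
    return exe


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect entries worth a closer look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            target = launch_target(m['cmd'])
            if not is_absolute(target):
                findings.append(Finding('O4', m['name'], target,
                                        'bare filename resolved via the search path; '
                                        'confirm which file on disk actually runs'))
        elif m := O20_RE.match(line):
            findings.append(Finding('O20', m['name'], m['path'],
                                    'Winlogon Notify DLL loads into winlogon.exe '
                                    'at logon; confirm the vendor'))
        elif m := O23_RE.match(line):
            path, name = m['path'], m['svc'] or m['display']
            if path.endswith(MISSING):
                findings.append(Finding('O23', name, path[:-len(MISSING)].strip(),
                                        'service registered but binary missing '
                                        '(leftover of an uninstall or a removed file)'))
            elif m['owner'] == 'Unknown owner':
                findings.append(Finding('O23', name, path,
                                        'no vendor information; confirm what installed it'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4}{f.name:<20}{f.path}\n      {f.reason}')
```

Global Startup (.lnk) O4 lines have no bracketed name and are deliberately skipped; extend O4_RE if you want them covered.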
Old 04-10-2005, 09:31 PM   #7 (permalink)
Analyst, Security Team
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro


Hmmm... Deeper we go...

Time to start looking deeper in the system.... Please complete and provide the following:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Right click on http://www.greyknight17.com/spy/Silent%20Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.
Old 04-10-2005, 10:02 PM   #8 (permalink)
I helped the forums.
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Ok, StartDreck:

StartDreck (build 2.1.7 public stable) - 2005-04-11 @ 04:57:32 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Carl at OBSTINATE

»Registry
»Run Keys
»Current User
»Run
*RemoteCenter=C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
»RunOnce
*CTStartup="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*zBrowser Launcher=C:\Program Files\Logitech\iTouch\iTouch.exe
*Logitech Utility=Logi_MwX.Exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*nwiz=nwiz.exe /install
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
*CTSysVol=C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
*CTDVDDet=C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
*CTHelper=CTHELPER.EXE
*UpdReg=C:\WINDOWS\UpdReg.EXE
*CTStartup="C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
*THGuard="C:\Program Files\TrojanHunter 4.2\THGuard.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*TW_BrowserHook.TW_BHO.1/{1E1B2879-88FF-11D2-8D96-FFFFAC95951F}
`InprocServer32=C:\Program Files\Macro ToolsWorks\mtwbho.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar2.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://81.3.122.17/
+SearchUrl
*provider=
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Carl\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 www.sextracker.com
`127.0.0.1 www.sextraffic.org
`127.0.0.1 www.sexyfreehost.com
`127.0.0.1 www.sexyplugin.com
`127.0.0.1 www.simplecounter.net
`127.0.0.1 www.slutzoo.com
`127.0.0.1 www.sonixwarez.com
`127.0.0.1 www.sponsor2002.de
`127.0.0.1 www.targetshop.com
`127.0.0.1 www.techiwarehouse.com
`127.0.0.1 www.teknosurf.com
`127.0.0.1 www.teknosurf2.com
`127.0.0.1 www.teknosurf3.com
`127.0.0.1 www.theadultwire.com
`127.0.0.1 www.topwarez-fr.com
`127.0.0.1 www.toys-galleries.com
`127.0.0.1 www.trafficbox.net
`127.0.0.1 www.trafficmonetizer.com
`127.0.0.1 www.unionwarez.com
`127.0.0.1 www.valueclick.com
`127.0.0.1 www.valuesponsor.com
`127.0.0.1 www.warez33.com
`127.0.0.1 www.warezfield.com
`127.0.0.1 www.web3000.co.uk
`127.0.0.1 www.web3000.com
`127.0.0.1 www.webads.nl
`127.0.0.1 www.webferret.com
`127.0.0.1 www.webhancer.com
`127.0.0.1 www.webhancer.net
`127.0.0.1 www.weblist.de
`127.0.0.1 www.websitefinancing.com
`127.0.0.1 www.wedoo.com
`127.0.0.1 www.win24.de
`127.0.0.1 www.wingowin.com
`127.0.0.1 www.wtlive.com
`127.0.0.1 www.xiti.com
`127.0.0.1 www.xpostx.com
`127.0.0.1 www.xxxdisplay.com
`127.0.0.1 www.xxxfreeamateurs.com
`127.0.0.1 www.xxxteenclub.de
`127.0.0.1 www.youmakemoney.com
`127.0.0.1 www.zeloop.net
`127.0.0.1 www2.burstnet.com
`127.0.0.1 www2.consumercreditusa.com
`127.0.0.1 www3.netgravity.com
`127.0.0.1 www4.netgravity.com
`127.0.0.1 www4.trix.net
`127.0.0.1 www80.valueclick.com
`127.0.0.1 xads.infospace.com
`127.0.0.1 xads.zedo.com
`127.0.0.1 xxxfreeamateurs.com
`127.0.0.1 z.extreme-dm.com
`127.0.0.1 z0.extreme-dm.com
`127.0.0.1 z1.extreme-dm.com
`127.0.0.1 zac.netgravity.com
`127.0.0.1 img.thebugs.ws
`127.0.0.1 pet.thebugs.ws
`127.0.0.1 mt45.mtree.com
`127.0.0.1 www.porncow.com
`127.0.0.1 download.alexa.com
`127.0.0.1 count.exit.exchange.com
`127.0.0.1 www.classmates.com
`127.0.0.1 bidclix.net
`127.0.0.1 www.media-ads.org
`127.0.0.1 www.aitsafe.com
`127.0.0.1 service.bfast.com
`127.0.0.1 spweb.whenu.com
`127.0.0.1 www.getweathercast.com
`127.0.0.1 www.clock-sync.com
`127.0.0.1 secure.goodthinxx.com
`127.0.0.1 port.goodthinxx.com
`127.0.0.1 chochux.offshoreclicks.com
`127.0.0.1 go.offshoreclicks.com
`127.0.0.1 click.atdmt.com
`127.0.0.1 dropcharge.stardialer.de
`127.0.0.1 download.stardialer.de
`127.0.0.1 www.outwar.com
`127.0.0.1 outwar.com
`127.0.0.1 www.pornstarguru.com
`127.0.0.1 www.popstarwar.com
`127.0.0.1 www.monsterwar.net
`127.0.0.1 www.gangsterwar.com
`127.0.0.1 srch.lop.com
`127.0.0.1 clickcash.webpower.com
`127.0.0.1 install.serviceurl.de
`127.0.0.1 aim1.radiate.com
`127.0.0.1 aim2.radiate.com
`127.0.0.1 aim3.radiate.com
`127.0.0.1 www.flyswat.com
`127.0.0.1 www.flyswat.net
`127.0.0.1 www.flyswat.org
`127.0.0.1 www.flyswat.co.uk
`127.0.0.1 www.cometsystems.com
`127.0.0.1 www.cometzone.com
`127.0.0.1 www.livecursors.com
`127.0.0.1 aim1.adsoftware.com
`127.0.0.1 aim2.adsoftware.com
`127.0.0.1 aim3.adsoftware.com
`127.0.0.1 aim4.adsoftware.com
`127.0.0.1 aim5.adsoftware.com
`127.0.0.1 www.conducent.com
`127.0.0.1 www.conducent.co.uk
`127.0.0.1 www.mathlogic.com
`127.0.0.1 www.adsoftware.com
`127.0.0.1 www.gohip.com
`127.0.0.1 www.lolitafree.de
`127.0.0.1 www.exitblaze.com
`127.0.0.1 hop.clickbank.net
`127.0.0.1 www.w3exit.com
`127.0.0.1 ads.flabber.nl
`127.0.0.1 servlets.kliks.nl
`127.0.0.1 affiliates.kliks.nl
`127.0.0.1 ads.revenue.net
`127.0.0.1 pops.freeze.com
`127.0.0.1 adlog.com.com
`127.0.0.1 ads.techtv.com
`127.0.0.1 ads.tripod.lycos.co.uk
`127.0.0.1 adserv.happypuppy.com
`127.0.0.1 ads.ipowerweb.com
`127.0.0.1 www.hitboss.com
`127.0.0.1 dbbsrv.com
`127.0.0.1 download.globaldialer.net
`127.0.0.1 www.passthison.com
`127.0.0.1 tafmaster.com
`127.0.0.1 www.xtra.fm
`127.0.0.1 www.mp3bank.nl
`127.0.0.1 www.paypopup.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\tasklist.exe
*C:\WINDOWS\System32\tasklist.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+428=\SystemRoot\System32\smss.exe
+492=\??\C:\WINDOWS\system32\csrss.exe
+520=\??\C:\WINDOWS\system32\winlogon.exe
+564=C:\WINDOWS\system32\services.exe
+576=C:\WINDOWS\system32\lsass.exe
+864=C:\WINDOWS\system32\svchost.exe
+900=C:\WINDOWS\System32\svchost.exe
+984=C:\WINDOWS\System32\svchost.exe
+996=C:\WINDOWS\System32\svchost.exe
+1044=C:\WINDOWS\system32\spoolsv.exe
+1116=C:\WINDOWS\System32\alg.exe
+1184=C:\WINDOWS\System32\CTsvcCDA.exe
+1292=C:\WINDOWS\runservice.exe
+1340=C:\WINDOWS\Explorer.EXE
+1448=C:\Program Files\Logitech\iTouch\iTouch.exe
+1472=C:\Program Files\Logitech\MouseWare\system\em_exec.exe
+1480=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1528=C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
+1540=C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
+1556=C:\WINDOWS\System32\CTHELPER.EXE
+1584=C:\WINDOWS\System32\rundll32.exe
+1620=<unkown>
+1636=C:\WINDOWS\System32\nvsvc32.exe
+1644=C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
+1680=C:\WINDOWS\System32\MsPMSPSv.exe
+1684=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
+1728=C:\Program Files\Logitech\SetPoint\KEM.exe
+1868=C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
+1864=C:\Program Files\TrojanHunter 4.2\THGuard.exe
+236=C:\Documents and Settings\Carl\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User





Silent Runners is giving me a Windows Script Host error: "Could not create object named 'WScript.Shell'", source WScript.CreateObject.

I'm guessing I've missed something I should have disabled (after doing TeaTimer and THGuard), but I thought I'd ask to be sure I'm not barking up the wrong tree.

Last edited by cjhsb; 04-10-2005 at 10:29 PM.
cjhsb is offline  
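The hosts-file section of the StartDreck log above is long, and what is in it matters: a malware hosts hijack points security-vendor or update hostnames at an attacker's address, while a blocklist (what this log shows: every entry visible above resolves to 127.0.0.1) only sinkholes ad and spyware domains. The script below is an added example for this thread, not StartDreck's or the forum's code. It parses lines in StartDreck's "`address hostname" format, separates sinkhole entries from real redirects, lists duplicates, and flags names on an assumed watch list of update and security-vendor hosts. The sample entries are constructed: the first six are copied from the log above, the last two are invented to show how a hijack would appear.

```python
"""Triage of the hosts-file section of a StartDreck log.

Added example for this thread, not StartDreck or forum code.  StartDreck
prints each hosts entry as "`<address> <hostname>"; the sample below is
constructed from entries in the log above plus two invented lines.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample.  The last two lines are invented to show what a
# hijack looks like; nothing like them appears in the poster's log.
SAMPLE = """\
`127.0.0.1 www.valueclick.com
`127.0.0.1 download.alexa.com
`127.0.0.1 spweb.whenu.com
`127.0.0.1 www.gator.com
`127.0.0.1 www.gator.com
`0.0.0.0 ads.revenue.net
`127.0.0.1 download.windowsupdate.example
`10.0.0.5 liveupdate.symantec.example
"""

# Addresses that make a name resolve to nowhere: a blocklist entry, not a redirect.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed watch list: name fragments of update and security-vendor hosts that
# malware blocks or redirects so that signatures and patches stop arriving.
PROTECTED = ("windowsupdate", "microsoft.com", "mcafee", "symantec",
             "trendmicro", "safer-networking", "lavasoft")

ENTRY_RE = re.compile(r"^`?\s*(\S+)\s+(\S+)")


def parse_hosts(text):
    """Return (address, hostname) pairs; lines that are not hosts entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop hosts-file comments
        m = ENTRY_RE.match(line)
        if not m:
            continue
        addr, host = m.group(1), m.group(2).lower()
        try:
            ipaddress.ip_address(addr)               # StartDreck section headers fail here
        except ValueError:
            continue
        entries.append((addr, host))
    return entries


def classify(entries):
    """Split entries into sinkholed names, true redirects, watched names and duplicates."""
    report = {"sinkholed": [], "redirected": [], "protected": [], "duplicates": []}
    counts = Counter(host for _, host in entries)
    report["duplicates"] = sorted(h for h, n in counts.items() if n > 1)
    for addr, host in entries:
        if addr in SINKHOLES:
            report["sinkholed"].append(host)
        else:
            # A routable address means traffic for this name goes somewhere else:
            # that is a redirect, and it is rarely something the user put there.
            report["redirected"].append((host, addr))
        if any(fragment in host for fragment in PROTECTED):
            report["protected"].append((host, addr))
    return report


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE))
    print(f"{len(result['sinkholed'])} names sinkholed (blocklist style)")
    for host, addr in result["redirected"]:
        print(f"REDIRECT  {host} -> {addr}")
    for host, addr in result["protected"]:
        print(f"WATCHED   {host} -> {addr}")
    for host in result["duplicates"]:
        print(f"DUPLICATE {host}")
```

To run it against a real log, replace SAMPLE with the contents of the StartDreck output file; lines outside the hosts section are ignored because their first token is not an IP address. A watched name that is merely sinkholed (like the windowsupdate line in the sample) still deserves a look, since blocking an update server is as effective for malware as redirecting it.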
Old 04-10-2005, 11:18 PM   #9 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Done a bit more homework and I haven't found anything that should block Silent Runners from running.

Have done a bit more digging into the svchost.exe thread that's eating up the CPU; the list of .dlls follows if it's of any help:

"Module (25)",Handle,Size,"Full Path"
ADVAPI32.dll,77DD0000,"577,536",C:\WINDOWS\system32\ADVAPI32.dll
CLBCATQ.DLL,7C890000,"528,384",C:\WINDOWS\system32\CLBCATQ.DLL
COMRes.dll,77050000,"806,912",C:\WINDOWS\system32\COMRes.dll
DNSAPI.dll,76F20000,"151,552",C:\WINDOWS\system32\DNSAPI.dll
GDI32.dll,7E090000,"266,240",C:\WINDOWS\system32\GDI32.dll
iphlpapi.dll,76D60000,"90,112",C:\WINDOWS\system32\iphlpapi.dll
kernel32.dll,77E60000,"942,080",C:\WINDOWS\system32\kernel32.dll
msvcrt.dll,77C10000,"339,968",C:\WINDOWS\system32\msvcrt.dll
mswsock.dll,71A50000,"241,664",C:\WINDOWS\system32\mswsock.dll
ntdll.dll,77F50000,"684,032",C:\WINDOWS\System32\ntdll.dll
ole32.dll,771B0000,"1,196,032",C:\WINDOWS\system32\ole32.dll
OLEAUT32.dll,77120000,"569,344",C:\WINDOWS\system32\OLEAUT32.dll
rasadhlp.dll,76FC0000,"20,480",C:\WINDOWS\system32\rasadhlp.dll
RPCRT4.dll,78000000,"552,960",C:\WINDOWS\system32\RPCRT4.dll
rpcss.dll,75850000,"282,624",c:\windows\system32\rpcss.dll
rsaenh.dll,0FFD0000,"143,360",C:\WINDOWS\system32\rsaenh.dll
Secur32.dll,76F90000,"65,536",c:\windows\system32\Secur32.dll
USER32.dll,77D40000,"573,440",C:\WINDOWS\system32\USER32.dll
userenv.dll,75A70000,"675,840",C:\WINDOWS\system32\userenv.dll
VERSION.dll,77C00000,"28,672",C:\WINDOWS\system32\VERSION.dll
winrnr.dll,76FB0000,"28,672",C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll,76F60000,"180,224",C:\WINDOWS\system32\WLDAP32.dll
WS2_32.dll,71AB0000,"81,920",c:\windows\system32\WS2_32.dll
WS2HELP.dll,71AA0000,"32,768",c:\windows\system32\WS2HELP.dll
wshtcpip.dll,71A90000,"32,768",C:\WINDOWS\System32\wshtcpip.dll
cjhsb is offline  
Old 04-11-2005, 10:24 AM   #10 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Yet more info...

> Error Could not create object named "WScript.Shell"

You can't run any script at all under Windows XP. That's definitely
not a "Silent Runners" problem, but a side-effect of infection.

That's from Andy, the author of SR; probably the reason why TDS doesn't work either.
cjhsb is offline  
Old 04-11-2005, 02:47 PM   #11 (permalink)
Analyst, Security Team
 
kworley517's Avatar
 
Join Date: Feb 2005
Location: South Florida
Posts: 538
OS: XP Pro


Check your scripting...

You may not have scripting enabled on your system. Please download NoScript from http://www.symantec.com/avcenter/noscript.exe and run it accordingly. This will allow you to see if scripting is enabled. If it is disabled, enable it using the NoScript program. You may disable it again later on by utilizing the same NoScript program, if you wish. For now, please leave your scripting enabled so that we may run this and other VBS scripts that may be necessary to diagnose your problem.

Afterwards, please try and re-run Silent Runners...
kworley517 is offline  
Old 04-12-2005, 01:22 AM   #12 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Light at the end of the tunnel!

Firstly, my apologies for taking so long to reply; I've had a busy night!

Secondly, let me again thank you for all the hard work and effort you have put in so far trying to help me! :-)

Ok...

After discovering the switch was already set to allow scripts, I threw in the towel and did a CD reinstall/fix of XP itself.

Upon completion, I was delighted to find the svchost hog had been removed (along with seemingly nothing else but my graphics card drivers - that at least I can fix :-))

Unfortunately, I realised that my desktop had DerBiz, which hadn't been there before. Nonetheless, I decided that if I was infected already I would continue on and try to make the environment as secure as possible before housecleaning.

Proceeded to d/l and update to SP2 and all fixes. Ran Ad-Aware and Spybot repeatedly in safe mode and normal mode, back and forth, and managed to reduce 878 infections (!!) to 0 in Ad-Aware and 5 in Spybot.

Installed McAfee and ran it, which detected 4 adware items, Morphine and HijackThis =P; fixed what I could, quarantined the rest.

Pleased to say computer is working fine now except for the obvious malicious infection problems.

However, I just can't seem to get rid of the last 5. I've tried disabling their obvious entries from within HJT (HJT is now becoming rapidly familiar to me, even if I only understand a tiny bit of it now...) but they just return on reboot.

Last five are:

Alitun.EliteBar
CallingHome.biz
DyFuCA.InternetOptimizer
ISearchTech.SideFind
n-Case

HJT Log follows - yet more help would again be very gratefully appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 8:00:32 AM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitekto32.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113267096656
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C2BAA4-0E72-4889-BCBA-09149288F59C}: NameServer = 194.72.9.44 194.74.65.86
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
cjhsb is offline  
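Reading an HJT log by hand means checking each R0/R1, O4, O17, O20 and O23 line against what you know is supposed to be there. The script below is an added example for this thread, not a HijackThis feature, that automates the first pass of that check: it flags browser start/search pages set to a bare IP address or to a host not on a trusted list, O4 autostart binaries not on a vetted allow-list, O23 services that HijackThis reports with "Unknown owner", and prints the O17 name servers for confirmation against the ISP's. The KNOWN_GOOD and TRUSTED_PAGES sets are assumptions an analyst fills in; the sample lines are copied from the log in this post, plus the start-page value from the poster's later log. A hit is a prompt to look closer, not a verdict: "Unknown owner" only means HijackThis found no company name in the file's version information, and some legitimate drivers carry none.

```python
"""Heuristic triage of HijackThis 1.99 log lines.

Added example for this thread; it is not a HijackThis feature.  The
allow-lists are assumptions an analyst would maintain, and the sample lines
are taken or adapted from the logs posted in the thread.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allow-list: autostart binaries already vetted as belonging to the
# OS or to software the user installed on purpose.  Anything else is reviewed.
KNOWN_GOOD = {
    "rundll32.exe", "nvcpl.dll", "nwiz.exe", "cthelper.exe", "realsched.exe",
    "teatimer.exe", "mcagent.exe", "nvsvc32.exe",
}
# Assumed allow-list of browser start/search pages the user chose.
TRUSTED_PAGES = {"www.google.com", "google.com"}

# Constructed sample.  The bare-IP start page is the value from the poster's
# second log; the other lines are copied from the first one.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitekto32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C2BAA4-0E72-4889-BCBA-09149288F59C}: NameServer = 194.72.9.44 194.74.65.86
"""

O4_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")
R_RE = re.compile(r"^R[01] - (.+?),(.+?) = (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def binaries_in(command):
    """Lower-cased basenames of every .exe/.dll named on a Run command line."""
    names = []
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command):
        token = (quoted or bare).split(",")[0]       # drop a ",EntryPoint" suffix
        if token.lower().endswith((".exe", ".dll")):
            names.append(token.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def page_host(value):
    """Hostname of a start/search page value, with or without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, line, reason) for every line a heuristic fires on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            unknown = [b for b in binaries_in(m.group(3)) if b not in KNOWN_GOOD]
            if unknown:
                findings.append(("review", line,
                                 "unvetted autostart binary: " + ", ".join(unknown)))
        elif m := O23_RE.match(line):
            if m.group(3).lower() == "unknown owner":
                findings.append(("review", line,
                                 "service binary carries no vendor information"))
        elif m := R_RE.match(line):
            host = page_host(m.group(3))
            if is_ip(host):
                findings.append(("high", line, f"browser page set to bare IP {host}"))
            elif host not in TRUSTED_PAGES:
                findings.append(("review", line, f"browser page points at {host}"))
        elif m := O17_RE.match(line):
            findings.append(("verify", line,
                             f"confirm DNS servers {m.group(1)} belong to your ISP"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

To use it on a saved log, read the file into a string and pass it to triage(). The allow-list is deliberately strict: on a first run most O4 lines will be reported, and each one you confirm as legitimate goes into KNOWN_GOOD, so that on the next log only what has changed is left to read.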
Old 04-12-2005, 08:54 PM   #13 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


lil bump

A little bump, a little early as per forum rules, in case the post has been buried. (Sorry kworley517)

Situation unchanged.
cjhsb is offline  
Old 04-13-2005, 08:21 PM   #14 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Another bump, 24 hrs passed; still no change I'm afraid.
cjhsb is offline  
Old 04-13-2005, 09:24 PM   #15 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


OK, let me jump in here for a second. kworley may take over this after you post these logs.

For TDS-3, try renaming that TDS-3.exe file to something like TDSold.exe instead. Doesn't matter what you call it, just give it another name. Now try running it. Whether it worked or not (but tell us if it doesn't), do the following also:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Do not run it yet.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the 'Generate StartupList log' button. Post that log in your next post.

Right click on http://www.greyknight17.com/spy/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download Find-qoologic http://www.greyknight17.com/spy/Find-qoologic.zip. Unzip the files to your Desktop. Open the qoologic folder and run the 'qoologic.bat' file. Wait a few minutes for it to finish. When the dos window disappears, go to your C: drive and open up the 'log.txt' file. Copy and paste the whole log in your next post.

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

Download 'Find It NT-2K-XP' at http://www.greyknight17.com/spy/Find...20NT-2K-XP.zip for Windows NT/2000/XP. For those with Windows 98/ME, get FindIt9xME at http://www.greyknight17.com/spy/FindIt9xME.zip instead. Once downloaded, unzip it. Open up the folder and double click on the FindNarrator.bat (Windows NT/2K/XP users) or the FindIt9xMe.bat (for Windows 98/ME users) file. Let it run for a while. This will generate a log file. Please post the entire contents of the log file here.

Post all of the logs in your next post. We need all of them to get a fix for this infection.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 04-14-2005, 12:09 AM   #16 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Many thanks GreyKnight17 for the new plan of action!

One quick question though - I am working through the steps now but my anti-virus software keeps deleting the viruses from files as TDS finds them. I have been somewhat concerned to turn it off, but should I before doing all this, or is it just the blockers such as TeaTimer you want me to take offline?
cjhsb is offline  
Old 04-14-2005, 07:01 AM   #17 (permalink)
Analyst, Security Team
 
greyknight17's Avatar
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


So TDS-3 does work then? I thought you said it doesn't work? Oh well. If it's running, let it finish up first. It shouldn't take very long though. So if you had it running for a very long time (I would say over an hour is overkill), then close it and run those programs I mentioned above. We will get to the bottom of this, eventually.

greyknight17 is offline  
Old 04-14-2005, 08:42 AM   #18 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Ya it works; after I did the fix from the XP CD my svchost thread unlocked and I was again able to run Windows (and other) scripts. The problem has moved down in scale from a completely useless computer to just one with a host of malware on it :-)

Anyway it ran fine, but I let it run and didn't paste a log as that was last night.

Will rerun it all from scratch and post logs!
cjhsb is offline  
Old 04-14-2005, 09:06 AM   #19 (permalink)
I helped the forums.
 
Join Date: Apr 2005
Posts: 18
OS: XP Home SP2


Ok, results as follows (please note that this was the second run of the apps without a reboot; more than happy to reboot and rerun it all again if needed, I don't know if it makes a difference...)

TDS-3 ran successfully; nothing found.
On the first run it found 4 or 5 files that it couldn't open as McAfee detected viruses and autofixed them as it was running; no other errors/infections noted.

Logfile of HijackThis v1.99.1
Scan saved at 3:41:06 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Carl\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113267096656
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C2BAA4-0E72-4889-BCBA-09149288F59C}: NameServer = 194.72.9.44 194.74.65.86
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



"Silent Runners.vbs", revision 29, launched at: 15:44
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RemoteCenter" = "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" ["Creative Technology Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"CTSysVol" = "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" ["Creative Technology Ltd"]
"CTDVDDet" = "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" ["Creative Technology Ltd"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"CTStartup" = ""C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run" ["Creative Technology Ltd."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe" ["McAfee, Inc"]
"LiveMonitor" = "C:\Program Files\MSI\Live Update 3\LMonitor.exe" [empty string]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\lcmmfu.cpl" [null data]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b3 (beta test) Context Menu Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b3 (beta test) DragDrop Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b3 (beta test) Context Menu Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b3 (beta test) Property Sheet Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "PCANotify\DLLName" = "PCANotify.dll" ["Symantec Corporation"]


Startup items in "Carl" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\KEM.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"McAfee.com Update Check (OBSTINATE-Carl)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["McAfee, Inc"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


QOO
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

C:\Documents and Settings\Carl\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ntdll.dll: .aspack

Files Found in all users startup Folder............
------------------------


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,352 items found: 1,352 files, 0 directories.
Total of file sizes: 285,441,038 bytes 272.21 M

Administrator Account = True

--------------------End log---------------------




---------------- FindNarrator NT-2K-XP ----------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****

Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)

********* Date/Time ********

Thursday, April 14, 2005 (4/14/2005)
3:59 PM, GMT Standard Time

*********** Path ***********

FindNarrator.bat is running from: C:\Documents and Settings\Carl\Desktop\FindIt\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------


---------------- Strings.exe Aspack Results ----------------

C:\WINDOWS\system32\ntdll.dll: .aspack

---------------- Active Setup Installed Components ----------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{032A6019-9DAA-40f9-A3B3-34ABB0AA0947}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2cc9d512-6db6-4f1c-8979-9a41fae88de0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{411EDCF7-755D-414E-A74B-3DCD6583F589}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5f3c70b3-ac2f-432c-8f9c-1624df61f54f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{795d0712-722c-43ec-906a-fc5e678eada9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8EFA4753-7169-4CC3-A28B-0A1643B8A39B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB2DC990-9642-456b-8F41-44D6F8A7C00A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C34F4917-ED43-439f-9023-97B0024A2B3B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f5173cf0-1dfb-4978-8e50-a90169ee7ca9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f5de1b93-9d38-416b-b09e-aa85a8e84309}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F9C174E3-3E87-40bc-AA94-B8974F2B9222}

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
@=""

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu]
@="{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3]
@="{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter]
@="{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TurboZIP5]
@="{F3802420-0C3F-11d2-961D-00600895E4DF}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd]
@="{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}]

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"Logitech Utility"="Logi_MwX.Exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /run"
"nwiz"="nwiz.exe /install"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcupdate.exe"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------

Old 04-14-2005, 10:31 AM   #20 (permalink)
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

Just one thing. Do you recognize this IP address:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/


If that's ok to keep, then:

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

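The one item the analyst singled out above is a browser start page set to a bare IP address rather than a hostname. That is a cheap mechanical check, as are the "Unknown owner" services and the O17 NameServer entry earlier in the log, so the following is an added example (not part of this thread and not HijackThis code) of a small triage pass over HijackThis-style lines. The sample log is constructed for the example: the R0, O17 and O23 lines copy the shapes seen in the thread, the rest are filler. It flags entries for a human to look at and asserts nothing about whether they are malicious; in particular "Unknown owner" only means HijackThis found no company name in the file's version information, which is normal for small third-party tools. It goes slightly beyond the thread by also treating an IPv6 literal in the URL as a bare-IP start page.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample log (not a real scan): a few HijackThis-style lines in the
# same format as the thread. Only the R0, O17 and O23 shapes matter here.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.3.122.17/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O17 - HKLM\System\CCS\Services\Tcpip\..\{97C2BAA4-0E72-4889-BCBA-09149288F59C}: NameServer = 194.72.9.44 194.74.65.86
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def _is_ip_literal(host: Optional[str]) -> bool:
    """True if host is a bare IPv4 or IPv6 address (urlsplit strips the [] from IPv6)."""
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_start_page(line: str) -> Optional[str]:
    """R0/R1 lines: '<key>,<value name> = <url>'. Flag a start/search page whose host is an IP."""
    if not line.startswith(("R0 -", "R1 -")):
        return None
    _, _, value = line.partition(" = ")
    value = value.strip()
    if not value:
        return None
    # about:blank and similar have no scheme separator; treat the whole value as the host.
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if _is_ip_literal(host):
        return f"browser start/search page points at a bare IP address: {host}"
    return None


def check_service(line: str) -> Optional[str]:
    """O23 lines: 'Service: <display> (<name>) - <publisher> - <path>'. Surface unattributed binaries."""
    if not line.startswith("O23 -"):
        return None
    parts = line.split(" - ")
    if len(parts) < 4:
        return None
    publisher = parts[2].strip()
    path = " - ".join(parts[3:]).strip()  # a path may itself contain ' - '
    if publisher.lower() == "unknown owner":
        return f"service without a publisher in its version info, review by hand: {path}"
    return None


def check_nameserver(line: str) -> Optional[str]:
    """O17 lines: per-interface DNS servers. A hijacked resolver redirects every lookup,
    so list them for confirmation against the ISP's published servers."""
    if not line.startswith("O17 -") or "NameServer" not in line:
        return None
    _, _, value = line.partition("=")
    servers = value.split()
    return "DNS servers set on an interface, confirm they belong to the ISP: " + ", ".join(servers)


def triage(log_text: str) -> List[Finding]:
    """Run every check over every non-empty line and collect the hits in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in (check_start_page, check_service, check_nameserver):
            reason = check(line)
            if reason:
                findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports four items: the IP start page, the two DNS servers, and the two services with no publisher. The NVIDIA service and the google.com search page pass silently. A bare-IP start page is exactly what the analyst asked the poster to confirm; the script only replaces the eyeballing step, not the judgement.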
 


Copyright 2001 - 2009, Tech Support Forum