Resolved HJT Threads Resolved spyware and popup issues.
Old 08-10-2005, 12:12 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


Can't get winstall.exe out of my Registry!

I recently did battle with Spysheriff and finally won...mostly. In the
process of getting the Spysheriff stuff off of my computer, I
identified a few other items in my "Hijack This" log that were regarded as
malware and/or were left over after a program had been removed from my
computer.

I have tried getting rid of them by checking them on a "Hijack This" scan.
I have tried getting rid of them by deleting them with "Autoruns." I
have deleted them using "RegScrubXP" and "RegSupreme." In each and every
case the offending lines continue to appear the next time I run one of
these programs. "RegScrubXP" identifies the files as problems to be
corrected and notes the problem as being "Run file does not exist." That
is correct as I deleted the programs, but I cannot get the references to
them out of the Registry.

As I am trying to speed up the start-up time for XP I want to get rid of
anything in the start-up loop that isn't necessary and these entries
definitely qualify. Any help in understanding why these entries are being
regenerated and squelching them would be greatly appreciated.

Here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:42 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NexusServer] "c:\program files\common files\canopus shared\procoder 2\kernel\cache\pnxservr.exe" -SelfLaunch
O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
__________________
Bosqueboy
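As an added example (not code from the thread or from HijackThis), a small Python script that parses the O4 registry-run lines of a HijackThis log like the one above and flags the traits the winstall.exe entry shows: an executable sitting in the drive root, a value name borrowed from a Windows component, and a target file that no longer exists, the "Run file does not exist" case. It also compares two logs and lists flagged entries that came back after removal, which is the symptom described in the post. The sample O4 lines are copied from the log above; the on-disk file set and the follow-up log are constructed so the script runs offline.

```python
"""Flag suspicious HijackThis O4 (registry Run) entries and spot ones that return.

Added example for this thread; not HijackThis code. SAMPLE_O4_LINES is copied
from the first log above. PRESENT_ON_DISK (stand-in for a file-existence check)
and LATER_O4_LINES (a follow-up log) are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# O4 lines copied from the first HijackThis log in the thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
"""

# Constructed follow-up log: the winstall.exe entry has reappeared after removal.
LATER_O4_LINES = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
"""

# Constructed stand-in for os.path.exists(): lower-cased paths assumed present.
PRESENT_ON_DISK: Set[str] = {
    r"c:\program files\quicktime\qttask.exe",
    r"c:\program files\skype\phone\skype.exe",
    r"c:\progra~1\symnet~1\sndmon.exe",
}

# "O4 - HKCU\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# Unquoted command lines: take everything up to the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+|$)", re.I)
# Value names that borrow an OS component's name while pointing outside the OS tree.
OS_LOOKALIKE = re.compile(r"\b(windows|microsoft|system)\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")


@dataclass
class RunEntry:
    hive: str     # HKLM or HKCU
    key: str      # Run, RunOnce, ...
    name: str     # registry value name shown in [brackets]
    command: str  # full command line as logged
    exe: str      # executable path extracted from the command line


def split_command(command: str) -> str:
    """Return the executable path portion of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def parse_o4(text: str) -> List[RunEntry]:
    """Parse the registry-backed O4 lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup .lnk lines and other sections are skipped
        hive, key, name, command = m.groups()
        entries.append(RunEntry(hive, key, name, command, split_command(command)))
    return entries


def assess(entry: RunEntry, present_on_disk: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty = unremarkable)."""
    flags = []
    exe = entry.exe.lower()
    _drive, sep, rest = exe.partition(":\\")
    if sep and rest and "\\" not in rest:
        flags.append("drive-root")         # e.g. C:\winstall.exe; installers rarely do this
    if "\\" not in exe:
        flags.append("bare-name")          # resolved through the PATH search at logon
    if OS_LOOKALIKE.search(entry.name) and not exe.startswith(SYSTEM_DIRS):
        flags.append("os-lookalike-name")  # the real Windows Installer is msiexec.exe
    if present_on_disk is not None and "\\" in exe and exe not in present_on_disk:
        flags.append("file-missing")       # the "Run file does not exist" case
    return flags


def still_present(before: str, after: str) -> List[str]:
    """Names of flagged entries from an earlier log that are back in a later one.

    An entry removed with HijackThis or Autoruns that reappears on the next scan
    is the strongest hint that something else is re-creating it."""
    later = {(e.hive, e.key, e.name, e.exe.lower()) for e in parse_o4(after)}
    return [e.name for e in parse_o4(before)
            if assess(e) and (e.hive, e.key, e.name, e.exe.lower()) in later]


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_O4_LINES):
        print(f"{e.hive}\\{e.key} [{e.name}] {e.exe}: {assess(e, PRESENT_ON_DISK) or 'ok'}")
    print("reappeared after removal:", still_present(SAMPLE_O4_LINES, LATER_O4_LINES))
```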

Old 08-10-2005, 09:41 PM   #2 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Hi and Welcome to TSF

Since you had the "Sheriff", let's run its fix to make sure you got it all.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive. (C:\HJT)


Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right-clicking on My Computer and going to Properties->System Restore; check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract its files into its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis log, Ewido log, Panda scan, and the smitfiles.txt log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
Old 08-13-2005, 08:53 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


Here are the results of the tests.

The unwanted files are still there! Aaargh!
------------------------------------------------------------------------

Incident Status Location

Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Adelphia, Cable Modems & Networking[Document.zip]
Virus:W32/Happy Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Collins Archives[~000029.txt][~000600.txt][Happy99.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[~000271.@x@]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[~000873.@x@]
Virus:W32/Mytob.DZ.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[email-doc.zip][email-doc.htm .scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[~003183.@x@]
Virus:Trj/Downloader.DCM Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[photos.rar.exe]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[document.zip][document.txt .pif]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[account-password.zip][account-password.doc .scr]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[updated-password.zip][updated-password.txt .scr]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[email-details.zip][email-details.htm .pif]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[pmanzvx.zip][pmanzvx.txt .exe]
Virus:Trj/Mitglieder.DQ Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[Beach.zip][f5434.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[~007226.@x@]
Virus:W32/Mytob.C.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[doc.zip][doc.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[details.txt.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[information.pif]
Virus:W32/Bagle.DX.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Inbox[Increase_in_the_tax.rar][Taxes.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[~000270.@x@]
Virus:W32/Mytob.DZ.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[email-doc.zip][email-doc.htm .scr]
Virus:Trj/Downloader.DCM Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[photos.rar.exe]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[updated-password.zip][updated-password.txt .scr]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[email-details.zip][email-details.htm .pif]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[pmanzvx.zip][pmanzvx.txt .exe]
Virus:Trj/Mitglieder.DQ Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[Beach.zip][f5434.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[~002636.@x@]
Virus:W32/Mytob.C.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[doc.zip][doc.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[details.txt.pif]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[information.pif]
Virus:W32/Bagle.DX.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Junk[Increase_in_the_tax.rar][Taxes.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Sent[~001597.txt][~000002.@x@]
Virus:W32/Mimail.I.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Sent[www.paypal.com.scr]
Virus:W32/Sober.G.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Sent[photo_940.zip][p-zipped_file_data .pif]
Virus:W32/Mydoom.N.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Sent[message.exe]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Trash[document.zip][document.txt .pif]
Virus:W32/Mytob.FE.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Trash[account-password.zip][account-password.doc .scr]
Virus:Trj/Downloader.DCM Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Trash[photos.rar.exe]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\Kenneth Grimm\Application Data\Thunderbird\Profiles\3t8zghsk.default\Mail\Local Folders\Trash[details.txt.pif]
Possible Virus. No disinfected C:\System Volume Information\_restore{9D0DA541-7A0F-4A01-B423-56015957B9CA}\RP320\A0078519.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{9D0DA541-7A0F-4A01-B423-56015957B9CA}\RP332\A0080903.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{9D0DA541-7A0F-4A01-B423-56015957B9CA}\RP368\A0090512.exe

-------------------------------------------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:28:54 AM, 8/13/2005
+ Report-Checksum: DE64EE61

+ Scan result:

:mozilla.16:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.298:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.372:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.373:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.374:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.423:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.424:C:\Documents and Settings\Kenneth Grimm\Application Data\Mozilla\Firefox\Profiles\nzlqcrad.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup


::Report End
---------------------------------------------------------------

smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/13/2005
The current time is: 8:46:59.56

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)
----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:45:04 AM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKLM\..\Run: [NexusServer] "c:\program files\common files\canopus shared\procoder 2\kernel\cache\pnxservr.exe" -SelfLaunch
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
__________________
Bosqueboy
Old 08-13-2005, 08:56 AM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


Unwanted files still there....

Despite the fact that the unwanted files are still there, I'm very glad that I ran the programs and got rid of a bunch of junk that AdAware, SpybotS&D, McAfee and Microsoft didn't catch! Thanks for that!!
__________________
Bosqueboy
Old 08-13-2005, 08:06 PM   #5 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Download WinPFind http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
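The two logs MicroBell asks for list the same Run keys this thread has been fighting over, and the first thing a helper does with them is pick out the entries that do not look like they belong. The script below is an added example for this page, not code from the thread, HijackThis, Track qoo or WinPFind. It parses HijackThis "O4" lines and a REGEDIT4 export of the Run keys (the format Track qoo produces, posted later in the thread) and flags entries on four heuristics of its own: an executable sitting in the drive root, a bare filename that Windows resolves through the search path, a display name that imitates a Windows component while running from somewhere other than the Windows directory, and (when a file-existence callback is supplied) a target that no longer exists. Entries under the Run\AutorunsDisabled subkey, where Sysinternals Autoruns parks an item the user unchecks, are not live autostarts and are skipped. The sample lines are copied from the logs posted in this thread.

```python
"""Triage of Windows Run-key autostart entries from HijackThis and REGEDIT4 logs.

Added example for this thread, not code from HijackThis, Track qoo or WinPFind.
The heuristics are this example's own; the sample lines come from the thread.
"""
import re
from dataclasses import dataclass

# Where genuine Windows components live (lower-case path prefixes).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")
# Display names that imitate Windows components. The real Windows Installer is
# %SystemRoot%\system32\msiexec.exe, not C:\winstall.exe.
IMPERSONATED_NAMES = {"windows installer", "windows update", "microsoft update"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
# Live Run keys only: Autoruns moves unchecked items to Run\AutorunsDisabled,
# which Windows never executes, so that subkey does not match here.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\]$", re.I)
REG_VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')


@dataclass
class RunEntry:
    hive: str      # "HKLM" or "HKCU"
    name: str      # value name (shown in brackets by HijackThis)
    command: str   # command line executed at logon
    source: str    # "hjt" or "reg"


def parse_hjt(text):
    """Extract Run-key entries from HijackThis O4 lines."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), m.group(3), "hjt"))
    return entries


def parse_regedit4(text):
    """Extract Run-key entries from a REGEDIT4 export (Track qoo style)."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            hive = None
            if m:
                hive = "HKLM" if m.group(1).upper() == "HKEY_LOCAL_MACHINE" else "HKCU"
            continue
        m = REG_VALUE_RE.match(line)
        if hive and m:
            # REGEDIT4 escapes backslashes and quotes with a backslash.
            entries.append(RunEntry(hive, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2)), "reg"))
    return entries


def executable_path(command):
    """Return the program a Run command line starts, without its arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split(" ")[0] if cmd else "")


def triage(entry, exists=None):
    """Return the reasons an entry deserves a closer look ([] if none).

    exists: optional callable path -> bool (os.path.exists on the affected
    machine) used to flag entries whose target file has already been deleted.
    """
    if not entry.command.strip():
        return ["empty value: dead entry, nothing runs"]
    reasons = []
    path = executable_path(entry.command)
    low = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        reasons.append("executable sits in the drive root")
    if "\\" not in low:
        reasons.append("bare filename, resolved through the search path")
    if entry.name.lower() in IMPERSONATED_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"name imitates a Windows component but runs {path}")
    if exists is not None and not exists(path):
        reasons.append("target file does not exist")
    return reasons


def report(entries, exists=None):
    """Map 'HIVE\\name' -> reasons for every flagged entry."""
    return {f"{e.hive}\\{e.name}": r for e in entries if (r := triage(e, exists))}


# Constructed samples, copied from the HijackThis and Track qoo logs in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
"""
REG_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HydarVisionDesktopManager"=""
"Archive"="C:\\Program Files\\Archive\\archive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Archive"="C:\\Program Files\\Archive\\archive.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows installer"="C:\\winstall.exe"
"""

if __name__ == "__main__":
    for key, reasons in report(parse_hjt(HJT_SAMPLE) + parse_regedit4(REG_SAMPLE)).items():
        print(key, "->", "; ".join(reasons))
```

On the sample above the script singles out `HKCU\Windows installer` (drive-root executable with a name borrowed from a Windows component), `HKLM\SoundMan` (bare filename) and the empty `HydarVisionDesktopManager` value, and leaves the quoted, fully-pathed Program Files entries alone. Run on the affected machine with `exists=os.path.exists`, it also marks entries whose program has already been deleted, which is the state the opening post describes. The script only reports; deciding whether to remove a value is still the helper's call.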
Old 08-13-2005, 10:55 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


WinPFind.txt and Track qoo.vbs logs

Here are the logs you requested.

--------------------------------------------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 11/22/2004 4:54:32 PM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\LPT$VPN.695
qoologic 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\LPT$VPN.695
SAHAgent 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\LPT$VPN.695
UPX! 6/19/2005 11:10:50 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\VPTNFILE.695
qoologic 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\VPTNFILE.695
SAHAgent 6/19/2005 11:10:50 PM 15198037 C:\WINDOWS\VPTNFILE.695
UPX! 6/19/2005 11:10:50 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 6/19/2005 11:10:50 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/14/1997 11:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
aspack 2/17/2005 2:35:48 PM 702464 C:\WINDOWS\SYSTEM32\Incinerator.dll
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/14/2005 12:29:16 AM 2048 C:\WINDOWS\bootstat.dat
SH 7/30/2005 7:21:34 AM 8192 C:\WINDOWS\Thumbs.db
S 6/23/2005 8:41:36 PM 64 C:\WINDOWS\CSC\00000001
S 6/23/2005 8:34:24 PM 64 C:\WINDOWS\CSC\00000002
H 7/3/2005 12:28:30 AM 0 C:\WINDOWS\inf\oem14.inf
S 7/8/2005 4:23:18 PM 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 6/30/2005 934 AM 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 7/19/2005 7:18:10 PM 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 6/30/2005 1:42:18 PM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 6/30/2005 2:21:10 PM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 6/30/2005 8:46:18 AM 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 6/28/2005 7:12:56 PM 11845 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
S 7/2/2005 4:18:16 AM 9445 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
H 8/14/2005 12:29:08 AM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/14/2005 12:29:30 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/14/2005 12:29:18 AM 8192 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/14/2005 12:33:28 AM 110592 C:\WINDOWS\system32\config\software.LOG
H 8/14/2005 12:28:04 AM 1024 C:\WINDOWS\system32\config\system.LOG
H 8/13/2005 8:40:54 AM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
SH 7/3/2005 12:36:40 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\315fbe28-5622-4272-8153-45cb1bbe7d76
SH 7/3/2005 12:36:40 AM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/14/2005 12:27:58 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 2/27/2003 3:39:50 AM 3028992 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
11/12/1999 5:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
ATI Technologies Inc. 10/26/2001 9:37:48 AM 49152 C:\WINDOWS\SYSTEM32\MMCpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 10:20:50 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/8/2005 10:51:40 AM 898 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
7/8/2005 10:51:40 AM 968 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
7/8/2005 10:51:40 AM 907 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/8/2005 10:51:40 AM 773 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kaspersky Anti-Hacker.lnk
7/19/2005 6:46:16 PM 1775 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
7/8/2005 10:51:40 AM 649 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
7/8/2005 10:51:40 AM 588 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/2/2005 8:59:04 PM 873 C:\Documents and Settings\Kenneth Grimm\Application Data\AdobeDLM.log
2/2/2005 8:59:04 PM 0 C:\Documents and Settings\Kenneth Grimm\Application Data\dm.ini
3/31/2005 10:37:20 PM 53976 C:\Documents and Settings\Kenneth Grimm\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{44226DFF-747E-4edc-B30C-78752E50CD0C}
ButtonText = ATI TV :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{8E718888-423F-11D2-876E-00A0C9082467} = Radio : C:\WINDOWS\system32\msdxm.ocx
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
PinnacleDriverCheck C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
GhostStartTrayApp C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
type32 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
HydarVisionDesktopManager
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Archive C:\Program Files\Archive\archive.exe
NexusServer "c:\program files\common files\canopus shared\procoder 2\kernel\cache\pnxservr.exe" -SelfLaunch

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Skype "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
AWMON "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
ATI Launchpad
Windows installer C:\winstall.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 0
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
ForceActiveDesktopOn 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/14/2005 12:40:15 AM


--------------------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"GhostStartTrayApp"="C:\\Program Files\\Symantec\\Norton Ghost 2003\\GhostStartTrayApp.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"HydarVisionDesktopManager"=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Archive"="C:\\Program Files\\Archive\\archive.exe"
"NexusServer"="\"c:\\program files\\common files\\canopus shared\\procoder 2\\kernel\\cache\\pnxservr.exe\" -SelfLaunch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Archive"="C:\\Program Files\\Archive\\archive.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"NexusServer"="\"c:\\program files\\common files\\canopus shared\\procoder 2\\kernel\\cache\\pnxservr.exe\" -SelfLaunch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87}
C:\Program Files\Network Associates\VirusScan\shext.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk
Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk
desktop.ini
Kaspersky Anti-Hacker.lnk
Kodak EasyShare software.lnk
Microsoft Office.lnk
Quicken Startup.lnk
==============================
C:\Documents and Settings\Kenneth Grimm\Start Menu\Programs\Startup

Acrobat Assistant.lnk
Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk
desktop.ini
Kaspersky Anti-Hacker.lnk
Kodak EasyShare software.lnk
Microsoft Office.lnk
Quicken Startup.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bdeadmin.cpl Inprise Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MMCpl.cpl ATI Technologies Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
__________________
Bosqueboy
Old 08-14-2005, 01:59 AM   #7 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into safe mode.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click FILE…EXPORT… and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows installer C:\winstall.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Archive C:\Program Files\Archive\archive.exe


Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one, click YES and it will reboot.

C:\winstall.exe
C:\Program Files\Archive\archive.exe
C:\Documents and Settings\Kenneth Grimm\Application Data\dm.ini


Once you reboot.....

C:\Program Files\Archive <-- delete that folder.

Then run hijackthis and post a new log along with the log from the Ewido scan.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
Old 08-14-2005, 07:56 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


Ewido and HiJackThis logs.

Everything done as directed except for last action. C:\Program Files\Archive was not found.

Ewido shows as clean and HiJackThis shows the registry entries are still there.



----------------------------------------------------------------------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:30:27 AM, 8/14/2005
+ Report-Checksum: 7E60C8A

+ Scan result:

No infected objects found.


::Report End

-------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:45:48 AM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NexusServer] "c:\program files\common files\canopus shared\procoder 2\kernel\cache\pnxservr.exe" -SelfLaunch
O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
__________________
Bosqueboy
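The two analysts above work through the O4 (autostart) lines of the HijackThis log by eye: a value named "Windows installer" that launches C:\winstall.exe from the root of the drive, and an "Archive" entry whose target the user has already deleted. The script below is an added example for this thread, not HijackThis's own code or anything the forum posted. It parses O4 lines in the v1.99 format shown in the log above and applies a few defender-side triage heuristics of my own: an executable sitting directly in a drive root, a display name that imitates a Windows component while pointing outside %SystemRoot% or Program Files, a shortcut HijackThis could not resolve (`= ?`), and, when given a file-existence callback, a target that no longer exists on disk, which is the "Run file does not exist" remnant the opening post describes. The sample log is constructed from lines in this thread; the flag names and the "trusted directory" list are assumptions, not anything HijackThis defines.

```python
"""Triage HijackThis 'O4' autostart lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Archive] C:\\Program Files\\Archive\\archive.exe
O4 - HKCU\\..\\Run: [Windows installer] C:\\winstall.exe
O4 - Global Startup: Quicken Startup.lnk = C:\\QUICKENW\\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = ?
"""

# Registry-backed entries: "O4 - HKLM\..\Run: [Name] command"
REG_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
# Startup-folder entries: "O4 - Global Startup: Foo.lnk = target" or "O4 - Startup: ..."
STARTUP_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.*)$')
# Assumed "normal" homes for autostart binaries; anything else gets a closer look.
TRUSTED_DIR_RE = re.compile(r'^[A-Z]:\\(windows|winnt|program files|progra~1)', re.I)


@dataclass
class AutostartEntry:
    source: str            # e.g. "HKLM\Run", "HKCU\Run", "Global Startup"
    name: str              # registry value name or .lnk file name
    command: str           # raw command line as HijackThis printed it
    target: Optional[str]  # executable path pulled from the command, None if unresolved
    flags: List[str] = field(default_factory=list)


def extract_target(command: str) -> Optional[str]:
    """Return the executable path from a Run command line.

    Quoted paths are taken verbatim. Unquoted ones are cut after the first
    '.exe' so an unquoted path with spaces (C:\\Program Files\\Archive\\archive.exe)
    survives intact. '?' is what HijackThis prints for a shortcut it cannot resolve.
    """
    command = command.strip()
    if not command or command == '?':
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.I)
    return m.group(1) if m else command.split()[0]


def parse_o4_lines(log: str) -> List[AutostartEntry]:
    """Parse every O4 line in a HijackThis log into an AutostartEntry."""
    entries: List[AutostartEntry] = []
    for line in log.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append(AutostartEntry(f'{hive}\\{key}', name, cmd, extract_target(cmd)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            src, name, cmd = m.groups()
            entries.append(AutostartEntry(src, name, cmd, extract_target(cmd)))
    return entries


def flag_entry(e: AutostartEntry, exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Apply the triage heuristics; `exists` is an optional on-disk check (os.path.exists on the host)."""
    flags: List[str] = []
    t = e.target
    if t is None:
        return ['unresolved-target']            # '?' shortcut: inspect the .lnk by hand
    if re.match(r'^[A-Z]:\\[^\\]+$', t, re.I):
        flags.append('drive-root-executable')   # C:\winstall.exe style, rarely legitimate
    if '\\' not in t:
        flags.append('bare-filename')           # resolved via PATH at logon; confirm which copy runs
    if re.search(r'windows|microsoft', e.name, re.I) and not TRUSTED_DIR_RE.match(t):
        flags.append('name-mimics-windows-component')
    if exists is not None and '\\' in t and not exists(t):
        flags.append('target-missing')          # the orphaned "Run file does not exist" case
    return flags


def scan(log: str, exists: Optional[Callable[[str], bool]] = None) -> Dict[str, List[str]]:
    """Map each flagged autostart name to its flags; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for e in parse_o4_lines(log):
        e.flags = flag_entry(e, exists)
        if e.flags:
            report[e.name] = e.flags
    return report


if __name__ == '__main__':
    import os
    for name, flags in scan(SAMPLE_LOG, exists=os.path.exists).items():
        print(f'{name:25} {", ".join(flags)}')
```

Run on the real log from a Windows host, pass `exists=os.path.exists` so the orphaned entries are reported too; on another machine leave it out, since the paths will not resolve there. The output is a shortlist to review, not a verdict: "bare-filename" in particular fires on harmless driver helpers such as SOUNDMAN.EXE, and the point of the flag is only to say where to look next.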
Old 08-14-2005, 10:51 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,995
OS: WinXP and Vista


That should have worked. Please be sure the following is still in effect:

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Let's try it this way:

Reboot into Safe Mode.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Archive

If you do not see it listed in the Add/Remove, see if it's listed here and uninstall:

Open HijackThis>Config>Misc Tools>Open Uninstall Manager and look for Archive

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Archive] C:\Program Files\Archive\archive.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe


Delete the following Folder and File if they still exist:

C:\Program Files\Archive
C:\winstall.exe

Reboot into Normal Mode and run another scan with HijackThis and post the log here. If those entries have returned, please do the following:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 08-14-2005, 02:44 PM   #10 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Try doing the fix from normal mode. DO NOT reboot into safe mode. As the entries are still there...you're missing a step or the files. Likely since you didn't remove archive.exe it's holding the winstall.exe in place.

**Note**

Please disable Ad-Aware's Ad-Watch or Spybot's TeaTimer until this fix is complete!!! Both can block changes to the registry!!!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

Last edited by MicroBell; 08-14-2005 at 02:47 PM.
Old 08-14-2005, 08:46 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Virginia
Posts: 6
OS: XP


Thumbs Up

Quote:
Originally Posted by MicroBell
**Note**

Please disable Ad-Aware's Ad-Watch or Spybot's TeaTimer until this fix is complete!!! Both can block changes to the registry!!!
This was the key. Ad-Watch was blocking the registry changes. Once I told Ad-Watch to not install at startup, I was then able to check the undesired entries in HiJackThis and they seem to have finally entered the bit bucket! Thanks for all the help. I really appreciate it and I'm more than a little embarrassed for not realizing that Ad-Watch was hurting rather than helping.

Consider this case closed. Thanks again!!! You folks rock!
__________________
Bosqueboy
Copyright 2001 - 2009, Tech Support Forum