Tech Support Forum - Resolved HJT Threads (resolved spyware and popup issues)
#1

I helped the forums.
Join Date: Aug 2005
Posts: 12
OS: XP

Hijackthis Log
Hi again, thanks for all the help last time! I'll be doing a donation shortly.
In the meantime though, I have one other computer that could use some cleaning. I've run Adaware, Spybot, and a Virus Scan, and had all windows closed when I ran HJT. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:47 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\WINDOWS\system32\papaqj.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\l?gonui.exe
C:\Program Files\rdso\eetu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ucctops.com/ucc/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Mgtwwu] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.homeshowexpo.com
O15 - Trusted Zone: *.ucctops.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.com/UCC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.com/UCC/OUTLOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.com/UCC/UCCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.com/UCC/UCCMEMBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.com/UCC/UCCVENDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.com/UCC/UCCVENDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.com/UCC/UCCVENDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.com/UCC/UCCORDEREDITEMS.CAB
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.com/UCC/UCCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.com/UCC/UCCFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.com/ucc/OrderPayment.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhomedirect.com/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops.com/cabs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.ucctops.com/ucc/arview2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.com/UCC/UCCCENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.com/UCC/EMPLOYEECENTER.CAB
O16 - DPF: {9AA16458-56A0-41E4-8DE9-693200AFBE2C} (Project1.VSRLogOnSecure) - http://sec1.totalhomedirect.com/VSR.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.com/UCC/UCCLVENDORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.com/UCC/UCCVENDORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.com/UCC/ROUTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.com/UCC/UCCVENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.com/UCC/PRJUCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.com/UCC/ORDERTOLOAD.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.com/ucc/UCCDateControl.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.com/ucc/UccSupplierList.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - https://www.ucctops.com/ucc/UCC_PODiscussionsXML.cab
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.com/UCC/EMPLOYEEVENDOR.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.com/UCC/UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.com/UCC/UCCMEMBERPAYMENT.CAB
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

For reference, I do use McAfee and UCCTOPS, but not AOL or Dell4me which I see references to in the above. Much thanks in advance for the assistance when time permits!
#2

Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista
Hello vader3001,
Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Download WinPFind http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Download Trackqoo http://www.geekstogo.com/downloads/Trackqoo.zip and save it somewhere you will remember, like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet.

Reboot into Safe Mode (tapping F8 or F5).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one if they are still listed (they shouldn't be - but double check it). (You must kill them one at a time.)
C:\WINDOWS\system32\papaqj.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\system32\l?gonui.exe
C:\Program Files\rdso\eetu.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Cas
Rdso

If you no longer use AOL and wish to remove it, remove it through the Add/Remove Panel.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Mgtwwu] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe

Delete the following files indicated in RED and folders indicated in BLUE if they still exist.
C:\Program Files\Cas
C:\Program Files\rdso
C:\WINDOWS\system32\papaqj.exe
C:\WINDOWS\system32\l?gonui.exe

Reboot back into Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

Locate & double-click on TrackQoo1.vbs. Wait a few seconds and a notepad page will pop up. Copy & paste those results in your next post.
* If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

So I will need the following logs:
WPFind
Trackqoo
HijackThis
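The analyst's fix list above is essentially a manual triage of the HijackThis log: look at the running processes and O4 autorun entries for file names that imitate Windows binaries (the `l?gonui.exe` entry mimics the legitimate logonui.exe, the `?` being how HijackThis prints a non-ASCII character), orphaned BHOs, changed start pages, Trusted Zone additions, ActiveX packages from bare IP hosts, and a third-party MIME filter hooked into text/html. The script below is an added example, not part of the original thread and not HijackThis code: it parses the log format into typed entries and applies those same checks. The sample log is a constructed excerpt of the entries posted in this thread; the list of system binaries, the severity labels and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, reduced from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\papaqj.exe
C:\WINDOWS\system32\l?gonui.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ucctops.com/ucc/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run
O4 - HKCU\..\Run: [Mgtwwu] C:\WINDOWS\system32\l?gonui.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O15 - Trusted Zone: *.ucctops.com
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - ..." section prefix
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|scr|ocx|cpl))(?:\s|$)', re.I)
# Core Windows binaries that malware likes to imitate by name (assumed list).
SYSTEM_BINARIES = {"logonui.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "explorer.exe", "csrss.exe", "services.exe", "smss.exe"}

@dataclass
class Entry:
    kind: str   # HijackThis section ("R0", "O4", ...) or "PROC" for a running process
    text: str

@dataclass
class Finding:
    severity: str
    kind: str
    reason: str
    text: str

def parse_hjt(log: str) -> list[Entry]:
    """Split a HijackThis log into typed entries; process-list lines become PROC."""
    entries, in_procs = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            entries.append(Entry("PROC", line))
    return entries

def image_path(text: str) -> str:
    """Pull the executable/DLL path out of an O4 command line or a process line."""
    cmd = re.sub(r"^.*?\]\s*", "", text, count=1) if text.startswith(("HKLM", "HKCU")) else text
    m = EXE_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one substitution separates l?gonui.exe from logonui.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(entries: list[Entry]) -> list[Finding]:
    out = []
    for e in entries:
        if e.kind in ("PROC", "O4"):
            name = image_path(e.text).rsplit("\\", 1)[-1].lower()
            if re.search(r"[^a-z0-9._~-]", name):   # '?' is how HJT renders a non-ASCII byte
                out.append(Finding("high", e.kind, f"non-ASCII character in file name {name}", e.text))
            near = [s for s in SYSTEM_BINARIES if s != name and edit_distance(name, s) == 1]
            if near:
                out.append(Finding("high", e.kind, f"{name} is one edit away from {near[0]}", e.text))
        elif e.kind == "O2" and e.text.endswith("(no file)"):
            out.append(Finding("low", e.kind, "orphaned BHO registration", e.text))
        elif e.kind in ("R0", "R1") and "Start Page" in e.text and not e.text.endswith("about:blank"):
            out.append(Finding("low", e.kind, "IE start page has been set", e.text))
        elif e.kind == "O15":
            out.append(Finding("medium", e.kind, "site added to the Trusted Zone", e.text))
        elif e.kind == "O16" and re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", e.text):
            out.append(Finding("medium", e.kind, "ActiveX package served from a bare IP address", e.text))
        elif e.kind == "O18" and not e.text.lower().split(" - ")[-1].startswith("c:\\windows\\"):
            out.append(Finding("medium", e.kind, "text/html MIME filter hooked by a third-party DLL", e.text))
    return out

def report(log: str) -> list[Finding]:
    """Parse and triage in one call; findings come back ordered high -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(triage(parse_hjt(log)), key=lambda f: order[f.severity])

if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:4} {f.reason}: {f.text}")
```

Run against the sample it raises the same four high-severity hits the analyst acted on (the `l?gonui.exe` process and its HKCU Run entry, each flagged twice: once for the non-ASCII character and once as a one-edit look-alike of logonui.exe), plus the Trusted Zone, bare-IP ActiveX and text/html filter entries. `papaqj.exe` and `eetu.exe` are deliberately not caught by these rules: a random name in system32 or Program Files needs a hash lookup or a reputation source, which is exactly why the analyst asks for a second scanner's log.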
#3

I helped the forums.
Join Date: Aug 2005
Posts: 12
OS: XP
Here are the requested logs:
WPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 1/16/2003 1:15:46 PM 43516067 C:\drv9x.cab

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/1/2004 8:49:08 PM 192000 C:\WINDOWS\chocRiver.scr
aspack 9/1/2004 8:49:06 PM 545280 C:\WINDOWS\flashax.exe
aspack 6/24/2004 3:18:20 PM 192000 C:\WINDOWS\MMS_OgreFactory.scr

Checking %System% folder...
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
69.59.186.63 7/15/2005 12:50:30 PM 9728 C:\WINDOWS\SYSTEM32\ededr.dll
209.66.67.134 7/15/2005 12:50:30 PM 9728 C:\WINDOWS\SYSTEM32\ededr.dll
web-nex 7/15/2005 12:50:30 PM 9728 C:\WINDOWS\SYSTEM32\ededr.dll
winsync 7/15/2005 12:50:30 PM 9728 C:\WINDOWS\SYSTEM32\ededr.dll
69.59.186.63 7/15/2005 12:50:30 PM 26624 C:\WINDOWS\SYSTEM32\kfkfadh.dll
209.66.67.134 7/15/2005 12:50:30 PM 26624 C:\WINDOWS\SYSTEM32\kfkfadh.dll
web-nex 7/15/2005 12:50:30 PM 26624 C:\WINDOWS\SYSTEM32\kfkfadh.dll
winsync 7/15/2005 12:50:30 PM 26624 C:\WINDOWS\SYSTEM32\kfkfadh.dll
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/16/2005 3:03:44 PM 2048 C:\WINDOWS\BOOTSTAT.DAT
H 7/1/2005 10:50:04 AM 0 C:\WINDOWS\INF\oem35.inf
SH 7/21/2005 9:58:48 AM 401408 C:\WINDOWS\SYSTEM32\l?gonui.exe
S 7/8/2005 4:23:18 PM 12143 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 6/30/2005 9 34 AM 11437 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 7/19/2005 7:18:10 PM 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 6/30/2005 1:42:18 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 6/30/2005 2:21:10 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 6/30/2005 8:46:18 AM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 6/28/2005 7:12:56 PM 11845 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
S 7/2/2005 4:18:16 AM 9445 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
H 8/16/2005 3:03:36 PM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
H 8/16/2005 3:03:54 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
H 8/16/2005 3:03:46 PM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
H 8/16/2005 3:03:54 PM 69632 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
H 8/16/2005 3:03:48 PM 917504 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
H 8/14/2005 3:01:02 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
SH 7/18/2005 8:59:32 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c2fc18d-61b7-43d7-a316-992ae237af76
SH 7/18/2005 8:59:32 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/16/2005 3:02:56 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 7/14/2005 4:54:50 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
SH 7/14/2005 4:54:50 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
SH 7/28/2005 12:08:06 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C1E9YTC1\desktop.ini
SH 7/21/2005 12:02:08 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CPQ9AZ6P\desktop.ini
SH 8/11/2005 12 02 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E9GTO1ER\desktop.ini
SH 7/21/2005 12:02:10 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YH0V234B\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 5/8/2003 9:25:18 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
5/11/2001 2:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 1/24/2004 8:20:50 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 1/24/2004 8:33:14 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 12:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/25/2005 4:05:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/24/2004 8:30:42 AM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
7/15/2005 12:50:30 PM 61952 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdrd.exe
1/19/2005 2:34:00 PM 1429 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
1/25/2005 4:03:56 PM 1693 C:\Documents and Settings\Aaron DeKuiper\Application Data\AdobeDLM.log
1/25/2005 4:03:56 PM 0 C:\Documents and Settings\Aaron DeKuiper\Application Data\dm.ini
5/1/2005 4:02:48 PM 45672 C:\Documents and Settings\Aaron DeKuiper\Application Data\GDIPFONTCACHEV1.DAT
8/11/2004 2:45:28 PM 12358 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JCM.{PB
8/11/2004 2:45:28 PM 61678 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{1636CDDC-86FA-4527-8224-822E80E2631A} = C:\WINDOWS\system32\aavpack.dll
{881332B6-C12A-4086-B11E-BE06EBB32FCD} = C:\WINDOWS\system32\mihtml.dll
{B0B56CDB-428C-4418-B858-62009264E0B1} = C:\WINDOWS\system32\DNCPROP.DLL
{38CC3047-BBDF-45F3-AE0E-2D5CE080AFC5} = C:\WINDOWS\system32\mtwdat10.dll
{51BDCCF1-26A3-4282-A5AF-4AEB19C73730} = C:\WINDOWS\system32\bydispl.dll
{97625C83-3F28-41EA-9853-04FA43F298EF} = C:\WINDOWS\system32\TUAPPCMP.DLL
{11294A51-2B73-4D47-B7B0-97D1890D6494} = C:\WINDOWS\system32\SKP32.DLL
{813D666C-255C-4E4A-BB9E-00F12DCA9653} = C:\WINDOWS\system32\VKA256.DLL
{B8348D37-002C-4FC8-AFCD-32BD97B08166} = C:\WINDOWS\system32\mwfutil.dll
{A321BC8B-2C15-4215-8F83-F43C4A05C673} = C:\WINDOWS\system32\DLSETUP.DLL
{B3B4FC34-2887-4421-8C43-A9E1EB47EA60} = C:\WINDOWS\system32\MYIOLE32.DLL
{E29680E3-3C16-4A83-9491-598A6309E2F7} = C:\WINDOWS\system32\SCRIO800.DLL
{125C8F0F-B81A-469F-86C7-0AC58D7127EC} = C:\WINDOWS\system32\mjcoree.dll
{1D6ABB61-DB12-4F97-B584-CF703A18191B} = C:\WINDOWS\system32\wuadmod.dll
{CC24AE25-60D9-4560-AAF1-6E51789BF655} = C:\WINDOWS\system32\phd.dll
{1AD4CD0D-A861-41E0-9D28-B0DE14CFDBA3} = C:\WINDOWS\system32\ivencode.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmgsfxm
  {6b87a013-4a84-4fe9-a69e-d86e241e96c7} = C:\WINDOWS\system32\ededr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
  {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
  {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
  Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
  = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
  {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
  = c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
  {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
  {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
  {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
  {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
  {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
  = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
  = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
  AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
  = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
  PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
  DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
  PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
  =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
  &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
  Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
  MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
  ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
  ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
  Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
  =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
  History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
  {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
  {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
CXMon "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
winsync C:\WINDOWS\system32\papaqj.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
  {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
  {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
  {0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  dontdisplaylastusername 0
  legalnoticecaption
  legalnoticetext
  shutdownwithoutlogon 1
  undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui = igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
  Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/16/2005 3:10:20 PM Trackqoo REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r" "PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"" "VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask" "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe" "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe" "VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\"" "CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\"" "MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe" "MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup" "winsync"="C:\\WINDOWS\\system32\\papaqj.exe reg_run" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" ----------------- HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers Subkey --- mgmgsfxm {6b87a013-4a84-4fe9-a69e-d86e241e96c7} C:\WINDOWS\system32\ededr.dll Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} C:\WINDOWS\System32\cscui.dll Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINDOWS\system32\SHELL32.dll Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINDOWS\system32\SHELL32.dll Subkey --- WinZip {E0D79304-84BE-11CE-9641-444553540000} C:\PROGRA~1\WINZIP\WZSHLSTB.DLL Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} 
Start Menu Pin C:\WINDOWS\system32\SHELL32.dll Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022} c:\progra~1\mcafee.com\vso\mcvsshl.dll ===================== HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINDOWS\system32\SHELL32.dll Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINDOWS\system32\SHELL32.dll Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll ============================== C:\Documents and Settings\All Users\Start Menu\Programs\Startup Adobe Reader Speed Launch.lnk DESKTOP.INI Digital Line Detect.lnk rdrd.exe UPS WorldShip PLD Reminder Utility.lnk ============================== C:\Documents and Settings\Aaron DeKuiper\Start Menu\Programs\Startup Adobe Reader Speed Launch.lnk DESKTOP.INI Digital Line Detect.lnk rdrd.exe UPS WorldShip PLD Reminder Utility.lnk DESKTOP.INI ============================== C:\WINDOWS\SYSTEM32 cpl files access.cpl Microsoft Corporation appwiz.cpl Microsoft Corporation B57exp.cpl Broadcom Corporation bdeadmin.cpl Borland Software Corporation bthprops.cpl Microsoft Corporation desk.cpl Microsoft Corporation firewall.cpl Microsoft Corporation hdwwiz.cpl Microsoft Corporation igfxcpl.cpl Intel Corporation inetcpl.cpl Microsoft Corporation intl.cpl Microsoft Corporation irprops.cpl Microsoft Corporation joy.cpl Microsoft Corporation jpicpl32.cpl Sun Microsystems MAIN.CPL Microsoft Corporation mmsys.cpl Microsoft Corporation NCPA.CPL Microsoft Corporation netsetup.cpl Microsoft Corporation nusrmgr.cpl Microsoft Corporation odbccp32.cpl Microsoft Corporation powercfg.cpl Microsoft Corporation prefscpl.cpl RealNetworks, Inc. QuickTime.cpl Apple Computer, Inc. 
sysdm.cpl Microsoft Corporation TELEPHON.CPL Microsoft Corporation timedate.cpl Microsoft Corporation wscui.cpl Microsoft Corporation wuaucpl.cpl Microsoft Corporation HijackThis Logfile of HijackThis v1.99.1 Scan saved at 3:13:32 PM, on 8/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\system32\papaqj.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\ewido\security suite\ewidoctrl.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\Hijackthis\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ucctops.com/ucc/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - 
C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? 
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O15 - Trusted Zone: *.homeshowexpo.com O15 - Trusted Zone: *.ucctops.com O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.com/UCC/ARVIEWER.CAB O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.com/UCC/OUTLOADACTIVEX.CAB O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.com/UCC/UCCCENTEREMP.CAB O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.com/UCC/UCCMEMBERCOMMENT.CAB O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.com/UCC/UCCVENDORCOMMENT.CAB O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.com/UCC/UCCVENDOR_CENTER.CAB O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.com/UCC/UCCVENDORCONTACT.CAB O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - 
http://www.ucctops.com/UCC/UCCORDEREDITEMS.CAB O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.com/UCC/UCCVENDOREMP.CAB O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.com/UCC/UCCFEESCENTER.CAB O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.com/ucc/OrderPayment.CAB O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhomedirect.com/VSRLogOn.CAB O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops.com/cabs/UCCDate.CAB O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.ucctops.com/ucc/arview2.cab O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.com/UCC/UCCCENTERVENDOR.CAB O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.com/UCC/EMPLOYEECENTER.CAB O16 - DPF: {9AA16458-56A0-41E4-8DE9-693200AFBE2C} (Project1.VSRLogOnSecure) - http://sec1.totalhomedirect.com/VSR.CAB O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.com/UCC/UCCLVENDORFACILITY.CAB O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.com/UCC/UCCVENDORFACILITY.CAB O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.com/UCC/ROUTELOCATION.CAB O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.com/UCC/UCCVENDORPAYTO.CAB O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - 
http://www.ucctops.com/UCC/PRJUCCEFTMERCH.CAB O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.com/UCC/ORDERTOLOAD.CAB O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.com/ucc/UCCDateControl.CAB O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.com/ucc/UccSupplierList.CAB O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - https://www.ucctops.com/ucc/UCC_PODiscussionsXML.cab O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.com/UCC/EMPLOYEEVENDOR.CAB O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.com/UCC/UCCEFTMEMB.CAB O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.com/UCC/UCCMEMBERPAYMENT.CAB O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: McAfee SpamKiller Server 
(MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

Thank you much for the assistance to this point!
#4 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hi and Welcome to TSF
Before attacking an adware/spyware problem with HijackThis make sure you have already run the following tools. Download and update the databases on each program before running. Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive (C:\HJT).

STEP 1
================

Download DelDomains.inf
Right-click and select..... Save Target As
To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and save it as I will ask for it later.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

STEP 2
================

Download KillBox
http://www.bleepingcomputer.com/file...re/KillBox.zip

Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
After the updates are installed, exit Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into safe mode.

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmgsfxm {6b87a013-4a84-4fe9-a69e-d86e241e96c7} = C:\WINDOWS\system32\ededr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winsync C:\WINDOWS\system32\papaqj.exe reg_run

Close regedit

Run HijackThis and fix the following entries....
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run
O15 - Trusted Zone: *.homeshowexpo.com
O15 - Trusted Zone: *.ucctops.com
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Run Ewido:

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\system32\papaqj.exe
C:\Program Files\Cas\Client\casmf.dll
C:\WINDOWS\system32\ededr.dll
C:\WINDOWS\chocRiver.scr
C:\WINDOWS\flashax.exe
C:\drv9x.cab
C:\WINDOWS\MMS_OgreFactory.scr
C:\WINDOWS\SYSTEM32\kfkfadh.dll
C:\WINDOWS\SYSTEM32\l?gonui.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdrd.exe
C:\Documents and Settings\Aaron DeKuiper\Application Data\dm.ini

Once you reboot.....
C:\Program Files\Cas <-- delete that folder.

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with another set of the following....

So I need:
Panda scan log
Ewido Log
WPFind
Trackqoo
HijackThis
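The entries the helper picked out above follow a handful of repeatable rules: a BHO with "(no file)", an autorun from system32 with an unfamiliar name, Trusted Zone additions, an ActiveX download from a bare IP address, a text/html MIME filter, and a process name with a character HijackThis cannot print (l?gonui.exe). As an added example (not code from this thread or from HijackThis), here is a small Python triage script that parses HijackThis v1.99.1 lines of those kinds and applies the same rules; the sample lines are copied from the log posted above, while the allow list, the verdict names and the rule wording are this example's own assumptions.

```python
"""Triage for HijackThis v1.99.1 log lines (added example, not HijackThis code).

Verdicts: 'fix' (a helper would normally remove it), 'review' (a human must
confirm it against the machine's software), 'ok' (no rule objects).
"""
import re
from urllib.parse import urlparse

# Entries look like "O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run";
# lines under "Running processes:" are bare paths with no type prefix.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption of this example: the system32 autoruns in the log above that belong
# to the Intel graphics driver and the Sonic DLA driver are allow-listed; any
# other executable started from system32 is queued for human review.
SYSTEM32_ALLOW = {"igfxtray.exe", "hkcmd.exe", "tfswctrl.exe"}


def _o4_executable(body):
    """Pull the .exe path out of an O4 body, quoted or not."""
    m = re.search(r'\]\s*"?(?P<exe>[^"]+?\.exe)"?', body, re.IGNORECASE)
    return m.group("exe") if m else None


def triage_line(line):
    """Return (verdict, reason) for one HijackThis log line."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        # Bare process path.  Windows forbids '?' in file names, so HijackThis
        # printing one (l?gonui.exe above) means a character outside the ANSI
        # code page: a homoglyph of logonui.exe, not the real system binary.
        if line and ("?" in line or any(ord(c) > 127 for c in line)):
            return ("fix", "process name contains a non-ANSI/homoglyph character")
        return ("ok", "")
    kind, body = m.group("kind"), m.group("body")
    if any(ord(c) > 127 for c in body):
        return ("fix", "non-ASCII character in an entry path (homoglyph)")
    if kind in ("R0", "R1") and body.endswith("="):
        return ("review", "empty Internet Explorer setting")
    if kind == "O2" and body.endswith("(no file)"):
        return ("fix", "Browser Helper Object registered with no backing DLL")
    if kind == "O4":
        exe = _o4_executable(body)
        if exe:
            folder, _, name = exe.rpartition("\\")
            if folder.lower().endswith("\\system32") and name.lower() not in SYSTEM32_ALLOW:
                return ("review", "autorun from system32 with an unrecognised file name")
        return ("ok", "")
    if kind == "O15":
        return ("review", "domain added to the IE Trusted Zone (relaxed security settings)")
    if kind == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if IPV4_RE.match(host):
            return ("fix", "ActiveX control downloaded from a bare IP address")
        return ("ok", "")
    if kind == "O18" and body.lower().startswith("filter: text/html"):
        return ("fix", "MIME filter hooked into every HTML page IE renders")
    return ("ok", "")


def triage(log_text):
    """Return [(verdict, reason, line)] for every line that is not 'ok'."""
    findings = []
    for raw in log_text.splitlines():
        verdict, reason = triage_line(raw)
        if verdict != "ok":
            findings.append((verdict, reason, raw.strip()))
    return findings


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\l?gonui.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ucctops.com/ucc/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\papaqj.exe reg_run
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O15 - Trusted Zone: *.homeshowexpo.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.com/UCC/ARVIEWER.CAB
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
"""

if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {reason}\n       {line}")
```

A 'review' verdict is deliberately not 'fix': the script cannot know which system32 autoruns a given machine legitimately has, which is exactly the judgement the helper applied when singling out winsync/papaqj.exe.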
#5 (permalink)
I helped the forums.
Join Date: Aug 2005
Posts: 12
OS: XP
Here are the assorted logs. Also, just FYI, neither of the two items requested in the regedit section of the last post was found.
Panda Scan Log: Incident Status Location Spyware:spyware/bargainbuddy No disinfected Windows Registry Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Aaron DeKuiper\Desktop\l2mfix\Process.exe Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\dcdcxbm.exe Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\fdfdfss.dll Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\skskxl.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\wqwqg.dat Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\skskxl.exe.vir Possible Virus. No disinfected C:\WINDOWS\Temp\ASHeuristic\wqwqg.dat.vir Ewido Log: --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 6:55:24 PM, 8/18/2005 + Report-Checksum: DA7C13B5 + Scan result: C:\Documents and Settings\Aaron DeKuiper\Cookies\aaron dekuiper@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup C:\Program Files\WinFixer 2005\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP381\A0049528.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050563.dll -> Spyware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP395\A0050571.exe -> Spyware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP396\A0050610.dll -> Spyware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP396\A0050611.exe -> Spyware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP396\A0050612.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0052891.exe -> Spyware.PurityScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0052893.exe -> Spyware.Look2Me : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0052894.exe -> Spyware.PurityScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0052895.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0052897.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP410\A0054224.exe -> Spyware.PurityScan : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP421\A0055647.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP421\A0055648.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\A0055739.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP432\A0058491.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP432\A0058492.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP432\A0058493.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0058546.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0058547.dll -> 
TrojanDownloader.Qoologic.n : Cleaned with backup C:\WINDOWS\SYSTEM32\DRIVERS\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup C:\WINDOWS\SYSTEM32\lоgonui.exe -> Spyware.PurityScan : Cleaned with backup ::Report End WPFind Log: WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding. If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly. »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600 Internet Explorer Version: 6.0.2900.2180 »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»» Checking %SystemDrive% folder... Checking %ProgramFilesDir% folder... Checking %WinDir% folder... Checking %System% folder... PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC 69.59.186.63 8/18/2005 5:56:48 PM 46080 C:\WINDOWS\SYSTEM32\fdfdfss.dll 209.66.67.134 8/18/2005 5:56:48 PM 46080 C:\WINDOWS\SYSTEM32\fdfdfss.dll web-nex 8/18/2005 5:56:48 PM 46080 C:\WINDOWS\SYSTEM32\fdfdfss.dll winsync 8/18/2005 5:56:48 PM 46080 C:\WINDOWS\SYSTEM32\fdfdfss.dll PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU Checking %System%\Drivers folder and sub-folders... PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS Checking the Windows folder and sub-folders for system and hidden files within the last 60 days... 
S 8/20/2005 10:11:52 AM 2048 C:\WINDOWS\BOOTSTAT.DAT
H 7/1/2005 10:50:04 AM 0 C:\WINDOWS\INF\oem35.inf
S 7/8/2005 4:23:18 PM 12143 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 6/30/2005 9 34 AM 11437 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 7/19/2005 7:18:10 PM 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 6/30/2005 1:42:18 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 6/30/2005 2:21:10 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 6/30/2005 8:46:18 AM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 6/28/2005 7:12:56 PM 11845 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
S 7/2/2005 4:18:16 AM 9445 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
H 8/20/2005 10:13:38 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
H 8/20/2005 10:11:56 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
H 8/20/2005 10:12:42 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
H 8/20/2005 10:23:06 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
H 8/20/2005 10:13:56 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
H 8/14/2005 3:01:02 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
SH 7/18/2005 8:59:32 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c2fc18d-61b7-43d7-a316-992ae237af76
SH 7/18/2005 8:59:32 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/20/2005 10:11:54 AM 6 C:\WINDOWS\Tasks\SA.DAT
SH 7/14/2005 4:54:50 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
SH 7/14/2005 4:54:50 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
SH 7/28/2005 12:08:06 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C1E9YTC1\desktop.ini
SH 7/21/2005 12:02:08 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CPQ9AZ6P\desktop.ini
SH 8/11/2005 12 02 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E9GTO1ER\desktop.ini
SH 7/21/2005 12:02:10 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YH0V234B\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 5/8/2003 9:25:18 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
5/11/2001 2:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 1/24/2004 8:20:50 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 1/24/2004 8:33:14 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 12:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
1/25/2005 4:05:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/24/2004 8:30:42 AM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
1/19/2005 2:34:00 PM 1429 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
1/25/2005 4:03:56 PM 1693 C:\Documents and Settings\Aaron DeKuiper\Application Data\AdobeDLM.log
5/1/2005 4:02:48 PM 45672 C:\Documents and Settings\Aaron DeKuiper\Application Data\GDIPFONTCACHEV1.DAT
8/11/2004 2:45:28 PM 12358 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JCM.{PB
8/11/2004 2:45:28 PM 61678 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmgsfxm
{0e8be673-36d1-4c6b-9cca-7ad4d930bc99} = C:\WINDOWS\system32\ededr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
CXMon "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui = igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/20/2005 10:25:05 AM

TrackQoo Log:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- mgmgsfxm {0e8be673-36d1-4c6b-9cca-7ad4d930bc99} C:\WINDOWS\system32\ededr.dll
Subkey --- Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} C:\WINDOWS\System32\cscui.dll
Subkey --- Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinZip {E0D79304-84BE-11CE-9641-444553540000} C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin C:\WINDOWS\system32\SHELL32.dll
Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022} c:\progra~1\mcafee.com\vso\mcvsshl.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE} C:\WINDOWS\system32\SHELL32.dll
Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
DESKTOP.INI
Digital Line Detect.lnk
UPS WorldShip PLD Reminder Utility.lnk
==============================
C:\Documents and Settings\Aaron DeKuiper\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
DESKTOP.INI
Digital Line Detect.lnk
UPS WorldShip PLD Reminder Utility.lnk
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bdeadmin.cpl Borland Software Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:52:42 PM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ucctops.com/ucc/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.com/UCC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.com/UCC/OUTLOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.com/UCC/UCCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.com/UCC/UCCMEMBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.com/UCC/UCCVENDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.com/UCC/UCCVENDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.com/UCC/UCCVENDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.com/UCC/UCCORDEREDITEMS.CAB
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.com/UCC/UCCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.com/UCC/UCCFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.com/ucc/OrderPayment.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhomedirect.com/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops.com/cabs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.ucctops.com/ucc/arview2.cab
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.com/UCC/UCCCENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.com/UCC/EMPLOYEECENTER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9AA16458-56A0-41E4-8DE9-693200AFBE2C} (Project1.VSRLogOnSecure) - http://sec1.totalhomedirect.com/VSR.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.com/UCC/UCCLVENDORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.com/UCC/UCCVENDORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.com/UCC/ROUTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.com/UCC/UCCVENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.com/UCC/PRJUCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.com/UCC/ORDERTOLOAD.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.com/ucc/UCCDateControl.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.com/ucc/UccSupplierList.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - https://www.ucctops.com/ucc/UCC_PODiscussionsXML.cab
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.com/UCC/EMPLOYEEVENDOR.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.com/UCC/UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.com/UCC/UCCMEMBERPAYMENT.CAB
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

L2mFix Log:
L2Mfix 1.03c

Running From:
C:\Documents and Settings\Aaron DeKuiper\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Aaron DeKuiper\Desktop\l2mfix

System Rebooted!

Running From:
C:\Documents and Settings\Aaron DeKuiper\Desktop\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1284 'explorer.exe'
Killing PID 1284 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!
Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 68%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 73%)
adding: readme.txt (164 bytes security) (deflated 51%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (deflated 48%)
adding: test3.txt (164 bytes security) (deflated 48%)
adding: test5.txt (164 bytes security) (deflated 48%)
adding: backregs/11294A51-2B73-4D47-B7B0-97D1890D6494.reg (164 bytes security) (deflated 70%)
adding: backregs/125C8F0F-B81A-469F-86C7-0AC58D7127EC.reg (164 bytes security) (deflated 69%)
adding: backregs/1636CDDC-86FA-4527-8224-822E80E2631A.reg (164 bytes security) (deflated 69%)
adding: backregs/1AD4CD0D-A861-41E0-9D28-B0DE14CFDBA3.reg (164 bytes security) (deflated 69%)
adding: backregs/1D6ABB61-DB12-4F97-B584-CF703A18191B.reg (164 bytes security) (deflated 69%)
adding: backregs/38CC3047-BBDF-45F3-AE0E-2D5CE080AFC5.reg (164 bytes security) (deflated 69%)
adding: backregs/51BDCCF1-26A3-4282-A5AF-4AEB19C73730.reg (164 bytes security) (deflated 69%)
adding: backregs/813D666C-255C-4E4A-BB9E-00F12DCA9653.reg (164 bytes security) (deflated 69%)
adding: backregs/881332B6-C12A-4086-B11E-BE06EBB32FCD.reg (164 bytes security) (deflated 69%)
adding: backregs/97625C83-3F28-41EA-9853-04FA43F298EF.reg (164 bytes security) (deflated 69%)
adding: backregs/A321BC8B-2C15-4215-8F83-F43C4A05C673.reg (164 bytes security) (deflated 69%)
adding: backregs/B0B56CDB-428C-4418-B858-62009264E0B1.reg (164 bytes security) (deflated 69%)
adding: backregs/B3B4FC34-2887-4421-8C43-A9E1EB47EA60.reg (164 bytes security) (deflated 69%)
adding: backregs/B8348D37-002C-4FC8-AFCD-32BD97B08166.reg (164 bytes security) (deflated 69%)
adding: backregs/CC24AE25-60D9-4560-AAF1-6E51789BF655.reg (164 bytes security) (deflated 69%)
adding: backregs/E29680E3-3C16-4A83-9491-598A6309E2F7.reg (164 bytes security) (deflated 69%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{1636CDDC-86FA-4527-8224-822E80E2631A}"=-
"{881332B6-C12A-4086-B11E-BE06EBB32FCD}"=-
"{B0B56CDB-428C-4418-B858-62009264E0B1}"=-
"{38CC3047-BBDF-45F3-AE0E-2D5CE080AFC5}"=-
"{51BDCCF1-26A3-4282-A5AF-4AEB19C73730}"=-
"{97625C83-3F28-41EA-9853-04FA43F298EF}"=-
"{11294A51-2B73-4D47-B7B0-97D1890D6494}"=-
"{813D666C-255C-4E4A-BB9E-00F12DCA9653}"=-
"{B8348D37-002C-4FC8-AFCD-32BD97B08166}"=-
"{A321BC8B-2C15-4215-8F83-F43C4A05C673}"=-
"{B3B4FC34-2887-4421-8C43-A9E1EB47EA60}"=-
"{E29680E3-3C16-4A83-9491-598A6309E2F7}"=-
"{125C8F0F-B81A-469F-86C7-0AC58D7127EC}"=-
"{1D6ABB61-DB12-4F97-B584-CF703A18191B}"=-
"{CC24AE25-60D9-4560-AAF1-6E51789BF655}"=-
"{1AD4CD0D-A861-41E0-9D28-B0DE14CFDBA3}"=-

[-HKEY_CLASSES_ROOT\CLSID\{1636CDDC-86FA-4527-8224-822E80E2631A}]
[-HKEY_CLASSES_ROOT\CLSID\{881332B6-C12A-4086-B11E-BE06EBB32FCD}]
[-HKEY_CLASSES_ROOT\CLSID\{B0B56CDB-428C-4418-B858-62009264E0B1}]
[-HKEY_CLASSES_ROOT\CLSID\{38CC3047-BBDF-45F3-AE0E-2D5CE080AFC5}]
[-HKEY_CLASSES_ROOT\CLSID\{51BDCCF1-26A3-4282-A5AF-4AEB19C73730}]
[-HKEY_CLASSES_ROOT\CLSID\{97625C83-3F28-41EA-9853-04FA43F298EF}]
[-HKEY_CLASSES_ROOT\CLSID\{11294A51-2B73-4D47-B7B0-97D1890D6494}]
[-HKEY_CLASSES_ROOT\CLSID\{813D666C-255C-4E4A-BB9E-00F12DCA9653}]
[-HKEY_CLASSES_ROOT\CLSID\{B8348D37-002C-4FC8-AFCD-32BD97B08166}]
[-HKEY_CLASSES_ROOT\CLSID\{A321BC8B-2C15-4215-8F83-F43C4A05C673}]
[-HKEY_CLASSES_ROOT\CLSID\{B3B4FC34-2887-4421-8C43-A9E1EB47EA60}]
[-HKEY_CLASSES_ROOT\CLSID\{E29680E3-3C16-4A83-9491-598A6309E2F7}]
[-HKEY_CLASSES_ROOT\CLSID\{125C8F0F-B81A-469F-86C7-0AC58D7127EC}]
[-HKEY_CLASSES_ROOT\CLSID\{1D6ABB61-DB12-4F97-B584-CF703A18191B}] [-HKEY_CLASSES_ROOT\CLSID\{CC24AE25-60D9-4560-AAF1-6E51789BF655}] [-HKEY_CLASSES_ROOT\CLSID\{1AD4CD0D-A861-41E0-9D28-B0DE14CFDBA3}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** That sure is a lot of logs... Thanks again for the continued assistance! --Aaron |
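The Winlogon\Notify export in the log above is easier to review once its hex(2) values are decoded: regedit writes REG_EXPAND_SZ data as comma-separated UTF-16LE bytes wrapped with a trailing backslash, which is why "crypt32.dll" shows up as 63,00,72,00,... . The script below is an added example, not part of the thread or of the fix tool that produced the export. It parses the REGEDIT 5.00 text format, decodes each subkey's DllName, and flags any DLL that is not on an allow-list. The allow-list is just the set of DLLs the export on this page resolves to, and the "xyzzy" subkey with "notibad.dll" in the sample is a constructed placeholder, not something from the logs.

```python
"""Decode a Winlogon\\Notify registry export and flag DLLs outside a baseline."""
import re

# Constructed sample in the REGEDIT 5.00 text format of the export above.
# The first two subkeys are copied from the log; the "xyzzy" subkey and
# "notibad.dll" are made-up placeholders standing in for an unknown entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzzy]
@=""
"DLLName"="C:\\WINDOWS\\system32\\notibad.dll"
"Logon"="WinlogonLogonEvent"
'''

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed allow-list for this example (not a Microsoft reference list):
# the DLL names the Notify export on the page resolves to.
BASELINE_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'igfxsrvc.dll',
                 'wlnotify.dll', 'sclgntfy.dll', 'wzcdlg.dll'}

KEY_RE = re.compile(r'^\[(.+)\]$')
# Either the default value "@" or a quoted name, then "=" and the data.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo regedit's backslash escaping inside quoted strings."""
    return re.sub(r'\\(.)', r'\1', s)


def _join_continuations(text):
    """Rejoin hex values that regedit wraps with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line)
    return lines


def decode_value(data):
    """Return (type, value) for the data part of one 'name=data' line."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return 'REG_SZ', _unescape(data[1:-1])
    if data.startswith('dword:'):
        return 'REG_DWORD', int(data[6:], 16)
    if data.startswith('hex(2):'):
        # REG_EXPAND_SZ: UTF-16LE bytes with a terminating NUL.
        raw = bytes(int(b, 16) for b in data[7:].split(',') if b)
        return 'REG_EXPAND_SZ', raw.decode('utf-16-le').rstrip('\x00')
    return 'RAW', data


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, decoded_value)}}."""
    keys = {}
    current = None
    for line in _join_continuations(text):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = decode_value(m.group(2))
    return keys


def notify_dlls(keys):
    """Map each Notify subkey to its DllName (key and value names are case-insensitive)."""
    out = {}
    prefix = NOTIFY_KEY.lower() + '\\'
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        for name, (_, val) in values.items():
            if name.lower() == 'dllname':
                out[sub] = val
    return out


def flag_unexpected(keys, baseline=BASELINE_DLLS):
    """Return Notify subkeys whose DLL basename is not on the baseline."""
    allowed = {b.lower() for b in baseline}
    flagged = {}
    for sub, dll in notify_dlls(keys).items():
        base = dll.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if base not in allowed:
            flagged[sub] = dll
    return flagged


if __name__ == '__main__':
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for sub, dll in sorted(notify_dlls(parsed).items()):
        print(f'{sub:14} -> {dll}')
    for sub, dll in flag_unexpected(parsed).items():
        print(f'NOT ON BASELINE: {sub} -> {dll}')
```

Feed it the full export from the log instead of the sample and every subkey should resolve to one of the baseline DLLs; anything else is worth a second look, since these DLLs load into winlogon at logon. Comparing the basename only is deliberate: the log writes bare names, but a real export can carry a full path.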
#6
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Excellent. More to do though so here's the next pass...
Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake.

Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgmgsfxm <--delete that folder.

*Note* the entry IS there as it's located in both logs so we are going to try and take it out before entering safe mode.

Close regedit.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Now reboot into safe mode.

Open Regedit and double check that entry. Delete it again if found.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\SYSTEM32\dcdcxbm.exe
C:\WINDOWS\SYSTEM32\fdfdfss.dll
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\SYSTEM32\skskxl.exe
C:\WINDOWS\SYSTEM32\wqwqg.dat
C:\WINDOWS\Temp\ASHeuristic\skskxl.exe.vir
C:\WINDOWS\Temp\ASHeuristic\wqwqg.dat.vir
C:\WINDOWS\system32\ededr.dll
C:\WINDOWS\SYSTEM32\DRIVERS\df_kmd.sys

Now....once back to normal windows..I need you to run KILLBOX again and do a second pass on those files. We need to KILL them TWICE.

Once done......run the Cleanup utility again.

Then give me another set of these logs...
Panda scan log
Ewido Log
WPFind
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
#7
I helped the forums.
Join Date: Aug 2005
Posts: 12
OS: XP
I did find the folder in regedit this time through. Here are the requested logs:
Panda Scan:

Incident                      Status          Location
Spyware:spyware/bargainbuddy  No disinfected  Windows Registry

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:19:30 PM, 8/22/2005
+ Report-Checksum: 336B73EC

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0058553.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0058555.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059551.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059553.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059562.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059564.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059573.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059575.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059587.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059591.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059598.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059599.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059600.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433\A0059605.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP437\A0059816.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP437\A0059824.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

::Report End

WPFind Log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/22/2005 2:11:14 PM 2048 C:\WINDOWS\BOOTSTAT.DAT
H 7/1/2005 10:50:04 AM 0 C:\WINDOWS\INF\oem35.inf
S 7/8/2005 4:23:18 PM 12143 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
S 6/30/2005 9 34 AM 11437 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
S 7/19/2005 7:18:10 PM 18913 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
S 6/30/2005 1:42:18 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
S 6/30/2005 2:21:10 PM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
S 6/30/2005 8:46:18 AM 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
S 6/28/2005 7:12:56 PM 11845 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
S 7/2/2005 4:18:16 AM 9445 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
H 8/22/2005 2:12:02 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
H 8/22/2005 2:11:18 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
H 8/22/2005 2:12:02 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
H 8/22/2005 2:52:08 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
H 8/22/2005 2:48:44 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
H 8/14/2005 3:01:02 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
SH 7/18/2005 8:59:32 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\6c2fc18d-61b7-43d7-a316-992ae237af76
SH 7/18/2005 8:59:32 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/22/2005 2:11:16 PM 6 C:\WINDOWS\Tasks\SA.DAT
SH 7/14/2005 4:54:50 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
SH 7/14/2005 4:54:50 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
SH 7/28/2005 12:08:06 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C1E9YTC1\desktop.ini
SH 7/21/2005 12:02:08 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CPQ9AZ6P\desktop.ini
SH 8/11/2005 12 02 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\E9GTO1ER\desktop.ini
SH 7/21/2005 12:02:10 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YH0V234B\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 5/8/2003 9:25:18 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
5/11/2001 2:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 1/24/2004 8:20:50 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 1/24/2004 8:33:14 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 12:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/25/2005 4:05:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/24/2004 8:30:42 AM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
1/19/2005 2:34:00 PM 1429 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
1/25/2005 4:03:56 PM 1693 C:\Documents and Settings\Aaron DeKuiper\Application Data\AdobeDLM.log
5/1/2005 4:02:48 PM 45672 C:\Documents and Settings\Aaron DeKuiper\Application Data\GDIPFONTCACHEV1.DAT
8/11/2004 2:45:28 PM 12358 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JCM.{PB
8/11/2004 2:45:28 PM 61678 C:\Documents and Settings\Aaron DeKuiper\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
CXMon "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui = igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/22/2005 2:52:42 PM

Thanks again!
--Aaron
#8
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Sorry..lost track of your thread.
Well done. Your logs are clean. Any more issues? If not you should be good to go.

We still have a few more items to address so please follow the instructions below.

Reset hidden/system files and folders

Windows XP
===============

Windows 2000
===============

Windows ME
===============

Windows 95/98/98SE
===============

Create a new System Restore point

Windows XP
===============

Windows ME
===============

Reboot the PC and repeat the above procedure again
When you get to this option
For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

Enable Windows Auto Update

Please visit Microsoft's Windows Update Page and install the latest service packs, patches and security updates for your system.

Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

If you do not have a firewall, here are 4 free ones available for personal use:

In today's world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles

Please stay safe out there and take the helpful advice that's been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.