Old 08-20-2005, 12:52 PM   #1 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


New log for you.

I think I have some crap by Aurora. I emailed them and complained and they gave me an uninstaller, but that didn't clean everything. I've run Ad-Aware, Spybot, HouseCall, and HijackThis. I deleted what I could in HijackThis, but here is my new log. Thanks, you guys rock.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:31:31 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\rgr20.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
untruehero is offline  
Old 08-20-2005, 03:26 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Please do the following:

Download L2MFix
Double click L2mfix.exe & answer Yes when prompted. Then click the Install button to extract the files to a newly created folder named - L2mfix

Close all open programs
Double click L2mfix.bat
Select option #2 - Run Fix - by typing 2
Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Copy the contents of that log and paste it here, along with a new HJT log.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

Please Do NOT run any other files in the l2mfix folder until you are told to.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-20-2005, 04:27 PM   #3 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


Thanks sUBs.

L2Mfix 1.03d

Running From:
C:\Documents and Settings\scott\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\scott\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\scott\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1464 'explorer.exe'
Killing PID 1464 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 212 'rundll32.exe'
Killing PID 432 'rundll32.exe'
Killing PID 476 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\decpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\decpcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\isxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\isxrtmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgr20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgr20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rir20.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rir20.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\decpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\decpcsvc.dll
deleting: C:\WINDOWS\system32\decpcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\decpcsvc.dll
deleting: C:\WINDOWS\system32\isxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\isxrtmgr.dll
deleting: C:\WINDOWS\system32\isxrtmgr.dll
Successfully Deleted: C:\WINDOWS\system32\isxrtmgr.dll
deleting: C:\WINDOWS\system32\rgr20.dll
Successfully Deleted: C:\WINDOWS\system32\rgr20.dll
deleting: C:\WINDOWS\system32\rgr20.dll
Successfully Deleted: C:\WINDOWS\system32\rgr20.dll
deleting: C:\WINDOWS\system32\rir20.dll
Successfully Deleted: C:\WINDOWS\system32\rir20.dll
deleting: C:\WINDOWS\system32\rir20.dll
Successfully Deleted: C:\WINDOWS\system32\rir20.dll


Zipping up files for submission:
adding: decpcsvc.dll (164 bytes security) (deflated 48%)
adding: isxrtmgr.dll (164 bytes security) (deflated 48%)
adding: rgr20.dll (164 bytes security) (deflated 48%)
adding: rir20.dll (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 80%)
adding: readme.txt (164 bytes security) (deflated 51%)
adding: test.txt (164 bytes security) (deflated 80%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 77%)
adding: backregs/0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA.reg (164 bytes security) (deflated 70%)
adding: backregs/6E720096-4D23-4BB3-B34B-08B36F96D15D.reg (164 bytes security) (deflated 70%)
adding: backregs/A7C85046-450F-4D00-9152-42189EE0133C.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: decpcsvc.dll
deleting local copy: decpcsvc.dll
deleting local copy: isxrtmgr.dll
deleting local copy: isxrtmgr.dll
deleting local copy: rgr20.dll
deleting local copy: rgr20.dll
deleting local copy: rir20.dll
deleting local copy: rir20.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\decpcsvc.dll
C:\WINDOWS\system32\decpcsvc.dll
C:\WINDOWS\system32\isxrtmgr.dll
C:\WINDOWS\system32\isxrtmgr.dll
C:\WINDOWS\system32\rgr20.dll
C:\WINDOWS\system32\rgr20.dll
C:\WINDOWS\system32\rir20.dll
C:\WINDOWS\system32\rir20.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6E720096-4D23-4BB3-B34B-08B36F96D15D}"=-
"{0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA}"=-
"{A7C85046-450F-4D00-9152-42189EE0133C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6E720096-4D23-4BB3-B34B-08B36F96D15D}]
[-HKEY_CLASSES_ROOT\CLSID\{0D08722D-EA5E-4B56-B5DF-556D1D6FE8FA}]
[-HKEY_CLASSES_ROOT\CLSID\{A7C85046-450F-4D00-9152-42189EE0133C}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:21:53 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: riku.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
untruehero is offline  
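As an added example (not code from the thread, from L2MFix or from HijackThis), the following Python parses a Winlogon\Notify registry export of the kind L2MFix prints above, decodes the hex(2) UTF-16LE DllName values, and flags any notification package that is not in a baseline of known XP packages or whose DLL differs from the baseline. The baseline and the sample export are constructed from the entries posted in this thread; the "App Management" subkey in the sample mirrors the O20 line in the first HJT log and is an assumption about how that entry was stored.

```python
"""Parse a Winlogon\\Notify export (regedit 5.00 format) and flag notification
packages that fall outside a known-good baseline. Added example; not part of
the thread, of L2MFix or of HijackThis."""
import re

# Constructed baseline: the Windows XP SP1 notification packages that appear in
# the export posted in the thread (subkey name, lower-case -> expected DLL).
KNOWN_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample export: two legitimate packages copied from the thread plus an
# assumed subkey modelled on "O20 - Winlogon Notify: App Management - ...\rgr20.dll".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"DllName"="C:\\WINDOWS\\system32\\rgr20.dll"
"Asynchronous"=dword:00000000
'''


def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; glue them back."""
    return re.sub(r",\\\r?\n\s*", ",", text)


def _decode_value(raw):
    """Decode one regedit value: "string", dword:xxxxxxxx, or hex(n):xx,xx,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):  # REG_SZ / EXPAND_SZ / MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded_value}} for every Winlogon\\Notify subkey."""
    packages, current = {}, None
    prefix = (NOTIFY_KEY + "\\").lower()
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        key = re.match(r"\[-?(.+)\]$", line)
        if key:
            path = key.group(1)
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            if current is not None:
                packages[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        packages[current][name.strip('"')] = _decode_value(raw)
    return packages


def flag_suspicious(packages, baseline=KNOWN_NOTIFY):
    """Return (subkey, dll, reason) for unknown packages or baseline DLL mismatches."""
    findings = []
    for subkey, values in packages.items():
        # The value name is "DllName" in some keys and "DLLName" in others.
        dll = next((str(v) for k, v in values.items() if k.lower() == "dllname"), "")
        dll_base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = baseline.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "subkey not in baseline"))
        elif dll_base != expected:
            findings.append((subkey, dll, "DllName differs from baseline " + expected))
    return findings


if __name__ == "__main__":
    for subkey, dll, why in flag_suspicious(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey}: {dll} ({why})")
```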
Old 08-20-2005, 11:18 PM   #4 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Hi and Welcome to TSF

Next pass............

Please DISABLE spybot's teatimer and LEAVE IT OFF until the fix is complete!


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive (C:\HJT).

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Download DelDomains.inf
Right-click and select..... Save Target As

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ssgxld.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - Global Startup: riku.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} -


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them, do a search for them; make sure you have searching hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\WINDOWS\System32\ssgxld.exe
C:\WINDOWS\seeve.exe
riku.exe
AUNPS2.DLL
<--locate and delete these 2

Run CWShredder again and click FIX.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted

Once back to normal mode.....

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished, save the ActiveScan log. Then post that log in your next post along with the Ewido log and the logs from the following tools...

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more. Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this Entire Script to Run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Ewido log
Panda scan log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

Last edited by MicroBell; 08-20-2005 at 11:19 PM.
MicroBell is offline  
Old 08-24-2005, 06:21 PM   #5 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


Thanks MicroBell. Here is all you asked for but Panda. I can't give you a Panda log; I scanned twice and once it was done the window closed. Here are the other logs. Also, I am having problems accessing some sites; it is telling me that they timed out, but I know they work because I use them at work. One is my ISP site for email and they haven't banned my IP, so I don't know if any of this is related.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"NvMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll

Subkey --- AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6}
C:\PROGRA~1\AlphaZIP\AlphaZip.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mxnsfkns
{8f9e96ed-ec9f-47ad-b882-3bbd48cbe818}
C:\WINDOWS\System32\eanrj.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
C:\Program Files\WinAce\arcext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
==============================
C:\Documents and Settings\scott\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MBLLNK.CPL AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_04.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation



WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/26/2004 11:51:48 PM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cnmirri.exe
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cygjtam.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\cygz.dll
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.bak
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
web-nex 8/18/2005 11:11:12 PM 3965 C:\WINDOWS\mzorj.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 4/28/2005 5:41:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
UPX! 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 8/21/2005 9:38:58 PM 3557 C:\WINDOWS\SYSTEM32\37h52g2c.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\7obevefj.ini
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\9uniq4jm.ini
UPX! 4/27/2005 10:34:26 PM 32256 C:\WINDOWS\SYSTEM32\aaodogso.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\SYSTEM32\cygz.dll
PEC2 8/23/2001 11:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
209.66.67.134 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
web-nex 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
winsync 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
69.59.186.63 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
209.66.67.134 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
web-nex 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
winsync 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\gtrtk8e9.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\lj7k29es.ini
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\SYSTEM32\mqhmaaaa.exe
UPX! 5/23/2002 9:40:44 PM 110080 C:\WINDOWS\SYSTEM32\nlame.dll
UPX! 2/21/2004 3:16:38 AM 654336 C:\WINDOWS\SYSTEM32\pqdvdf.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 6/1/2005 7:56:08 PM 3458 C:\WINDOWS\SYSTEM32\rb10dolf.ini
UPX! 11/11/2003 10:36:10 AM 412672 C:\WINDOWS\SYSTEM32\vbskpro2.ocx
winsync 8/23/2001 11:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/24/2005 7:50:58 PM 2048 C:\WINDOWS\bootstat.dat
H 8/20/2005 6:26:20 PM 54156 C:\WINDOWS\QTFont.qfn
H 8/18/2005 9:31:40 PM 0 C:\WINDOWS\LastGood\INF\oem26.inf
H 8/18/2005 9:31:42 PM 0 C:\WINDOWS\LastGood\INF\oem26.PNF
H 8/24/2005 7:50:06 PM 890 C:\WINDOWS\system32\vsconfig.xml
H 8/24/2005 7:50:54 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/24/2005 7:51:06 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/24/2005 7:50:58 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/24/2005 7:52:02 PM 86016 C:\WINDOWS\system32\config\software.LOG
H 8/24/2005 7:50:58 PM 1159168 C:\WINDOWS\system32\config\system.LOG
SH 8/19/2005 11:51:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e0bb3dce-73a5-42d7-bd73-7877e708d74b
SH 8/19/2005 11:51:18 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/24/2005 7:49:44 PM 190 C:\WINDOWS\Tasks\RUTASK.job
H 8/24/2005 7:49:40 PM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/10/2004 8:09:52 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 2/21/2003 5:58:26 AM 69632 C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 4/1/2005 4:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
NVIDIA Corporation 7/30/2002 11:50:00 AM 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/24/2005 4:50:00 PM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
8/24/2004 7:08:50 PM 1924 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/18/2004 8:48:42 PM 1652 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
9/16/2004 632 PM 1633 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk
2/21/2005 1:02:10 PM 597 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TEW-424UB Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
4/5/2005 7:59:36 PM 1568 C:\Documents and Settings\scott\Application Data\mpauth.dat
1/12/2005 8:29:12 PM 91 C:\Documents and Settings\scott\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
MyIE2 = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnsfkns
{8f9e96ed-ec9f-47ad-b882-3bbd48cbe818} = C:\WINDOWS\System32\eanrj.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
ABIT uGuru C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
NvMixerTray "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
Profiler C:\Program Files\Saitek\Software\Profiler.exe
SaiSmart C:\Program Files\Saitek\Software\SaiSmart.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Motive SmartBridge C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
Media Gateway C:\Program Files\Media Gateway\MediaGateway.exe
A Verizon App C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/24/2005 8:00:54 PM




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:50:08 PM, 8/21/2005
+ Report-Checksum: FC07C19

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
:mozilla.7:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.46:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.47:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.50:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.51:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.53:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
:mozilla.65:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.66:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.72:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.73:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.74:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.76:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.81:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.82:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.83:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.86:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.87:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.101:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.105:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/decpcsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/isxrtmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rgr20.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rir20.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\MediaGateway[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\SSK3_B5[1].exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\stubinstaller5975[1].exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\thin-143-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\Bridge-c139[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\optimize[1].exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\installer_SIAC[1].exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\website[1].ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\pcs_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\recinst[1].exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\SYSsfitb[1].cab/d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\bundle_mediamotor1004[1].exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\joysaver[1].cab/m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\mm15201518.Stub[1].exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\seeve[1].exe -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\trk_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\shop1005[1].exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\thin-114-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\gtrtk8e9.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\9uniq4jm.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\wkagp.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Error during cleaning
C:\WINDOWS\Temp\ICD1.tmp\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Temp\ICD2.tmp\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup


::Report End
untruehero is offline  
Old 08-24-2005, 07:15 PM   #6 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


Thanks MicroBell. Here is all you asked for but Panda. I can't give you a Panda log: I scanned twice, and once it was done the window closed. Here are the other logs. Also, I am having problems accessing some sites; it is telling me that they timed out, but I know they work because I use them at work. One is my ISP site for email, and they haven't banned my IP, so I don't know if any of this is related.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"NvMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll

Subkey --- AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6}
C:\PROGRA~1\AlphaZIP\AlphaZip.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mxnsfkns
{8f9e96ed-ec9f-47ad-b882-3bbd48cbe818}
C:\WINDOWS\System32\eanrj.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
C:\Program Files\WinAce\arcext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
==============================
C:\Documents and Settings\scott\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MBLLNK.CPL AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_04.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation



WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/26/2004 11:51:48 PM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cnmirri.exe
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\cygjtam.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\cygz.dll
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.bak
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
web-nex 8/18/2005 11:11:12 PM 3965 C:\WINDOWS\mzorj.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 4/28/2005 5:41:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
UPX! 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 8/21/2005 9:38:58 PM 3557 C:\WINDOWS\SYSTEM32\37h52g2c.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\7obevefj.ini
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\9uniq4jm.ini
UPX! 4/27/2005 10:34:26 PM 32256 C:\WINDOWS\SYSTEM32\aaodogso.exe
UPX! 6/1/2005 7:13:28 PM 35328 C:\WINDOWS\SYSTEM32\cygz.dll
PEC2 8/23/2001 11:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
209.66.67.134 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
web-nex 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
winsync 8/21/2005 12:37:04 PM 10240 C:\WINDOWS\SYSTEM32\eanrj.dll
69.59.186.63 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
209.66.67.134 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
web-nex 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
winsync 8/21/2005 9:49:16 PM 46080 C:\WINDOWS\SYSTEM32\fsjfsdj.dll
SAHAgent 8/21/2005 1:28:20 PM 35 C:\WINDOWS\SYSTEM32\gtrtk8e9.ini
SAHAgent 6/1/2005 7:55:28 PM 35 C:\WINDOWS\SYSTEM32\lj7k29es.ini
UPX! 4/27/2005 10:34:16 PM 34304 C:\WINDOWS\SYSTEM32\mqhmaaaa.exe
UPX! 5/23/2002 9:40:44 PM 110080 C:\WINDOWS\SYSTEM32\nlame.dll
UPX! 2/21/2004 3:16:38 AM 654336 C:\WINDOWS\SYSTEM32\pqdvdf.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 6/1/2005 7:56:08 PM 3458 C:\WINDOWS\SYSTEM32\rb10dolf.ini
UPX! 11/11/2003 10:36:10 AM 412672 C:\WINDOWS\SYSTEM32\vbskpro2.ocx
winsync 8/23/2001 11:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/24/2005 7:50:58 PM 2048 C:\WINDOWS\bootstat.dat
H 8/20/2005 6:26:20 PM 54156 C:\WINDOWS\QTFont.qfn
H 8/18/2005 9:31:40 PM 0 C:\WINDOWS\LastGood\INF\oem26.inf
H 8/18/2005 9:31:42 PM 0 C:\WINDOWS\LastGood\INF\oem26.PNF
H 8/24/2005 7:50:06 PM 890 C:\WINDOWS\system32\vsconfig.xml
H 8/24/2005 7:50:54 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 8/24/2005 7:51:06 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/24/2005 7:50:58 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/24/2005 7:52:02 PM 86016 C:\WINDOWS\system32\config\software.LOG
H 8/24/2005 7:50:58 PM 1159168 C:\WINDOWS\system32\config\system.LOG
SH 8/19/2005 11:51:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e0bb3dce-73a5-42d7-bd73-7877e708d74b
SH 8/19/2005 11:51:18 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH 8/24/2005 7:49:44 PM 190 C:\WINDOWS\Tasks\RUTASK.job
H 8/24/2005 7:49:40 PM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/10/2004 8:09:52 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 2/21/2003 5:58:26 AM 69632 C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 4/1/2005 4:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
NVIDIA Corporation 7/30/2002 11:50:00 AM 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/24/2005 4:50:00 PM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
8/24/2004 7:08:50 PM 1924 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/18/2004 8:48:42 PM 1652 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
9/16/2004 632 PM 1633 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk
2/21/2005 1:02:10 PM 597 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TEW-424UB Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
4/5/2005 7:59:36 PM 1568 C:\Documents and Settings\scott\Application Data\mpauth.dat
1/12/2005 8:29:12 PM 91 C:\Documents and Settings\scott\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
MyIE2 = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxnsfkns
{8f9e96ed-ec9f-47ad-b882-3bbd48cbe818} = C:\WINDOWS\System32\eanrj.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
ABIT uGuru C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
NvMixerTray "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
Profiler C:\Program Files\Saitek\Software\Profiler.exe
SaiSmart C:\Program Files\Saitek\Software\SaiSmart.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Motive SmartBridge C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
Media Gateway C:\Program Files\Media Gateway\MediaGateway.exe
A Verizon App C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/24/2005 8:00:54 PM




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:50:08 PM, 8/21/2005
+ Report-Checksum: FC07C19

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
:mozilla.7:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.30:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.46:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.47:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.50:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.51:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.53:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Linkbuddies : Cleaned with backup
:mozilla.65:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.66:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.72:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.73:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.74:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.76:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.81:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.82:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.83:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.86:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.87:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.101:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.105:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\scott\Cookies\scott@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/decpcsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/isxrtmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rgr20.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Desktop\l2mfix\backup.zip/rir20.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\MediaGateway[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\SSK3_B5[1].exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\stubinstaller5975[1].exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\4HEBOD2V\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\8RATCDWF\thin-143-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\Bridge-c139[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\9SK3D5OP\optimize[1].exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\installer_SIAC[1].exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\BJLJB9CW\website[1].ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\pcs_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\recinst[1].exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\FV5FGNFP\SYSsfitb[1].cab/d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\GZ0J234N\bundle_mediamotor1004[1].exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\joysaver[1].cab/m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\mm15201518.Stub[1].exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\seeve[1].exe -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\O7QRSTUV\trk_0026[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\shop1005[1].exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\thin-114-1-x-x[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\gtrtk8e9.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\9uniq4jm.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\wkagp.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Error during cleaning
C:\WINDOWS\Temp\ICD1.tmp\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\Temp\ICD2.tmp\d_loader.exe -> TrojanDownloader.IstBar : Cleaned with backup


::Report End
Old 08-24-2005, 11:30 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,348
OS: N/A


Download KillBox v2.0.0.175 & save it to Desktop

I have attached a file to this post - regdel.txt
Download it & rename it "regdel.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as regdel.reg.txt (double extensions)
Double-click on it & answer YES when prompted to merge into the Registry


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Media Gateway

Delete this directory/folder - C:\Program Files\Media Gateway


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Launch KillBox.exe & select the following options:
  • Replace on Reboot
  • Use Dummy
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\cnmirri.exe
    C:\WINDOWS\cygjtam.exe
    C:\WINDOWS\cygz.dll
    C:\WINDOWS\mzorj.dll
    C:\WINDOWS\SYSTEM32\37h52g2c.ini
    C:\WINDOWS\SYSTEM32\7obevefj.ini
    C:\WINDOWS\SYSTEM32\9uniq4jm.ini
    C:\WINDOWS\SYSTEM32\aaodogso.exe
    C:\WINDOWS\SYSTEM32\cygz.dll
    C:\WINDOWS\SYSTEM32\eanrj.dll
    C:\WINDOWS\SYSTEM32\fsjfsdj.dll
    C:\WINDOWS\SYSTEM32\gtrtk8e9.ini
    C:\WINDOWS\SYSTEM32\lj7k29es.ini
    C:\WINDOWS\SYSTEM32\mqhmaaaa.exe
    C:\WINDOWS\SYSTEM32\nlame.dll
    C:\WINDOWS\SYSTEM32\pqdvdf.exe
    C:\WINDOWS\SYSTEM32\rb10dolf.ini
    C:\WINDOWS\SYSTEM32\vbskpro2.ocx
    C:\WINDOWS\Tasks\RUTASK.job
    C:\Documents and Settings\scott\Application Data\Sskdmns.dll
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:
If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


After you have rebooted, run CleanUp!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, perform an online scan with Internet Explorer with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log

* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Question - what have you done for the community today?
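The "Delete on Reboot" and "Replace on Reboot" options above do not touch the files immediately; they queue the operations for the next boot, which is what allows a file locked by a running process to be removed. Windows keeps that queue in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the value named in the quoted warning), and Session Manager works through it early in boot, before Explorer or any Run-key entry starts. The script below is an added example, not part of this thread and not KillBox's own code: it parses that value's source/destination pairs and reports which of an expected list of deletions are not queued, so the queue can be checked before rebooting. The sample value content is constructed from the paths listed above; that a dummy-replace is expressed with the "!" replace form is an assumption made for the sample, not a statement about KillBox internals.

```python
"""Check the reboot-time deletion queue (added example, not code from the thread or KillBox)."""
import sys
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"   # paths are stored in the value in NT form, e.g. \??\C:\WINDOWS\x.exe

# Constructed sample of the REG_MULTI_SZ content. Entries come in pairs:
# source path, then destination. An empty destination means "delete";
# a destination starting with "!" means "replace even if the target exists".
# The paths are taken from the KillBox list above; the replace pair is an
# assumed illustration of a dummy-replace, not a claim about KillBox internals.
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\cnmirri.exe", "",
    "\\??\\C:\\WINDOWS\\SYSTEM32\\nlame.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\dummy.tmp", "!\\??\\C:\\WINDOWS\\SYSTEM32\\vbskpro2.ocx",
]

Operation = Tuple[str, Optional[str], str]   # (source, destination, action)


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(values: List[str]) -> List[Operation]:
    """Turn the raw multi-string list into (source, destination, action) triples."""
    ops: List[Operation] = []
    for i in range(0, len(values) - 1, 2):      # a dangling odd entry is ignored
        src = _strip_nt_prefix(values[i])
        dst_raw = values[i + 1]
        if dst_raw == "":
            ops.append((src, None, "delete"))
        elif dst_raw.startswith("!"):
            ops.append((src, _strip_nt_prefix(dst_raw[1:]), "replace"))
        else:
            ops.append((src, _strip_nt_prefix(dst_raw), "rename"))
    return ops


def missing_deletions(expected: List[str], values: List[str]) -> List[str]:
    """Paths from `expected` that are not queued for deletion (case-insensitive, as NTFS is)."""
    queued = {src.lower() for src, _, action in parse_pending_ops(values) if action == "delete"}
    return [p for p in expected if p.lower() not in queued]


def read_pending_from_registry() -> List[str]:
    """Read the live value on Windows; returns [] elsewhere or when nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    # On Windows the live queue is shown; elsewhere the constructed sample is used.
    pending = read_pending_from_registry() or SAMPLE_PENDING
    for src, dst, action in parse_pending_ops(pending):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
    wanted = ["C:\\WINDOWS\\cnmirri.exe", "C:\\WINDOWS\\cygz.dll"]
    print("not queued:", missing_deletions(wanted, pending))
```

Run it after pasting the file list into KillBox and before rebooting: any path printed under "not queued" is one the tool did not manage to schedule, which is the situation the quoted warning about the value being removed by an external process describes.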
Old 08-29-2005, 06:16 PM   #8 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, August 29, 2005 19:36:51
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/08/2005
Kaspersky Anti-Virus database records: 137492
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 195923
Number of viruses found: 40
Number of infected objects: 95
Number of suspicious objects: 0
Duration of the scan process: 5691 sec

Infected Object Name - Virus Name
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/Beyond.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.af
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip Infected: Trojan.Java.ClassLoader.ai
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP104\A0021366.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021436.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021437.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021443.exe Infected: Trojan-Clicker.Win32.Delf.cf
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021445.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021448.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018160.exe Infected: Trojan-Downloader.Win32.Small.aal
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018161.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018163.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018164.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018166.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018167.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018169.exe Infected: Trojan-Downloader.Win32.Qoologic.v
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018170.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018174.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018175.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018187.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018190.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018197.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018199.exe Infected: Trojan-Dropper.Win32.SurfSide.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018212.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018244.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018247.dll Infected: Trojan-Downloader.Win32.Agent.le
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018251.exe Infected: Trojan-Downloader.Win32.Delf.cb
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018261.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018262.exe Infected: Email-Worm.Win32.Bagz.i
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018263.exe Infected: Trojan-Dropper.Win32.Small.wv
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018268.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018270.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018273.exe Infected: Email-Worm.Win32.Bagz.h
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018278.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018281.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018283.dll Infected: Trojan-Downloader.Win32.Adload.g
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018284.dll Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018286.exe Infected: Trojan-Dropper.Win32.Agent.ka
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018287.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018288.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018289.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018295.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018299.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018302.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018303.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018304.dll Infected: Trojan-Proxy.Win32.Small.bk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018322.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018333.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018334.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018335.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018336.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018403.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018404.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018405.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019007.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019008.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019009.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019010.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019028.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019034.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019035.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019036.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019037.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019051.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019052.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019053.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019055.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019126.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019128.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019129.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019130.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019150.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019151.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019152.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019153.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019177.exe Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019178.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019179.exe Infected: Trojan-Downloader.Win32.Small.asf
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019184.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019189.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019190.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019191.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019193.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019197.exe Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019223.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019229.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\d140113.a.Stub.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\WINDOWS\system32\dmnxbqn.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\Temp\ASHeuristic\d140113.a.Stub.exe.vir Infected: Trojan-Downloader.Win32.Delmed.a
C:\WINDOWS\Temp\ASHeuristic\d140113.a.Stub.exe.vir.vir Infected: Trojan-Downloader.Win32.Delmed.a

Scan process completed.
Old 08-30-2005, 12:47 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,348
OS: N/A


There has been a long delay in between replies. The virus isn't gonna sit idle waiting for us to come remove it. This delay may have invalidated much of what we have accomplished earlier. Please do not take too long to reply.


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then click on Notepad's 'Edit' menu & select Copy
  • C:\WINDOWS\system32\d140113.a.Stub.exe
    C:\WINDOWS\system32\dmnxbqn.exe
    C:\WINDOWS\Temp\ASHeuristic\d140113.a.Stub.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.



Reboot to Safe Mode

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.



Run Ewido (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** An Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.



Whilst in Safe Mode, run a WinPFind scan & post the results


In your next reply, I require these logs:

Fresh HJT log
Fresh Kaspersky scan
Ewido's log
Fresh WinPFind logs


Tell me how the machine is behaving now.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-30-2005 at 12:50 AM.
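Note how the follow-up above picks only three paths out of the 95 objects in the Kaspersky report: everything under System Volume Information\_restore is a System Restore copy, inert unless a restore point is applied (and normally dealt with by flushing System Restore once the machine is clean), and the Java deployment cache entries are downloaded content rather than a running component. Sorting a report that way is the first step of triage. The Python below is an added example, not code from this thread, from Kaspersky or from Ewido: it parses both report formats shown in this thread (Ewido's `path -> name : status` and Kaspersky's `path Infected: name`), classifies each hit by where it lives, and returns the live files together with the entries whose cleaning failed. The sample lines are copied from the reports above; the location labels and their patterns are this example's own.

```python
"""Triage scan-report lines by location (added example, not from the thread or either scanner)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Detection(NamedTuple):
    path: str
    name: str      # scanner's detection name, e.g. Trojan-Downloader.Win32.Qoologic.ac
    status: str    # Ewido's cleaning status, or "infected" for Kaspersky lines
    location: str  # one of the labels in LOCATION_RULES, or "live"


# Location labels are this example's own; patterns are matched against the
# lower-cased path. A path that matches no rule is treated as a live file.
LOCATION_RULES = [
    ("restore_point", r"\\system volume information\\_restore"),
    ("cookie", r"\\cookies\\|cookies\.txt$"),
    ("web_cache", r"\\temporary internet files\\|\\deployment\\cache\\"),
]

# Constructed sample: lines copied from the Ewido and Kaspersky reports above,
# plus one non-detection line to show that headers and footers are skipped.
SAMPLE_LINES = [
    r"C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Error during cleaning",
    r"C:\WINDOWS\system32\wkagp.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup",
    r"C:\Documents and Settings\scott\Cookies\scott@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup",
    r"C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018333.exe Infected: Trojan-Downloader.Win32.Qoologic.ac",
    r"C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019229.exe Infected: Trojan-Downloader.Win32.Qoologic.ac",
    r"C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/Beyond.class Infected: Exploit.Java.Bytverify",
    r"C:\WINDOWS\system32\dmnxbqn.exe Infected: Trojan-Downloader.Win32.Qoologic.ac",
    r"C:\WINDOWS\Temp\ASHeuristic\d140113.a.Stub.exe.vir Infected: Trojan-Downloader.Win32.Delmed.a",
    "Scan process completed.",
]


def classify(path: str) -> str:
    low = path.lower()
    for label, pattern in LOCATION_RULES:
        if re.search(pattern, low):
            return label
    return "live"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one Ewido ('path -> name : status') or Kaspersky ('path Infected: name') line."""
    line = line.strip()
    if " -> " in line and " : " in line:
        path, rest = line.rsplit(" -> ", 1)
        name, status = rest.rsplit(" : ", 1)
        return Detection(path, name, status, classify(path))
    if " Infected: " in line:
        path, name = line.rsplit(" Infected: ", 1)
        return Detection(path, name, "infected", classify(path))
    return None   # headers, statistics, blank lines


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise a report: live files to act on, failed cleanings, counts by location and name."""
    hits = [d for d in (parse_line(line) for line in lines) if d is not None]
    return {
        "live": [d.path for d in hits if d.location == "live"],
        "cleaning_errors": [d.path for d in hits if d.status.lower().startswith("error")],
        "by_location": dict(Counter(d.location for d in hits)),
        "by_name": dict(Counter(d.name for d in hits)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

On the sample, the "live" list comes out as the two files under WINDOWS plus the b.com dropper and the ASHeuristic copy, which is the same short list the instructions above feed to KillBox; a real report can be fed in by reading the saved text file with `open(...).read().splitlines()`.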
Old 08-30-2005, 09:06 PM   #10 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


Thanks sUBs

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:10:07 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs...WebInstall.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, August 30, 2005 23:02:07
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/08/2005
Kaspersky Anti-Virus database records: 137657
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 188418
Number of viruses found: 39
Number of infected objects: 89
Number of suspicious objects: 0
Duration of the scan process: 5506 sec

Infected Object Name - Virus Name
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/Beyond.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.af
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai
C:\Documents and Settings\scott\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a84a25a-7fd6bcff.zip Infected: Trojan.Java.ClassLoader.ai
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP104\A0021366.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021436.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021437.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021443.exe Infected: Trojan-Clicker.Win32.Delf.cf
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021445.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP107\A0021448.exe Infected: Trojan.Win32.StartPage.zq
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP108\A0021490.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP108\A0021491.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018160.exe Infected: Trojan-Downloader.Win32.Small.aal
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018161.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018163.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018164.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018166.exe Infected: Trojan-Downloader.Win32.Apropo.ae
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018167.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018169.exe Infected: Trojan-Downloader.Win32.Qoologic.v
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018170.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018174.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018175.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018187.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018190.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018197.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018199.exe Infected: Trojan-Dropper.Win32.SurfSide.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018212.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018244.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP97\A0018247.dll Infected: Trojan-Downloader.Win32.Agent.le
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018251.exe Infected: Trojan-Downloader.Win32.Delf.cb
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018261.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018262.exe Infected: Email-Worm.Win32.Bagz.i
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018263.exe Infected: Trojan-Dropper.Win32.Small.wv
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018268.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018270.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018273.exe Infected: Email-Worm.Win32.Bagz.h
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018278.exe Infected: Trojan-Downloader.Win32.Agent.ro
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018281.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018283.dll Infected: Trojan-Downloader.Win32.Adload.g
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018284.dll Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018286.exe Infected: Trojan-Dropper.Win32.Agent.ka
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018287.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018288.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018289.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018295.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018299.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018302.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018303.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018304.dll Infected: Trojan-Proxy.Win32.Small.bk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018322.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018333.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018334.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018335.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018336.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018403.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018404.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0018405.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019007.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019008.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019009.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019010.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019028.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019034.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019035.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019036.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019037.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019051.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019052.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019053.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019055.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019126.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019128.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019129.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019130.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019150.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019151.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019152.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP98\A0019153.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019177.exe Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019178.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019179.exe Infected: Trojan-Downloader.Win32.Small.asf
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019184.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019189.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019190.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019191.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019193.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019197.exe Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019223.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{5ED30C24-4599-4D38-AD7C-4E34402C9700}\RP99\A0019229.exe Infected: Trojan-Downloader.Win32.Qoologic.ac

Scan process completed.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:58:06 PM, 8/30/2005
+ Report-Checksum: 8A717165

+ Scan result:

:mozilla.30:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.39:C:\Documents and Settings\scott\Application Data\Mozilla\Firefox\Profiles\knk2eeyd.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\scott\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup



::Report End

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"ABIT uGuru"="C:\\Program Files\\ABIT\\ABIT uGuru\\uGuru.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"NvMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"SaiSmart"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll

Subkey --- AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6}
C:\PROGRA~1\AlphaZIP\AlphaZip.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mxnsfkns
{8f9e96ed-ec9f-47ad-b882-3bbd48cbe818}
C:\WINDOWS\System32\eanrj.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
C:\Program Files\WinAce\arcext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
==============================
C:\Documents and Settings\scott\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
Adobe Gamma Loader.lnk
BlackICE PC Protection.lnk
desktop.ini
MUPS.lnk
TEW-424UB Utility.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MBLLNK.CPL AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_04.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
Old 09-01-2005, 01:35 AM   #11 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Please DISABLE Spybot's TeaTimer and LEAVE IT OFF until the fix is complete!

Run HijackThis and fix the following entries...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -


Clear your Java Cache...

1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory.

Click START...RUN...Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE...EXPORT...and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Media Gateway"="C:\\Program Files\\Media Gateway\\MediaGateway.exe"

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
mxnsfkns <-- make sure you delete that folder!

C:\WINDOWS\System32\eanrj.dll<--delete that file

C:\Program Files\Media Gateway<-- delete that folder

Run the Cleanup utility and reboot. Then post another WinPfind and hijackthis log.
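One way to triage a HijackThis log for the three patterns MicroBell acted on in the post above (Search Bar/SearchURL values reset to about:blank, O16 DPF entries with no description and no download URL, and an autorun name that is not on a per-machine allowlist). This is an added example, not part of the original thread or of HijackThis; the sample log lines are copied from the thread's own log and registry export, and the allowlist of known-good Run entries is an assumption made for this particular machine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input for the example: lines copied from the thread's HijackThis log,
# plus the "Media Gateway" Run entry that only appeared in the registry export.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
"""

# Assumed allowlist of autorun names known good on this machine (taken from
# the thread's log); constructed for the example, not a general-purpose list.
KNOWN_RUN_ENTRIES = {
    "ABIT uGuru", "Zone Labs Client", "Motive SmartBridge",
    "A Verizon App", "gcasServ", "SpybotSD TeaTimer",
}

# R1: registry key, value name after the last comma, then " = data".
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O4: autorun location, [entry name], command line.
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16: CLSID, optional (description), " - ", optional download URL.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str   # category of the problem
    line: str   # the offending log line, verbatim


def parse_and_check(log_text, known_run_entries=KNOWN_RUN_ENTRIES):
    """Return a Finding for every line that matches one of the three patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R1_RE.match(line)
        if m:
            # Search Bar / SearchURL pointing at about:blank is the residue of
            # a search hijack; ProxyOverride=127.0.0.1 is normal and not flagged.
            hijack_value = m.group("name") == "Search Bar" or m.group("key").endswith("SearchURL")
            if hijack_value and m.group("data").lower() == "about:blank":
                findings.append(Finding("search-hijack-residue", line))
            continue
        m = O4_RE.match(line)
        if m:
            if m.group("name") not in known_run_entries:
                findings.append(Finding("unrecognised-autorun", line))
            continue
        m = O16_RE.match(line)
        if m:
            # An ActiveX download entry with neither a name nor a source URL has
            # nothing left to identify it; it is safe to remove and worth noting.
            if not m.group("desc") and not m.group("url"):
                findings.append(Finding("orphaned-activex-dpf", line))
            continue
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in parse_and_check(SAMPLE_LOG):
        print(f"{f.kind:24} {f.line}")
    print(count_by_kind(parse_and_check(SAMPLE_LOG)))
```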
Old 09-05-2005, 01:10 PM   #12 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


I think everything is all clear; I haven't had a problem in a while.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:16:43 PM, on 9/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\scott\My Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: TEW-424UB Utility.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs...WebInstall.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/26/2004 11:51:48 PM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 3/15/2004 7:28:50 PM 69120 C:\WINDOWS\daemon.bak
UPX! 8/22/2004 5:04:56 PM 69120 C:\WINDOWS\daemon.dll
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\LPT$VPN.604
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 4/28/2005 5:41:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
qoologic 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
SAHAgent 4/28/2005 5:41:48 PM 14826377 C:\WINDOWS\VPTNFILE.604
UPX! 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 4/28/2005 9:13:04 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/23/2001 11:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 11:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 9/5/2005 2:12:22 PM 2048 C:\WINDOWS\bootstat.dat
H 8/20/2005 6:26:20 PM 54156 C:\WINDOWS\QTFont.qfn
H 8/18/2005 9:31:40 PM 0 C:\WINDOWS\LastGood\INF\oem26.inf
H 8/18/2005 9:31:42 PM 0 C:\WINDOWS\LastGood\INF\oem26.PNF
H 9/5/2005 12:30:12 PM 890 C:\WINDOWS\system32\vsconfig.xml
H 9/5/2005 2:12:18 PM 8192 C:\WINDOWS\system32\config\default.LOG
H 9/5/2005 2:16:08 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 9/5/2005 2:12:24 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
H 9/5/2005 2:17:10 PM 110592 C:\WINDOWS\system32\config\software.LOG
H 9/5/2005 2:12:24 PM 1048576 C:\WINDOWS\system32\config\system.LOG
SH 8/19/2005 11:51:18 PM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e0bb3dce-73a5-42d7-bd73-7877e708d74b
SH 8/19/2005 11:51:18 PM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 9/5/2005 1:43:42 PM 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/10/2004 8:09:52 PM 49262 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 2/21/2003 5:58:26 AM 69632 C:\WINDOWS\SYSTEM32\MBLLNK.CPL
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 4/1/2005 4:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 11:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
NVIDIA Corporation 7/30/2002 11:50:00 AM 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/5/2005 12:38:04 PM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
8/24/2004 7:08:50 PM 1924 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/18/2004 8:48:42 PM 1652 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
9/16/2004 632 PM 1633 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk
2/21/2005 1:02:10 PM 597 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TEW-424UB Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
4/5/2005 7:59:36 PM 1568 C:\Documents and Settings\scott\Application Data\mpauth.dat
8/28/2005 10:03:04 PM 56 C:\Documents and Settings\scott\Application Data\Sskdmns.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
MyIE2 = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AlphaZipContextMenu
{5AD42C8A-F224-4113-9851-8A9A489A0CA6} = C:\PROGRA~1\AlphaZIP\AlphaZip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0\bin\jusched.exe
ABIT uGuru C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
NvMixerTray "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
Profiler C:\Program Files\Saitek\Software\Profiler.exe
SaiSmart C:\Program Files\Saitek\Software\SaiSmart.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Motive SmartBridge C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
A Verizon App C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/5/2005 2:25:29 PM
Old 09-05-2005, 01:34 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A


Delete this file -> C:\Documents and Settings\scott\Application Data\Sskdmns.dll

After that, your system is clean. Do yourself a favor & upgrade to SP2.

Please follow these simple steps in order to keep your computer clean and secure:
  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type sysdm.cpl & press Enter
    • Select the System Restore Tab
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
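An added example, not code from sUBs's post or from any of the programs it lists: a PowerShell audit that checks the six Internet zone settings from step 3 against the values the post recommends and counts the hosts-file sinkhole entries from step 11. It assumes the standard IE URL-action value names (1001 and so on) under the HKCU zone 3 key; treating 0.0.0.0 as a sinkhole address is an assumption about newer MVPS files.

```powershell
# Added audit script (not from the original post or any tool it names).
# Checks the Internet zone (zone 3) settings that step 3 changes by hand and
# the hosts-file sinkhole entries that step 11 describes. The value names
# 1001, 1004, 1201, 1607, 1800 and 1804 are the standard IE URL-action
# identifiers; stored values mean 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings from step 3 with the values the post asks for.
$recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Id = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Id = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Id = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Id = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Id = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Id = '1607'; Want = 1 }
)
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneSettings {
    # Reports each setting as OK, WEAK or NOT SET; -Fix raises weak ones to the
    # recommended value (same effect as the Custom Level dialog in step 3).
    param([switch]$Fix)
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($s in $recommended) {
        $current = $zone.($s.Id)
        if ($null -eq $current) {
            # No explicit value stored: IE uses its built-in default for the zone.
            Write-Output ('NOT SET {0} (want {1})' -f $s.Name, $labels[$s.Want])
            continue
        }
        $current = [int]$current
        # 0 < 1 < 3 in strictness, so anything below the target is weaker.
        if ($current -ge $s.Want) { $status = 'OK     ' } else { $status = 'WEAK   ' }
        Write-Output ('{0} {1}: {2} (want {3})' -f $status, $s.Name, $labels[$current], $labels[$s.Want])
        if ($Fix -and $current -lt $s.Want) {
            Set-ItemProperty -Path $zonePath -Name $s.Id -Value $s.Want -Type DWord
        }
    }
}

function Get-HostsSinkholeCount {
    # Counts hosts entries that point a name at the local machine, which is how
    # the MVPS file in step 11 blocks ad sites. 0.0.0.0 is included as an
    # assumption, since later MVPS releases use it instead of 127.0.0.1.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = Get-Content $hosts |
        Where-Object { $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+\S' } |
        Where-Object { $_ -notmatch '^\s*\S+\s+localhost\b' }   # skip the stock localhost line
    @($entries).Count
}

Test-InternetZoneSettings
'Hosts entries sinkholed to the local machine: {0}' -f (Get-HostsSinkholeCount)
```

Run it as the user whose Internet Explorer profile is being checked; add -Fix to Test-InternetZoneSettings only after reviewing the WEAK lines it reports.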
Old 09-06-2005, 04:41 PM   #14 (permalink)
Member
 
Join Date: Jul 2004
Posts: 41
OS: XP


Thanks sUBs and everyone else. All clean. You can move this thread.
Copyright 2001 - 2009, Tech Support Forum