Resolved HJT Threads Resolved spyware and popup issues.

 
 
#1 - 10-12-2005, 04:01 PM
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Some Sort of Trojan (I am computer savvy)

Thank you for your time on this. It appears I may have a trojan, and everything I have tried to remove it has failed. I have run Ad-aware, Spybot, Bitdefender, and eTrust AV - to no avail. Perhaps you can help.

If it makes a difference, the system is:
Averatec Laptop, C3500 Series
Mobile AMD 2200+ Athlon
Windows XP Tablet PC Edition 2005
512 MB of RAM


And the following is a copy of my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:28:21 AM, on 8/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\yjjhccl\glcstxep.exe
C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\system32\afwdd\ggtued.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\absw\whto.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdlite.exe
C:\Temp\AutoRuns\autoruns.exe
C:\Temp\Process Explorer\procexp.exe
C:\Temp\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [xsyuvhn] C:\WINDOWS\xsyuvhn.exe
O4 - HKLM\..\Run: [mmnhfi] C:\WINDOWS\system32\ngvnsru\mmnhfi.exe
O4 - HKLM\..\Run: [ygvam] C:\WINDOWS\system32\ukkpdsk\ygvam.exe
O4 - HKLM\..\Run: [rktjotv] C:\WINDOWS\system32\cvgnpijd\rktjotv.exe
O4 - HKLM\..\Run: [glcstxep] C:\WINDOWS\system32\yjjhccl\glcstxep.exe
O4 - HKLM\..\Run: [wwrxnvxw] C:\WINDOWS\system32\rcetogy\wwrxnvxw.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ggtued] C:\WINDOWS\system32\afwdd\ggtued.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\system32\Yunguyo.exe
O4 - HKLM\..\Run: [glcpadaj] C:\WINDOWS\glcpadaj.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pagttr.exe reg_run
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rup] "C:\Program Files\absw\whto.exe" -vt rbnd
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com/
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/do...ARKETING32.cab
O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://old.cwinsider.com/cwi/frntd/...e/TSAEButn.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/224/installer.exe
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/with-rep.../bannerads.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...2c1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093027197912
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Any suggestions?

Last edited by sUBs; 10-12-2005 at 04:09 PM. Reason: undoing user error
SpikedPunchVctm is offline  
#2 - 10-12-2005, 04:24 PM
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
Vikesrock8411 is offline  
#3 - 10-12-2005, 05:46 PM
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Thanks Vikes. I appreciate this, and will try to learn as much as possible from what you discern.

Thanks for the tip of subscribing. I have tons of patience, and understand how much time it could take to analyze this entire log.
SpikedPunchVctm is offline  
#4 - 10-12-2005, 06:00 PM
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


If you are really interested in Hijackthis, malware, and how to remove it, I suggest you take a look at this forum's Academy. You can read a little about it in the stickies at the top of this forum. Basically it is a place to learn how to analyze Hijackthis! logs and determine what tools are needed to deal with them. As long as the mods know you're still hanging around, it is pretty much go at your own pace, so you can take as much or as little time as you need for each log. If you're interested, read the stickies at the top of the forum about applying.
Vikesrock8411 is offline  
#5 - 10-13-2005, 07:05 AM
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Your log appears to show multiple antivirus programs running. Multiple antivirus programs running at the same time can cause conflicts so it is recommended you uninstall all but one.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Please download AproposFix

Save it to your desktop but do NOT run it yet.

Please download Ewido Security Suite.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

The Temp folders must be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Cleanup! (Alternate Link) and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\system32\medgs1.exe
    C:\WINDOWS\system32\yjjhccl\glcstxep.exe
    C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
    C:\WINDOWS\system32\afwdd\ggtued.exe
    C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
    C:\Program Files\Common Files\services.exe
    C:\Program Files\absw\whto.exe
    C:\WINDOWS\system32\PSof1.exe
    C:\WINDOWS\exe82.exe
    C:\WINDOWS\xsyuvhn.exe
    C:\WINDOWS\system32\ngvnsru\mmnhfi.exe
    C:\WINDOWS\system32\ukkpdsk\ygvam.exe
    C:\WINDOWS\system32\cvgnpijd\rktjotv.exe
    C:\WINDOWS\system32\rcetogy\wwrxnvxw.exe
    C:\WINDOWS\system32\opr.exe
    C:\WINDOWS\system32\Yunguyo.exe
    C:\WINDOWS\glcpadaj.exe
    C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
    C:\Program Files\Common Files\mc-58-12-0000119.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" for each one, one at a time (if some of them no longer exist, don't worry about it).
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\yjjhccl\glcstxep.exe
C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
C:\WINDOWS\system32\afwdd\ggtued.exe
C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\absw\whto.exe


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
ContextPlus (don't worry if this is not present)

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [xsyuvhn] C:\WINDOWS\xsyuvhn.exe
O4 - HKLM\..\Run: [mmnhfi] C:\WINDOWS\system32\ngvnsru\mmnhfi.exe
O4 - HKLM\..\Run: [ygvam] C:\WINDOWS\system32\ukkpdsk\ygvam.exe
O4 - HKLM\..\Run: [rktjotv] C:\WINDOWS\system32\cvgnpijd\rktjotv.exe
O4 - HKLM\..\Run: [glcstxep] C:\WINDOWS\system32\yjjhccl\glcstxep.exe
O4 - HKLM\..\Run: [wwrxnvxw] C:\WINDOWS\system32\rcetogy\wwrxnvxw.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ggtued] C:\WINDOWS\system32\afwdd\ggtued.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\system32\Yunguyo.exe
O4 - HKLM\..\Run: [glcpadaj] C:\WINDOWS\glcpadaj.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pagttr.exe reg_run
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rup] "C:\Program Files\absw\whto.exe" -vt rbnd
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING32.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus.net/download/ax/224/installer.exe
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/with-re...g/bannerads.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c...c2c1002_sp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following files (indicated in red) and folders (indicated in blue) if they still exist.
C:\WINDOWS\system32\yjjhccl
C:\WINDOWS\system32\afwdd
C:\WINDOWS\Q2Fyb2xpbmUA
C:\Program Files\absw
C:\WINDOWS\system32\ngvnsru
C:\WINDOWS\system32\ukkpdsk
C:\WINDOWS\system32\cvgnpijd
C:\WINDOWS\system32\rcetogy

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: Ewido has been finding false positives during some scans.
  • You will need to step through the process of cleaning files one by one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • Do NOT select 'Perform action on all infections'.
  • If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files


Click OK, press the CleanUp! button to start the program and reboot (Normal Mode) when prompted.

There will be a file called log.txt in the Aproposfix folder, please copy the contents of that file here.

Please run a Scan at Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available. At the end of this scan you will be given the option to save a log from the scan. SAVE THAT LOG and post it here.

In your next post please include:
  • Ewido log
  • Aproposfix log.txt
  • Panda Activescan Log
  • A new Hijackthis! Log
Vikesrock8411 is offline  
#6 - 10-13-2005, 03:05 PM
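The analyst's fix list above was built by hand from the HijackThis log in post #1. The following script is an added example (not part of this thread and not the analyst's tooling) of the location heuristics a defender can script for the first pass of that triage: executables running from a Temp directory, a directory name that is really base64-encoded text (the folder Q2Fyb2xpbmUA in the log decodes to the user name "Caroline" followed by a NUL byte), a core Windows executable name such as services.exe living outside the Windows directories, an unknown subdirectory under system32, and an executable dropped straight into a Program Files root. The allowlist of system32 subdirectories, the list of system executable names and the reason strings are my assumptions; the sample lines are copied from the log in this thread.

```python
import base64
import binascii
import re

# Names of core Windows executables that malware likes to borrow.  Any of these
# running from somewhere other than the Windows directories is worth a look.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumed allowlist of legitimate system32 subdirectories (hypothetical;
# extend it for the Windows build you are triaging).
SYSTEM32_SUBDIRS_OK = {"drivers", "wbem", "spool", "dllcache"}
PROGRAM_ROOTS = {r"c:\program files", r"c:\program files\common files"}

O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def decode_base64_component(component):
    """Return the text a path component decodes to if it is base64 (padded or
    not) of printable ASCII, ignoring trailing NULs; otherwise None."""
    if len(component) < 8:
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.rstrip(b"\x00")
    if len(text) < 4 or not all(0x20 <= b < 0x7F for b in text):
        return None
    return text.decode("ascii")


def extract_path(line):
    """Pull the executable path out of a 'Running processes' line or an O4 Run entry."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        cmd = m.group("cmd")
        if cmd.startswith('"'):                         # quoted path, arguments may follow
            return cmd[1:cmd.index('"', 1)]
        m2 = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)   # unquoted path, stop at .exe
        return m2.group(1) if m2 else None
    if DRIVE_PATH.match(line):
        return line
    return None


def triage_path(path):
    """Apply the location heuristics to one path; return the reasons it was flagged."""
    parts = path.split("\\")
    dirs = [p.lower() for p in parts[:-1]]
    exe = parts[-1].lower()
    parent = "\\".join(dirs)
    reasons = []
    if "temp" in dirs or "temporary internet files" in dirs:
        reasons.append("runs from a temporary directory")
    if any(decode_base64_component(p) for p in parts[:-1]):
        reasons.append("directory name is base64-encoded text")
    if exe in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        reasons.append("system executable name outside the Windows directories")
    if dirs[:3] == ["c:", "windows", "system32"] and len(dirs) > 3 \
            and dirs[3] not in SYSTEM32_SUBDIRS_OK:
        reasons.append("unknown subdirectory of system32")
    if parent in PROGRAM_ROOTS:
        reasons.append("executable dropped directly into a Program Files root")
    return reasons


def triage_log(lines):
    """Map each flagged path found in the log lines to its reasons; clean paths are omitted."""
    flagged = {}
    for line in lines:
        path = extract_path(line)
        if path and path not in flagged:
            reasons = triage_path(path)
            if reasons:
                flagged[path] = reasons
    return flagged


# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\Q2Fyb2xpbmUA\command.exe
C:\Program Files\Common Files\services.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Caroline\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [ggtued] C:\WINDOWS\system32\afwdd\ggtued.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pagttr.exe reg_run
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000119.exe
O4 - HKCU\..\Run: [Rup] "C:\Program Files\absw\whto.exe" -vt rbnd
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG.splitlines()).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run it on the full log from post #1 to see which of the analyst's KillBox entries the heuristics reach on their own. Note what they miss: C:\Program Files\absw\whto.exe and C:\WINDOWS\system32\pagttr.exe sit in ordinary-looking locations and are not flagged, which is why the hand review still matters. The base64 check is only applied to directory names here; applied to file stems it would also pick out MTE2ODM6ODoxNg.exe from the Ewido log in post #6, which decodes to "11683:8:16".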
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Ewido Log

Alright, all the above mentioned have been done. The following are the reports you've requested.

:: Ewido Log ::
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:18:30 AM, 8/30/2005
+ Report-Checksum: 2C801746

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\TypeLib\\ -> Spyware.MoneyTree : Ignored
HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID\\ -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1\CLSID\\ -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}\TypeLib\\ -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetOffers -> Spyware.LZIO : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaTickets -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-609264541-873382673-3294363746-1005\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\knua.exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@interchangecorporation.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Caroline\Cookies\caroline@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\180sainstallersca.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\BundleP.exe -> Adware.Saha : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\Del10F.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\Del11A.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\Mshtml3.exe -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\res111.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temp\res89.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Caroline\Local Settings\Temporary Internet Files\Content.IE5\OHEJ4X6V\rcverlib[1].exe -> Trojan.Pakes : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\Offtedge\AI_27-08-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Offtedge\AI_29-08-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Offtedge\AI_30-08-2005.log -> Backdoor.Wiaatl : Cleaned with backup
C:\Program Files\Offtedge\data.bin -> Backdoor.Wiaatl : Cleaned with backup
C:\RECYCLER\S-1-5-21-609264541-873382673-3294363746-1005\Dc16\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\apguu.dat -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\nbxaarx.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\njraa.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\pagttr.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\rixcctx.dll -> TrojanDownloader.Qoologic.af : Cleaned with backup


::Report End

Last edited by sUBs; 10-13-2005 at 03:32 PM.
SpikedPunchVctm is offline  
Old 10-13-2005, 03:08 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


:: Apropos Log ::

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Caroline\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CpTh3AE5KR99]
"Device"="\\\\.\\YdwF1nvc"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\apfkdump.sys"
"DriverName"="Chatapi"
"HideUninstallerName"="C:\\Program Files\\Offtedge\\msosacct.exe"
"HDll"="C:\\WINDOWS\\system32\\ipctract.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{X431176c-b264-6ac4-b95a-9b2a870cbfd7}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Offtedge\\dintimon.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\msfatime.exe"
"Version"="2.0.100"
@="rIBUBQJbccbccdc9EXugOWDbccbrec7x.s:73cTZTUFNihcESJWFSTcBQGLEVNQdTZT"

--
[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


************

Removing hidden service:
Service Chatapi removed.

Removing hidden folder:
Deletion of folder Offtedge succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\apfkdump.sys succeeded!
Deletion of file C:\WINDOWS\system32\msfatime.exe succeeded!
Deletion of file C:\WINDOWS\system32\ipctract.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CpTh3AE5KR99]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CpTh3AE5KR99]
[-HKEY_LOCAL_MACHINE\Software\Aprps]

Done!

Finished!

:: Panda ActivScan ::


Incident                              Status           Location
Spyware:spyware/surfsidekick          No disinfected   C:\Documents and Settings\Caroline\Application Data\Sskcwrd.dll
Adware:Adware/ConsumerAlertSystem     No disinfected   C:\Program Files\Cas\Client\Uninstall.exe
Adware:adware/maxifiles               No disinfected   C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles               No disinfected   C:\Program Files\DNS\cwebpage.dll
Virus:Trj/Downloader.ENI              Disinfected      C:\WINDOWS\io2uns.exe
Adware:adware/exact.bargainbuddy      No disinfected   C:\WINDOWS\system32\bho.dll
Adware:Adware/Qoologic                No disinfected   C:\WINDOWS\system32\efqmm.dll
Adware:adware/wupd                    No disinfected   C:\WINDOWS\system32\ide21201.vxd
Adware:adware/sahagent                No disinfected   C:\WINDOWS\unstall.exe

:: HijackThis! Log ::

Logfile of HijackThis v1.99.1
Scan saved at 7:44:55 AM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\Rpcnet.exe
E:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com/
O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://old.cwinsider.com/cwi/frntd/...e/TSAEButn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093027197912
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: ygvamukkpdsk - Unknown owner - C:\WINDOWS\system32\ukkpdsk\ygvam.exe (file missing)


So far the computer is already running much better. Does it look like it's fully clean?

Last edited by sUBs; 10-13-2005 at 03:33 PM.
SpikedPunchVctm is offline  
Old 10-14-2005, 07:11 AM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Make sure you can keep your computer on before you continue on with the below. I need you to keep it on until I reply with a fix and when you actually do the fix because the filenames may change if you restart or shutdown your computer. So if you can't keep the computer on today, don't run the below steps until you can keep it on. I also need to know if you can access the Task Manager (Ctrl+Alt+Del) and/or Regedit (Start -> Run -> Regedit). Please check to see if you can access both of these and let me know whether or not you can in your next post.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
WinPFind-Unzip it to the desktop, but do not run it yet

Track qoo-Unzip it to the desktop, but do not run it yet

Hoster-Run Hoster and choose the 'Restore Original Hosts' button and press OK.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\system32\apguu.dat
    C:\WINDOWS\system32\MediaGateway.exe
    C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
    C:\WINDOWS\system32\nbxaarx.exe
    C:\WINDOWS\system32\njraa.dll
    C:\WINDOWS\system32\pagttr.exe
    C:\WINDOWS\system32\rixcctx.dll
    C:\Documents and Settings\Caroline\Application Data\Sskcwrd.dll
    C:\Program Files\Cas\Client\Uninstall.exe
    C:\Program Files\Common Files\system32.dll
    C:\Program Files\DNS\cwebpage.dll
    C:\WINDOWS\io2uns.exe
    C:\WINDOWS\system32\bho.dll
    C:\WINDOWS\system32\efqmm.dll
    C:\WINDOWS\system32\ide21201.vxd
    C:\WINDOWS\unstall.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if listed):
DNS OR Shorty
Internet Optimizer
Casino Client OR Cas OR Casino (something)


Deleting a Service
Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - ygvamukkpdsk
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O23 - Service: ygvamukkpdsk - Unknown owner - C:\WINDOWS\system32\ukkpdsk\ygvam.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\Cas
C:\Program Files\DNS
C:\Program Files\Internet Optimizer
C:\WINDOWS\system32\ukkpdsk

Restart your computer in Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).

Tools
Double click WinPFind.exe

* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!

Reboot your system in Normal Mode.

Double click on Track qoo.vbs

**Note - If you have an anti-virus program that has script blocking features, you will get a pop up window asking you what to do. Allow this entire script to run. It's harmless.

Wait a few seconds and Notepad will pop up. Save this file to your desktop as Trackqoo.txt. Copy & Paste the results and place them in the next post along with the results of WinPFind! Remember to keep your computer on now until you do the fix that I will give you.

Online Scans
Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:
  • Kaspersky Log
  • A new Hijackthis! Log
  • WinPFind.txt
  • Trackqoo Log
Vikesrock8411 is offline  
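The checks the helper applies by eye in the post above (an O1 hosts-file override pointing a hostname at a non-loopback address, an O23 service with "Unknown owner" or "(file missing)", an O4 Run entry that names a bare executable rather than a full path) can be scripted so the same triage is repeatable on the next log. The parser below is an added example for this page, not code from HijackThis or from anyone in this thread; the sample lines are copied from the log posted earlier, and the names `Finding`, `triage` and `triage_log` are mine.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this page, not code from HijackThis or from the thread.
It scripts the checks the helper applies by eye: O1 hosts-file overrides,
O4 Run entries that give a bare filename instead of a full path, and O23
services with no vendor string or a missing binary.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"O1 - Hosts: 216.39.69.102 view.atdmt.com",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl",
    r"O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll",
    r"O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe",
    r"O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe",
    r"O23 - Service: ygvamukkpdsk - Unknown owner - C:\WINDOWS\system32\ukkpdsk\ygvam.exe (file missing)",
]

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# "HKLM\..\Run: [Name] command" -> hive, name, command
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run\w*:\s+\[(.*?)\]\s*(.*)$")


@dataclass
class Finding:
    section: str
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(line: str) -> Optional[Finding]:
    """Apply the section-specific checks; reasons stays empty when nothing stands out."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    finding = Finding(section, line.strip())

    if section == "O1":
        # A hostname pinned to a non-loopback address is a redirect, not a block.
        m = HOSTS_RE.match(body)
        if m and not m.group(1).startswith("127."):
            finding.reasons.append(
                f"hosts file redirects {m.group(2)} to {m.group(1)}")

    elif section == "O4":
        # A bare filename is resolved by PATH search, so what actually runs
        # depends on directory order rather than on one fixed location.
        m = RUN_RE.match(body)
        if m and "\\" not in m.group(3):
            finding.reasons.append(
                f"Run entry [{m.group(2)}] gives a bare filename, not a full path")

    elif section == "O23":
        if "Unknown owner" in body:
            finding.reasons.append("service has no vendor string")
        if "(file missing)" in body:
            finding.reasons.append("service binary is missing from disk")

    return finding


def triage_log(lines) -> List[Finding]:
    """Return only the entries that carry at least one reason to review."""
    out = []
    for line in lines:
        f = triage(line)
        if f is not None and f.reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.raw)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, this flags four lines: the atdmt hosts redirect, the SoundMan Run entry (a bare filename, which in this log is benign but worth confirming), and the two "Unknown owner" services, with the ygvamukkpdsk service also reported for its missing binary. The point of the script is consistency rather than verdicts: a flagged entry still needs a human to check the vendor and path before anything is fixed, as the helper does in the thread.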
Old 10-14-2005, 01:01 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Just to let you know, I am going to be away for the next 2 days. I will have to do this when I get back to ensure the computer will be on the whole time.

I appreciate all of your help. I'm sure you're doing this in your free time aside from working.

~William
SpikedPunchVctm is offline  
Old 10-14-2005, 01:14 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Thanks for the heads up. I am subscribed to this thread so I will receive notification when you make a post upon your return. I find this process very interesting; it's also my way of getting back at the bad guys.

Last edited by Vikesrock8411; 10-14-2005 at 01:32 PM.
Vikesrock8411 is offline  
Old 10-16-2005, 03:04 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


======================== WinPFind LOG =====================

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/5/2005 10:56:12 AM 38912 C:\WINDOWS\mtuninst.exe
UPX! 10/4/2005 1:55:54 AM 82432 C:\WINDOWS\untokuoitu.exe

Checking %System% folder...
UPX! 7/19/2005 11:15:14 AM 286720 C:\WINDOWS\SYSTEM32\ctmweb.exe
PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/8/2004 12:02:34 PM 14336 C:\WINDOWS\SYSTEM32\diagdll.dll
UPX! 7/21/2005 1:01:58 PM 30720 C:\WINDOWS\SYSTEM32\identprv.dll
PECompact2 9/8/2005 8:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 8:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 10/5/2005 10:56:10 AM 137216 C:\WINDOWS\SYSTEM32\oins.exe
Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/24/2005 4:46:42 AM 374272 C:\WINDOWS\SYSTEM32\ride5.0.exe
winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 1/17/2002 2:52:00 PM 3584 C:\WINDOWS\SYSTEM32\wceprv.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/2/2005 6:15:10 AM S 2048 C:\WINDOWS\bootstat.dat
8/30/2005 5:18:50 AM H 24 C:\WINDOWS\ppc4Y
8/3/2005 5:36:08 AM H 0 C:\WINDOWS\inf\oem9.inf
8/2/2005 8:52:38 AM H 1024 C:\WINDOWS\repair\SAM.LOG
8/2/2005 8:52:40 AM H 1024 C:\WINDOWS\repair\SECURITY.LOG
8/2/2005 8:52:40 AM H 1024 C:\WINDOWS\repair\SOFTWARE.LOG
8/2/2005 8:52:44 AM H 1024 C:\WINDOWS\repair\SYSTEM.LOG
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/2/2005 6:15:02 AM H 8192 C:\WINDOWS\system32\config\default.LOG
9/2/2005 6:15:24 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/2/2005 6:15:12 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
9/2/2005 6:19:42 AM H 90112 C:\WINDOWS\system32\config\software.LOG
9/2/2005 6:15:20 AM H 929792 C:\WINDOWS\system32\config\system.LOG
8/12/2005 12:17:52 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
8/3/2005 5:36:28 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
8/3/2005 5:36:24 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
8/3/2005 5:36:28 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
8/3/2005 5:36:24 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
8/2/2005 8:52:58 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
8/2/2005 8:52:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0885501c-e530-4625-b40c-a3db4603f3e3
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0bd5badc-886f-49cc-86f7-36e5c2a7ce64
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\15a32d92-3308-454c-87af-0da266a852d0
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\42aa6379-eb6d-4652-853c-019f55b7c612
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\654156c2-7946-4588-b2d4-32f673a572eb
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8df4fcde-1472-43a0-8da2-80916e86f7cd
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a1f02855-3488-46ab-b35f-5142c0deff06
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a918fc42-830d-4788-9ce5-2bdf24b3b061
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b41812f9-6f71-40fc-a162-c84e6b5f1c7e
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cdcecc26-2bbf-404c-b51a-c74a85dcb0e6
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\dc829529-d943-4e1d-8998-58653d733f19
8/2/2005 8:53:44 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/2/2005 6:14:06 AM H 6 C:\WINDOWS\Tasks\SA.DAT
8/2/2005 8:58:32 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
8/2/2005 8:58:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2BBUM44J\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8RSBUVEF\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GZIJK3MN\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y9IV2ZQ7\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 5/14/2004 5:26:34 PM 14268928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 148992 C:\WINDOWS\SYSTEM32\tabletpc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 148992 C:\WINDOWS\SYSTEM32\dllcache\tabletpc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/2/2005 5:49:18 AM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
8/20/2004 9:10:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/25/2004 12:26:46 PM 1805 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
8/8/2005 6:32:28 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/20/2004 1:58:48 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/20/2004 9:10:16 AM HS 84 C:\Documents and Settings\Caroline\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/20/2004 1:58:48 AM HS 62 C:\Documents and Settings\Caroline\Application Data\desktop.ini
8/24/2005 7:34:34 AM 146 C:\Documents and Settings\Caroline\Application Data\Sskdmns.dll
8/24/2005 4:47:06 AM 460858 C:\Documents and Settings\Caroline\Application Data\Sskknwrd.dll
8/24/2005 6:40:12 AM 33 C:\Documents and Settings\Caroline\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nfsyytsy
{f4b98269-e8f3-4cfb-ac8b-6975843ce240} = C:\WINDOWS\system32\efqmm.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TabletWizard C:\WINDOWS\help\SplshWrp.exe
TabletTip "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
SiS Windows KeyHook C:\WINDOWS\system32\keyhook.exe
SiSUSBRG C:\WINDOWS\SiSUSBrg.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe
SoundMan SOUNDMAN.EXE
SMSERIAL sm56hlpr.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
WinampAgent C:\Program Files\Winamp\winampa.exe
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

BDMCon C:\progra~1\softwin\bitdef~1\bdmcon.exe
BDOESRV "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
BDNewsAgent "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
BDSwitchAgent "C:\progra~1\softwin\bitdef~1\bdswitch.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
AIM C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\loginkey
= C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL
= TabBtnWL.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpgwlnotify
= tpgwlnot.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/2/2005 6:25:14 AM


=================== End WinPFind LOG =============




================= Trackqoo Log =====================

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="C:\\WINDOWS\\help\\SplshWrp.exe"
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"SoundMan"="SOUNDMAN.EXE"
"SMSERIAL"="sm56hlpr.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"BDMCon"="C:\\progra~1\\softwin\\bitdef~1\\bdmcon.exe"
"BDOESRV"="\"C:\\Program Files\\Softwin\\BitDefender9\\bdoesrv.exe\""
"BDNewsAgent"="\"C:\\progra~1\\softwin\\bitdef~1\\bdnagent.exe\""
"BDSwitchAgent"="\"C:\\progra~1\\softwin\\bitdef~1\\bdswitch.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll

Subkey --- BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B}
C:\Program Files\Softwin\BitDefender9\bdshelxt.dll

Subkey --- nfsyytsy
{f4b98269-e8f3-4cfb-ac8b-6975843ce240}
C:\WINDOWS\system32\efqmm.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
desktop.ini
Microsoft Office OneNote 2003 Quick Launch.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Caroline\Start Menu\Programs\Startup

Adobe Acrobat Speed Launcher.lnk
desktop.ini
Microsoft Office OneNote 2003 Quick Launch.lnk
Microsoft Office.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
tabletpc.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

=================== End Trackqoo ====================



================= Kaspersky Log ==================

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 07:37:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/10/2005
Kaspersky Anti-Virus database records: 145153
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 31391
Number of viruses found: 20
Number of infected objects: 135
Number of suspicious objects: 0
Duration of the scan process: 1792 sec

Infected Object Name - Virus Name
C:\RECYCLER\S-1-5-21-609264541-873382673-3294363746-1005\Dc4\gloryrmx.dll Infected: Trojan-Downloader.Win32.Agent.lg
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0004038.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0004039.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0004040.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0004041.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0004043.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005038.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005040.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005041.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005042.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005043.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005058.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005059.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005060.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005061.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005073.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005076.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005077.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005089.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005090.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005091.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005093.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005100.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005101.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005102.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005103.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0005104.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006108.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006109.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006110.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006111.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006116.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006135.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006136.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006138.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0006139.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0007140.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0007141.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0007142.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0007143.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0009137.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0009138.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0009139.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0009140.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0012157.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0012158.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0012159.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0012160.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0013155.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0013156.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0013159.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0013160.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0015155.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0015157.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0015158.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0015159.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016176.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016177.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016178.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016181.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016196.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016197.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016198.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016199.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016206.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016208.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0016214.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017197.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017198.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017199.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017200.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017216.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017217.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017218.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0017219.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018244.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018245.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018246.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018247.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018257.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018258.exe/data0005 Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018258.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018260.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018261.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018266.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018268.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018270.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018271.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018272.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018273.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018447.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018448.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018449.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018450.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018453.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0018459.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0019435.dll Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0019436.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0019444.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020442.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020443.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020444.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020445.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020446.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020448.exe Infected: Trojan.Win32.EliteBar.c
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020450.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020452.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020456.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020458.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020459.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP14\A0020460.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP15\A0020533.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP15\A0020534.dll Infected: Trojan-Downloader.Win32.Qoologic.af
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP15\A0020535.dll Infected: Trojan-Downloader.Win32.Qoologic.ak
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020586.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020587.dll Infected: Trojan-Downloader.Win32.Qoologic.af
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020588.dll Infected: Trojan-Downloader.Win32.Qoologic.ak
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020599.exe Infected: Trojan-Downloader.Win32.VB.hw
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020603.exe Infected: Trojan-Downloader.Win32.Agent.vp
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020604.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP16\A0020614.exe Infected: Trojan-Downloader.Win32.Agent.lg
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP17\A0021554.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP17\A0021559.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP17\A0021560.dll Infected: Trojan-Downloader.Win32.Qoologic.af
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP17\A0021561.dll Infected: Trojan-Downloader.Win32.Qoologic.ak
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021607.exe Infected: Trojan-Clicker.Win32.VB.is
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021608.exe Infected: Trojan-Downloader.Win32.Agent.lg
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021612.exe Infected: Trojan-Downloader.Win32.VB.hj
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021623.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021628.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021629.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021630.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP18\A0021631.dll Infected: Trojan-Downloader.Win32.Qoologic.af
C:\System Volume Information\_restore{228FA598-7770-4360-A758-3CFB320A8092}\RP19\A0023713.dll Infected: Trojan-Downloader.Win32.Qoologic.ak
C:\WINDOWS\uhvokou.exe Infected: Trojan-Dropper.Win32.Agent.mu

Scan process completed.

====================== End Kaspersky Log ==================



=================== Hijack! This ====================

Logfile of HijackThis v1.99.1
Scan saved at 7:38:06 AM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\upgrepl.exe
C:\Temp\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com/
O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://old.cwinsider.com/cwi/frntd/...e/TSAEButn.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093027197912
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

=========================== End Hijack! This ===============
SpikedPunchVctm is offline  
Old 10-17-2005, 02:11 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Tools
Click Start->Run->Then Type "regedit"
Click File->Export and save a copy of your registry somewhere just in case
Then navigate to and delete the following entry:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nf syytsy

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

1. Checkmark/tick - Ignore Safe System Info Streams
2. Click Scan
3. When it has finished scanning, checkmark/tick all that it found
4. Click Remove Selected

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\untokuoitu.exe
    C:\Documents and Settings\Caroline\Application Data\Sskdmns.dll
    C:\Documents and Settings\Caroline\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Caroline\Application Data\Sskuknwrd.dll
    C:\WINDOWS\system32\efqmm.dll
    C:\WINDOWS\uhvokou.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Please go to Jotti Viruscan and upload the following files (one at a time):
C:\WINDOWS\SYSTEM32\identprv.dll
C:\WINDOWS\SYSTEM32\ride5.0.exe
C:\WINDOWS\SYSTEM32\wceprv.dll
C:\WINDOWS\ppc4Y

Please include the results of these scans in your next post.

Please run WinPFind again using the same directions as above.

In your next post please include:
  • A new Hijackthis! Log
  • WinPFind Log
  • Jotti results
Vikesrock8411 is offline  
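The steps in the post above are driven by reading particular classes of HijackThis entries (O4 autoruns, O23 services, the process list) and then comparing the log the poster sends back with the earlier one. As an added example, not part of this thread and not code from HijackThis, the following Python script parses log lines of that shape, flags the entries an analyst would verify by hand (services with no vendor string or a missing binary, Run entries given without a full path) and diffs two logs. The sample log is constructed from lines like those posted in this thread; the [uhvokou] Run entry and the "after cleanup" second log are constructed for the diff.

```python
"""Triage helper for HijackThis v1.99-style logs (added example, not from the thread)."""
import re

# Constructed sample in the shape of the logs posted in this thread. The
# [uhvokou] Run entry is constructed for the diff below; the others mirror
# entries that appear in the posted logs.
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:38:06 AM, on 9/2/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\uhvokou.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [uhvokou] C:\WINDOWS\uhvokou.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Constructed "after cleanup" log: the same scan with the uhvokou lines gone.
NEW_LOG = "\n".join(l for l in OLD_LOG.splitlines() if "uhvokou" not in l) + "\n"

# HijackThis entries look like "O23 - Service: ..." / "R1 - HKLM\..." / "F2 - ..."
HJT_ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Split a log into {'process': [...], 'R1': [...], 'O4': [...], 'O23': [...]}."""
    sections = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            sections.setdefault("process", []).append(line)
            continue
        m = HJT_ENTRY.match(line)
        if m:
            sections.setdefault(m.group("code"), []).append(m.group("body"))
    return sections


def triage(sections):
    """Return (reason, entry) pairs for entries an analyst should verify by hand.

    None of these is proof of infection (Rpcnet.exe, for instance, is the
    Computrace / LoJack for Laptops agent whose control also shows up in this
    thread's O16 entries); they are the entries worth hashing and submitting
    to a multi-engine scanner, as the helper asks for.
    """
    findings = []
    for body in sections.get("O23", []):
        if "(file missing)" in body:
            findings.append(("service path not present on disk", body))
        if "- Unknown owner -" in body:
            findings.append(("service binary has no vendor string", body))
    for body in sections.get("O4", []):
        if "Run: [" not in body:  # only registry Run entries have a [name] target
            continue
        target = body.split("] ", 1)[1].strip('"')
        # A bare file name is resolved through the search path at logon, so a
        # rogue copy earlier in the path would be loaded instead of the real one.
        if "\\" not in target:
            findings.append(("autorun target given without a full path", body))
    return findings


def diff_logs(old_text, new_text):
    """(added, removed) entries between two logs, ignoring the volatile process list."""
    def flat(sections):
        return {f"{code} - {body}" for code, items in sections.items()
                if code != "process" for body in items}
    old, new = flat(parse_hjt(old_text)), flat(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for reason, entry in triage(parse_hjt(OLD_LOG)):
        print(f"[{reason}] {entry}")
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("added:", added)
    print("removed:", removed)
```

Run it as-is to see the four flagged entries from the sample and the one Run entry that disappears between the two logs; to use it on real logs, pass the text of two saved HijackThis logs to `diff_logs` and the parsed "before" log to `triage`. The process list is excluded from the diff on purpose: it changes with every scan and says little, while the registry-backed entries are what the cleanup instructions actually target.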
Old 10-18-2005, 12:21 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Tomorrow I'm leaving for a week. I'm hoping we can get this done by today, but if you're unable to do it, I understand. It seems like we're at the tail end of this thing. I had no idea there were so many tools for cleaning out viruses/malware.

Here are the logs you requested:


==================== Hijack! This ==================

Logfile of HijackThis v1.99.1
Scan saved at 4:55:27 AM, on 9/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDMCon] C:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com/
O16 - DPF: {0AA2D4B3-27C3-42CB-B671-8B6CF97AE4FE} (TSAEButton Class) - https://old.cwinsider.com/cwi/frntd/...e/TSAEButn.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093027197912
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

====================== End Hijack! This ==================


==================== Jotti Scan ==================

File: identprv.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 b9dd481b02c60d045a82e5714797714d
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing



File: ride5.0.exe
Status: INFECTED/MALWARE
MD5 f18b5c115a867bec19df37af7098ae44
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found modification of BackDoor.Generic.1024, Adware.Casclient
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Embedded.Trojan-Dropper.Win32.Agent.mu (probable variant)



File: wceprv.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 abc3cd3be33cbecf4cff51b156567b1a
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


File: ppc4Y
Status: OK
MD5 4981e19041612a3f51d27e2e765b170b
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

======================== End Jotti Scan =================


=================== WinPFind ================

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 10/5/2005 10:56:12 AM 38912 C:\WINDOWS\mtuninst.exe

Checking %System% folder...
UPX! 7/19/2005 11:15:14 AM 286720 C:\WINDOWS\SYSTEM32\ctmweb.exe
PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/8/2004 12:02:34 PM 14336 C:\WINDOWS\SYSTEM32\diagdll.dll
UPX! 7/21/2005 1:01:58 PM 30720 C:\WINDOWS\SYSTEM32\identprv.dll
PECompact2 10/4/2005 7:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 7:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 10/5/2005 10:56:10 AM 137216 C:\WINDOWS\SYSTEM32\oins.exe
Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/24/2005 4:46:42 AM 374272 C:\WINDOWS\SYSTEM32\ride5.0.exe
winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 1/17/2002 2:52:00 PM 3584 C:\WINDOWS\SYSTEM32\wceprv.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/3/2005 10:17:30 AM S 2048 C:\WINDOWS\bootstat.dat
8/30/2005 5:18:50 AM H 24 C:\WINDOWS\ppc4Y
8/3/2005 5:36:08 AM H 0 C:\WINDOWS\inf\oem9.inf
8/2/2005 8:52:38 AM H 1024 C:\WINDOWS\repair\SAM.LOG
8/2/2005 8:52:40 AM H 1024 C:\WINDOWS\repair\SECURITY.LOG
8/2/2005 8:52:40 AM H 1024 C:\WINDOWS\repair\SOFTWARE.LOG
8/2/2005 8:52:44 AM H 1024 C:\WINDOWS\repair\SYSTEM.LOG
9/2/2005 6:44:52 AM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6752e343d22c025be1f290a6267a146d\BITC.tmp
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
10/4/2005 6:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
8/17/2005 7:19:32 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899589.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
7/25/2005 1046 PM S 33676 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB902400.cat
8/29/2005 9:25:44 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 11:48:28 AM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
9/4/2005 4:57:28 AM H 1024 C:\WINDOWS\system32\config\default.LOG
9/3/2005 10:17:36 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/4/2005 2:17:44 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/4/2005 4:57:28 AM H 1024 C:\WINDOWS\system32\config\software.LOG
9/4/2005 4:57:18 AM H 1024 C:\WINDOWS\system32\config\system.LOG
9/3/2005 3:02:04 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
8/3/2005 5:36:28 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
8/3/2005 5:36:24 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
8/3/2005 5:36:28 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
8/3/2005 5:36:24 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
8/2/2005 8:52:58 AM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
8/2/2005 8:52:58 AM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0885501c-e530-4625-b40c-a3db4603f3e3
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0bd5badc-886f-49cc-86f7-36e5c2a7ce64
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\15a32d92-3308-454c-87af-0da266a852d0
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\42aa6379-eb6d-4652-853c-019f55b7c612
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\654156c2-7946-4588-b2d4-32f673a572eb
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8df4fcde-1472-43a0-8da2-80916e86f7cd
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a1f02855-3488-46ab-b35f-5142c0deff06
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a918fc42-830d-4788-9ce5-2bdf24b3b061
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b41812f9-6f71-40fc-a162-c84e6b5f1c7e
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cdcecc26-2bbf-404c-b51a-c74a85dcb0e6
8/2/2005 8:53:44 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\dc829529-d943-4e1d-8998-58653d733f19
8/2/2005 8:53:44 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/3/2005 10:17:34 AM H 6 C:\WINDOWS\Tasks\SA.DAT
8/2/2005 8:58:32 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
8/2/2005 8:58:32 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2BBUM44J\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\8RSBUVEF\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GZIJK3MN\desktop.ini
8/30/2005 6:27:50 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Y9IV2ZQ7\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 5/14/2004 5:26:34 PM 14268928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 148992 C:\WINDOWS\SYSTEM32\tabletpc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 148992 C:\WINDOWS\SYSTEM32\dllcache\tabletpc.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2005 10:17:40 AM 2335 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
8/20/2004 9:10:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/25/2004 12:26:46 PM 1805 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
8/8/2005 6:32:28 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/20/2004 1:58:48 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/20/2004 9:10:16 AM HS 84 C:\Documents and Settings\Caroline\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/20/2004 1:58:48 AM HS 62 C:\Documents and Settings\Caroline\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender9\bdshelxt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TabletWizard C:\WINDOWS\help\SplshWrp.exe
TabletTip "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
SiS Windows KeyHook C:\WINDOWS\system32\keyhook.exe
SiSUSBRG C:\WINDOWS\SiSUSBrg.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe
SoundMan SOUNDMAN.EXE
SMSERIAL sm56hlpr.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
WinampAgent C:\Program Files\Winamp\winampa.exe
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

BDMCon C:\progra~1\softwin\bitdef~1\bdmcon.exe
BDOESRV "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
BDNewsAgent "C:\progra~1\softwin\bitdef~1\bdnagent.exe"
BDSwitchAgent "C:\progra~1\softwin\bitdef~1\bdswitch.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
AIM C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\loginkey
= C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TabBtnWL
= TabBtnWL.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpgwlnotify
= tpgwlnot.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs sockspy.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/4/2005 5:00:31 AM


============== End WinPFind ========================
SpikedPunchVctm is offline  
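A defender-side triage of the WinPFind packer listing above, added here as an example; it is neither WinPFind's code nor the analyst's method. It parses the "tag date time size path" rows, keeps only packer markers (treating UPX!, aspack, PECompact2 and PEC2 as packers is my assumption), and flags packed files under the Windows tree modified within 60 days of the log's scan date, noting timestamps later than that date. The sample rows are copied from the log; the allowlist is a constructed analyst input.

```python
"""Triage of a WinPFind packer listing: flag recently modified packed files under Windows.

Added example for this thread; it is not WinPFind's code and not the analyst's method.
Assumed row layout, taken from the log above: "<tag> <m/d/yyyy> <h:mm:ss AM|PM> <size> <path>".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: rows copied from the WinPFind output posted in this thread.
SAMPLE_LOG = r"""
Checking %WinDir% folder...
UPX! 10/5/2005 10:56:12 AM 38912 C:\WINDOWS\mtuninst.exe

Checking %System% folder...
UPX! 7/19/2005 11:15:14 AM 286720 C:\WINDOWS\SYSTEM32\ctmweb.exe
PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/8/2004 12:02:34 PM 14336 C:\WINDOWS\SYSTEM32\diagdll.dll
UPX! 7/21/2005 1:01:58 PM 30720 C:\WINDOWS\SYSTEM32\identprv.dll
PECompact2 10/4/2005 7:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 7:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 10/5/2005 10:56:10 AM 137216 C:\WINDOWS\SYSTEM32\oins.exe
Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/24/2005 4:46:42 AM 374272 C:\WINDOWS\SYSTEM32\ride5.0.exe
winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 1/17/2002 2:52:00 PM 3584 C:\WINDOWS\SYSTEM32\wceprv.dll
"""

# "Scan completed on 9/4/2005" in the log above; used as the reference point for recency.
REFERENCE_DATE = datetime(2005, 9, 4)

# Assumption: these WinPFind markers denote runtime packers; other markers (Umonitor,
# winsync, vendor names) are plain string hits and are not treated as packers.
PACKER_TAGS = frozenset({"UPX!", "aspack", "PECompact2", "PEC2"})
SYSTEM_DIRS = ("c:\\windows\\",)  # covers C:\WINDOWS and C:\WINDOWS\SYSTEM32

LINE_RE = re.compile(
    r"^(?P<tag>.+?) (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<size>\d+) (?P<path>[A-Za-z]:\\.+)$"
)


@dataclass(frozen=True)
class Entry:
    tag: str
    mtime: datetime
    size: int
    path: str


@dataclass(frozen=True)
class Finding:
    path: str
    mtime: datetime
    packers: tuple         # every packer marker WinPFind reported for this path
    after_reference: bool  # modified later than the scan date: clock skew, or worth a look


def parse_winpfind(text: str) -> list:
    """Return the packer/vendor rows; section headers and hidden-file rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        mtime = datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p")
        entries.append(Entry(m["tag"], mtime, int(m["size"]), m["path"]))
    return entries


def triage(entries, reference=REFERENCE_DATE, window_days=60, allowlist=frozenset()):
    """Packed files under the Windows tree modified within window_days of the reference date.

    allowlist: analyst-supplied full paths to ignore (constructed input, not a built-in list).
    """
    cutoff = reference - timedelta(days=window_days)
    ignored = {p.lower() for p in allowlist}
    findings = {}
    for e in entries:
        low = e.path.lower()
        if e.tag not in PACKER_TAGS or not low.startswith(SYSTEM_DIRS):
            continue
        if low in ignored or e.mtime < cutoff:
            continue
        prior = findings.get(low)
        packers = (prior.packers if prior else ()) + (e.tag,)
        findings[low] = Finding(e.path, e.mtime, packers, e.mtime > reference)
    # newest first: the most recently written packed binaries deserve the first look
    return sorted(findings.values(), key=lambda f: f.mtime, reverse=True)


def flagged_names(text, reference=REFERENCE_DATE, allowlist=frozenset()):
    """Convenience wrapper returning just the file names, newest first."""
    found = triage(parse_winpfind(text), reference, allowlist=allowlist)
    return [f.path.rsplit("\\", 1)[-1] for f in found]


if __name__ == "__main__":
    for f in triage(parse_winpfind(SAMPLE_LOG)):
        flag = " (dated after the scan)" if f.after_reference else ""
        print(f"{f.mtime:%Y-%m-%d %H:%M:%S}  {', '.join(f.packers):<18} {f.path}{flag}")
```

On the rows above, the file the analyst singles out (ride5.0.exe) surfaces alongside the other recently written packed binaries, which is the shortlist to verify by hash against the vendor before deleting anything.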
Old 10-18-2005, 12:22 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


btw, I'm leaving the computer on without rebooting it. It seems to help in that they don't try to recreate themselves.
SpikedPunchVctm is offline  
Old 10-18-2005, 12:56 PM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Quote:
I had no idea there were so many tools for cleaning out viruses/malware.
You haven't even scratched the surface of the abundance of tools made to get rid of this stuff. I have good news... and I have bad news.

Bad news first: You still have an infected file.
Good news: There's only one file left. And I don't need any more logs.


Launch KillBox.exe & select the following options:
  • Delete on Reboot
Select all the filenames below & then right-click & select Copy:
  • C:\WINDOWS\SYSTEM32\ride5.0.exe
  • Go to the File menu, and choose Paste from Clipboard.
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations' prompt.


Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off. Please post one more time even if you have no problems so we can mark this thread as resolved.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check Turn off System Restore or Turn off System Restore on all drives. Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Reboot your system.

To turn on System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:

Zone Alarm
Kerio
Sygate

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize", which helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources: run it once and you're all set. Spyware Guard is a real-time protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone, so feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.
Vikesrock8411 is offline  
Old 10-18-2005, 02:55 PM   #16 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 14
OS: XP Pro


Everything looks good. I ran a few scans on it, and they haven't detected anything. You read my mind on advice on how to further protect myself from future attacks. I've sent the info to everyone I know.

Thanks again for all your help. If karma is real, I think you just gained a few points.

~William
SpikedPunchVctm is offline  
Copyright 2001 - 2009, Tech Support Forum