Tech Support Forum - Resolved HJT Threads (resolved spyware and popup issues)

11-15-2005, 12:59 PM   #1
khelbena - Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP

Host file is being changed automagically

Hello, I have a PC that had the SpyAxe program on it, which I think I have removed, but I'm not quite sure, as my host file is being taken over automatically. I have run Spybot/Ad-Aware/Ewido in normal mode and in safe mode and cleaned everything they found. Obviously something is being missed somewhere. I am currently running Panda ActiveScan. Here is my HJT log.

Also, the host file is set to read-only.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:43 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wuauclt.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\system32\ntvdm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\FacetWin\fwagent.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\wuauclt.exe
C:\Agency Support\HijackThis.exe
C:\Windows\System32\msiexec.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O15 - Trusted Zone: *.csic.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: NameServer =
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


Edit: also, the following entries are needed:

O15 - Trusted Zone: *.csic.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab

Last edited by khelbena; 11-15-2005 at 01:13 PM.
11-15-2005, 06:58 PM   #2
tetonbob - Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home

Since you're running Panda ActiveScan already, please post that log when done, along with the results from Ewido's last run, so we can see what is/was there.

Also, have you edited out the domain name in the O17 entries? The CLSIDs are unknowns, and the lack of any IP addy or domain name is suspicious.

You seem to know a thing or two... so you probably know that some trojans will overwrite a hosts file. Until it is ID'd and removed, simply putting a new one in place will not work. There's nothing like that showing in the HJT log...

Do you use a custom hosts file? Or one from MVPS.org? We use this one:

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Once these questions are answered and we have the Panda and Ewido logs, we can go to work.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
11-16-2005, 07:57 AM   #3
khelbena - Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP

Yes, I removed the domain and IP address parts of the O17 entries; sorry, I forgot to mention that earlier.

I just use the standard Windows host file, with the only entry in it being 127.0.0.1 localhost, set to the read-only attribute.

Here is the Ewido report:

--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:56:08 AM, 11/16/2005
+ Report-Checksum: B940ED8D

+ Scan result:

C:\Agency Support\spyaxeremoval\illegal_adv_uninstaller1.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\agent2\Desktop\uninstallers.zip/illegal_adv_uninstaller1.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\agent2\Local Settings\Temporary Internet Files\Content.IE5\XRBFXHGE\uninstallers[1].zip/illegal_adv_uninstaller1.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


Here is the Panda report:

Incident                    Status           Location
Adware:adware/clickalchemy  No disinfected   C:\WINDOWS\alchem.ini
Adware:adware/spyaxe        No disinfected   Windows Registry


Here is the HJT log again:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:48 AM, on 11/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Windows\system32\ntvdm.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\FacetWin\fwagent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Agency Support\HijackThis.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.csic.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{16F2DAFF-BEE1-498A-877F-ADE1E15F8D59}: NameServer =
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

The O17 entries have also been edited. Once we get this cleaned, I will put your recommended host file in place.
11-16-2005, 08:30 AM   #4
tetonbob - Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home

I see nothing in those logs which should cause a hosts file to change... Let's have a deeper look.

First, delete this file:

C:\WINDOWS\alchem.ini

If it resists deletion, reboot into safe mode and delete it from there.

Perform an online scan with Internet Explorer with

Kaspersky Online Scanner

Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

Next, download StartDreck: http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

How is the system behaving in general now? Any redirects, popups...?
Last edited by tetonbob; 11-16-2005 at 08:31 AM.

11-16-2005, 09:09 AM   #5
khelbena - Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP

OK, installing the Kaspersky Labs scanner; the install of the definitions is taking a while. Will post the appropriate logs when finished.

The system is running much better; I haven't had any pop-ups today so far. It's also faster with opening programs and responsiveness. The host file is still being modified, though. And when I run any type of scanner, i.e. Spybot, Ad-Aware, etc., it will still pick up one or two things, which I remove. Seems like there is this "hidden" thing on there which is causing the problem and is adding these one or two miscellaneous items back on there.

Will post the new logs as soon as I get the Kaspersky scanner done.
11-16-2005, 12:05 PM   #6
khelbena - Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP

Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 13:53:51
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150392
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
S:\

Scan Statistics:
Total number of scanned objects: 40687
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 5559 sec

Infected Object Name - Virus Name


Scan process completed.

Here is the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-11-16 @ 14:00:40 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as agent1 at CSI0007-PC1

Registry
Run Keys
Current User
Run
RunOnce
Default User
Run
RunOnce
Local Machine
Run
*CPQEASYACC=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
*Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*ChkAdmin=C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
*HPDJ Taskbar Utility=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
*CSISetup=S:\PCSetup\disk1\setup.exe -fdailysetup.ins
*McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
*ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
*WinVNC="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
*WinPatrol=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
*IgfxTray=C:\Windows\System32\igfxtray.exe
*HotKeysCmds=C:\Windows\System32\hkcmd.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
RunOnce
RunServices
*CPQDFWAG=C:\Windows\Cpqdiag\CpqDfwAg.exe
RunServicesOnce
RunOnceEx
RunServicesOnceEx
File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\Windows\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
Browser Helper Objects (LM)
Internet Explorer
Current User
*Local Page=C:\Windows\SYSTEM32\blank.htm
*Search Bar=http://search.msn.com/spbasic.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com/
+SearchUrl
*provider=
Default User
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=C:\Windows\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
Special NT Values
Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
Files
Autostart Folders
Current User
*C:\Documents and Settings\agent2\Start Menu\Programs\Startup\desktop.ini
Default User
*C:\Windows\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
Local Machine
*C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\desktop.ini
*C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\FacetWin Agent.lnk
INI-Files
WIN.INI\[windows]
*LOAD=
*RUN=
SYSTEM.INI\[boot]
*SHELL=Explorer.exe
Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\Windows
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\Windows\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\Windows\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\Windows\wininit.ini
`[Rename]
`NUL=C:\DOCUME~1\agent2\LOCALS~1\Temp\randreco.exe
*C:\Windows\System32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\Windows\System32\win.com
*C:\Windows\explorer.exe
%PATH% Companion Files
+C:\Windows\System32\notepad.exe
*C:\Windows\NOTEPAD.EXE
+C:\Windows\System32\taskman.exe
*C:\Windows\TASKMAN.EXE
+C:\Windows\System32\winhlp32.exe
*C:\Windows\winhlp32.exe
+C:\PROGRA~1\REFLEC~1\Aping.exe
*C:\Program Files\Reflection\Aping.exe
*C:\Program Files\Reflection\Aping.exe
+C:\PROGRA~1\REFLEC~1\Apingd.exe
*C:\Program Files\Reflection\Apingd.exe
*C:\Program Files\Reflection\Apingd.exe
+C:\PROGRA~1\REFLEC~1\cnectwiz.exe
*C:\Program Files\Reflection\cnectwiz.exe
*C:\Program Files\Reflection\cnectwiz.exe
+C:\PROGRA~1\REFLEC~1\ed3270db.exe
*C:\Program Files\Reflection\ed3270db.exe
*C:\Program Files\Reflection\ed3270db.exe
+C:\PROGRA~1\REFLEC~1\ed5250db.exe
*C:\Program Files\Reflection\ed5250db.exe
*C:\Program Files\Reflection\ed5250db.exe
+C:\PROGRA~1\REFLEC~1\Edit3270.exe
*C:\Program Files\Reflection\Edit3270.exe
*C:\Program Files\Reflection\Edit3270.exe
+C:\PROGRA~1\REFLEC~1\Edit5250.exe
*C:\Program Files\Reflection\Edit5250.exe
*C:\Program Files\Reflection\Edit5250.exe
+C:\PROGRA~1\REFLEC~1\Hllsetup.exe
*C:\Program Files\Reflection\Hllsetup.exe
*C:\Program Files\Reflection\Hllsetup.exe
+C:\PROGRA~1\REFLEC~1\langset.exe
*C:\Program Files\Reflection\langset.exe
*C:\Program Files\Reflection\langset.exe
+C:\PROGRA~1\REFLEC~1\lpdserv.exe
*C:\Program Files\Reflection\lpdserv.exe
*C:\Program Files\Reflection\lpdserv.exe
+C:\PROGRA~1\REFLEC~1\Nthlltsr.exe
*C:\Program Files\Reflection\Nthlltsr.exe
*C:\Program Files\Reflection\Nthlltsr.exe
+C:\PROGRA~1\REFLEC~1\R8win.exe
*C:\Program Files\Reflection\R8win.exe
*C:\Program Files\Reflection\R8win.exe
+C:\PROGRA~1\REFLEC~1\rbd240ex.exe
*C:\Program Files\Reflection\rbd240ex.exe
*C:\Program Files\Reflection\rbd240ex.exe
+C:\PROGRA~1\REFLEC~1\rbd240fx.exe
*C:\Program Files\Reflection\rbd240fx.exe
*C:\Program Files\Reflection\rbd240fx.exe
+C:\PROGRA~1\REFLEC~1\rbd240gx.exe
*C:\Program Files\Reflection\rbd240gx.exe
*C:\Program Files\Reflection\rbd240gx.exe
+C:\PROGRA~1\REFLEC~1\rbd240jx.exe
*C:\Program Files\Reflection\rbd240jx.exe
*C:\Program Files\Reflection\rbd240jx.exe
+C:\PROGRA~1\REFLEC~1\Rdoshll.exe
*C:\Program Files\Reflection\Rdoshll.exe
*C:\Program Files\Reflection\Rdoshll.exe
+C:\PROGRA~1\REFLEC~1\Receive.exe
*C:\Program Files\Reflection\Receive.exe
*C:\Program Files\Reflection\Receive.exe
+C:\PROGRA~1\REFLEC~1\rftpc.exe
*C:\Program Files\Reflection\rftpc.exe
*C:\Program Files\Reflection\rftpc.exe
+C:\PROGRA~1\REFLEC~1\RLinks.exe
*C:\Program Files\Reflection\RLinks.exe
*C:\Program Files\Reflection\RLinks.exe
+C:\PROGRA~1\REFLEC~1\rnlpd.exe
*C:\Program Files\Reflection\rnlpd.exe
*C:\Program Files\Reflection\rnlpd.exe
+C:\PROGRA~1\REFLEC~1\rnlpr.exe
*C:\Program Files\Reflection\rnlpr.exe
*C:\Program Files\Reflection\rnlpr.exe
+C:\PROGRA~1\REFLEC~1\rnPing.exe
*C:\Program Files\Reflection\rnPing.exe
*C:\Program Files\Reflection\rnPing.exe
+C:\PROGRA~1\REFLEC~1\Rvd.exe
*C:\Program Files\Reflection\Rvd.exe
*C:\Program Files\Reflection\Rvd.exe
+C:\PROGRA~1\REFLEC~1\Send.exe
*C:\Program Files\Reflection\Send.exe
*C:\Program Files\Reflection\Send.exe
+C:\PROGRA~1\REFLEC~1\Sfxlate.exe
*C:\Program Files\Reflection\Sfxlate.exe
*C:\Program Files\Reflection\Sfxlate.exe
+C:\PROGRA~1\REFLEC~1\Snaeng.exe
*C:\Program Files\Reflection\Snaeng.exe
System/Drivers
Running Processes
+0=<idle>
+4=<system>
+616=\SystemRoot\System32\smss.exe
+680=\??\C:\Windows\system32\csrss.exe
+704=\??\C:\Windows\system32\winlogon.exe
+748=C:\Windows\system32\services.exe
+760=C:\Windows\system32\lsass.exe
+928=C:\Windows\system32\svchost.exe
+1032=C:\Windows\System32\svchost.exe
+1192=C:\Windows\System32\svchost.exe
+1224=C:\Windows\System32\svchost.exe
+1348=C:\Windows\system32\spoolsv.exe
+1456=C:\COMPAQ\ACLIENT\ACLIENT.exe
+1484=C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
+1500=C:\Windows\Cpqdiag\Cpqdfwag.exe
+1512=C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
+1540=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1576=C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
+1624=C:\Program Files\Network Associates\VirusScan\Mcshield.exe
+1648=C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
+1684=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1728=C:\Windows\System32\NMSSvc.exe
+1804=C:\Windows\System32\wdfmgr.exe
+2016=C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
+128=C:\Program Files\RealVNC\WinVNC\WinVNC.exe
+316=C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
+648=C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
+1772=C:\Windows\Explorer.EXE
+2108=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
+2120=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
+2148=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
+2168=C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
+2188=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
+2556=C:\Windows\system32\ntvdm.exe
+2568=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
+2576=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
+2620=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
+2648=C:\Windows\System32\igfxtray.exe
+2660=C:\Windows\System32\hkcmd.exe
+2672=C:\FacetWin\fwagent.exe
+2684=C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
+2692=C:\Compaq\EAKDRV\EAUSBKBD.EXE
+2708=C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
+3968=C:\Windows\System32\wuauclt.exe
+3384=C:\Agency Support\startdreck\StartDreck.exe
VMM32Files (LM)
%System%\VMM32
%System%\IOSUBSYS
Application specific
MS Office 97/8.0 STARTUP-PATH
Current User
Default User
Local Machine
ICQ NetDetect
Current User
Default User
Old 11-16-2005, 12:35 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home


Open C:\Windows\wininit.ini in Notepad and edit out the following lines, then save and close:

[Rename]
NUL=C:\DOCUME~1\agent2\LOCALS~1\Temp\randreco.exe


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* Download WinPFind http://www.bleepingcomputer.com/files/winpfind.php
o Double click on WinPFind and unzip it to your Desktop.
o Don't do anything with it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Double click WinPFind.exe

* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
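The `[Rename]` section quoted above follows the wininit.ini convention `destination=source`, where a destination of `NUL` means "delete the source at next boot" rather than move it. As an added example (not code from the thread or the helper), the Python parser below lists such pending operations and flags any that delete or install an executable out of a Temp folder; the first sample entry is the one from the post, the second is constructed.

```python
"""List and triage wininit.ini [Rename] operations (added example).

Windows 9x processes wininit.ini at boot; NT-based systems use the registry
value PendingFileRenameOperations instead, so on XP an entry like this is
acted on only if some program processes the file itself. Either way, the
entry records an intent to delete or move a file, which is worth reading.
"""

# Constructed sample: the first line is the entry quoted in the thread,
# the second is a made-up rename out of a Temp folder for contrast.
SAMPLE_WININIT = r"""
[Rename]
NUL=C:\DOCUME~1\agent2\LOCALS~1\Temp\randreco.exe
C:\Windows\System32\example.dll=C:\Windows\Temp\example.tmp
"""

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")


def parse_rename_section(text):
    """Return the [Rename] operations as a list of dicts.

    A hand-written loop is used instead of configparser because the keys are
    file paths (mixed case, '~', ':') and NUL may legitimately appear as the
    key of several lines, which configparser would reject as duplicates.
    """
    ops = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        delete = dest.upper() == "NUL"
        ops.append({
            "action": "delete" if delete else "rename",
            "source": src,
            "destination": None if delete else dest,
            "from_temp": any(m in src.lower() for m in TEMP_MARKERS),
        })
    return ops


def flagged(ops):
    """Operations worth a second look: anything sourced from a Temp folder
    that deletes or installs an executable."""
    return [
        op for op in ops
        if op["from_temp"] and (
            op["source"].lower().endswith(EXEC_EXT)
            or (op["destination"] or "").lower().endswith(EXEC_EXT)
        )
    ]


if __name__ == "__main__":
    for op in parse_rename_section(SAMPLE_WININIT):
        mark = "FLAG" if op in flagged([op]) else "    "
        print(f"{mark} {op['action']:6s} {op['source']} -> {op['destination']}")
```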
Old 11-16-2005, 01:43 PM   #8 (permalink)
Member
 
Join Date: Apr 2005
Posts: 35
OS: WIN XP



OK, deleted the entry in the wininit.ini file.

Ran the cleanup program.

Rebooted into safe mode and ran the WinPFind program.

Here is the WinPFind Log

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...
aspack 2/23/2005 4:51:28 PM 3504602 C:\CSIHomeValuation.EXE

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/17/2001 3:00:00 PM 41397 C:\Windows\SYSTEM32\dfrg.msc
PTech 8/29/2005 1:27:12 PM 520968 C:\Windows\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\Windows\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\Windows\SYSTEM32\MRT.exe
Umonitor 8/28/2002 9:41:10 AM 631808 C:\Windows\SYSTEM32\rasdlg.dll
winsync 8/17/2001 3:00:00 PM 1309184 C:\Windows\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\Windows\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/16/2005 3:29:56 PM S 2048 C:\Windows\bootstat.dat
11/16/2005 3:30:00 PM S 64 C:\Windows\CSC\00000001
9/19/2005 3:48:30 PM H 10820 C:\Windows\Help\update.GID
11/15/2005 3:33:22 PM H 0 C:\Windows\LastGood\INF\codecs10.inf
11/15/2005 3:33:22 PM H 0 C:\Windows\LastGood\INF\codecs10.PNF
11/15/2005 3:33:18 PM H 0 C:\Windows\LastGood\INF\DRM10.inf
11/15/2005 3:33:18 PM H 0 C:\Windows\LastGood\INF\DRM10.PNF
11/15/2005 436 PM H 0 C:\Windows\LastGood\INF\ip6fw.inf
11/15/2005 436 PM H 0 C:\Windows\LastGood\INF\ip6fw.PNF
11/15/2005 3:34:18 PM H 0 C:\Windows\LastGood\INF\MPCD10.inf
11/15/2005 3:34:18 PM H 0 C:\Windows\LastGood\INF\MPCD10.PNF
11/15/2005 3:33:10 PM H 0 C:\Windows\LastGood\INF\MPPRE10.inf
11/15/2005 3:33:10 PM H 0 C:\Windows\LastGood\INF\MPPRE10.PNF
11/15/2005 3:34:20 PM H 0 C:\Windows\LastGood\INF\MPSTUB10.inf
11/15/2005 3:34:20 PM H 0 C:\Windows\LastGood\INF\MPSTUB10.PNF
11/15/2005 2:34:20 PM H 0 C:\Windows\LastGood\INF\oem49.inf
11/15/2005 2:34:20 PM H 0 C:\Windows\LastGood\INF\oem49.PNF
11/15/2005 3:23:48 PM H 0 C:\Windows\LastGood\INF\oem50.inf
11/15/2005 3:23:48 PM H 0 C:\Windows\LastGood\INF\oem50.PNF
11/15/2005 3:36:18 PM H 0 C:\Windows\LastGood\INF\oem51.inf
11/15/2005 3:36:18 PM H 0 C:\Windows\LastGood\INF\oem51.PNF
11/15/2005 434 PM H 0 C:\Windows\LastGood\INF\p2p.inf
11/15/2005 436 PM H 0 C:\Windows\LastGood\INF\p2p.PNF
11/15/2005 4:23:50 PM H 0 C:\Windows\LastGood\INF\q823353.inf
11/15/2005 4:23:50 PM H 0 C:\Windows\LastGood\INF\q823353.PNF
11/15/2005 3:33:36 PM H 0 C:\Windows\LastGood\INF\WMDM10.inf
11/15/2005 3:33:36 PM H 0 C:\Windows\LastGood\INF\WMDM10.PNF
11/15/2005 3:33:26 PM H 0 C:\Windows\LastGood\INF\WMFSDK10.inf
11/15/2005 3:33:26 PM H 0 C:\Windows\LastGood\INF\WMFSDK10.PNF
11/15/2005 3:33:48 PM H 0 C:\Windows\LastGood\INF\WMP10.inf
11/15/2005 3:33:48 PM H 0 C:\Windows\LastGood\INF\WMP10.PNF
11/15/2005 3:34:24 PM H 0 C:\Windows\LastGood\INF\WMSET10.inf
11/15/2005 3:34:24 PM H 0 C:\Windows\LastGood\INF\WMSET10.PNF
11/15/2005 3:33:40 PM H 0 C:\Windows\LastGood\INF\WPD10.inf
11/15/2005 3:33:40 PM H 0 C:\Windows\LastGood\INF\WPD10.PNF
11/15/2005 3:33:44 PM H 0 C:\Windows\LastGood\INF\wpdmtp.inf
11/15/2005 3:33:44 PM H 0 C:\Windows\LastGood\INF\wpdmtp.PNF
10/5/2005 8:33:38 PM S 12849 C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 1:16:36 PM S 20086 C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
9/28/2005 11:53:30 AM S 17402 C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/16/2005 3:29:54 PM H 8192 C:\Windows\system32\config\default.LOG
11/16/2005 3:30:10 PM H 1024 C:\Windows\system32\config\SAM.LOG
11/16/2005 3:29:58 PM H 16384 C:\Windows\system32\config\SECURITY.LOG
11/16/2005 3:30:30 PM H 131072 C:\Windows\system32\config\software.LOG
11/16/2005 3:30:20 PM H 868352 C:\Windows\system32\config\system.LOG
11/15/2005 3:43:08 PM H 1024 C:\Windows\system32\config\systemprofile\NTUSER.DAT.LOG
11/15/2005 2:49:38 PM HS 67 C:\Windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
11/15/2005 2:49:38 PM HS 67 C:\Windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\012Z0167\desktop.ini
11/15/2005 2:49:38 PM HS 67 C:\Windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4NX3T0M2\desktop.ini
11/15/2005 2:49:38 PM HS 67 C:\Windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5QVJ26H3\desktop.ini
11/15/2005 2:49:38 PM HS 67 C:\Windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FI4IXKQS\desktop.ini
11/15/2005 3:03:48 PM HS 388 C:\Windows\system32\Microsoft\Protect\S-1-5-18\f3c102f4-f222-4c0c-b882-79ed3938af0c
11/15/2005 3:03:48 PM HS 24 C:\Windows\system32\Microsoft\Protect\S-1-5-18\Preferred
10/14/2005 8:24:46 AM HS 388 C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\c1af805a-b863-420b-9849-6b90c9849458
10/14/2005 8:24:46 AM HS 24 C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\Preferred
11/16/2005 3:29:18 PM H 6 C:\Windows\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/17/2001 3:00:00 PM 66048 C:\Windows\SYSTEM32\access.cpl
Microsoft Corporation 5/30/2003 4:17:20 PM 579584 C:\Windows\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/28/2002 9:41:28 AM 129024 C:\Windows\SYSTEM32\desk.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 150016 C:\Windows\SYSTEM32\hdwwiz.cpl
Intel Corporation 6/21/2005 4:46:18 PM 94208 C:\Windows\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/28/2002 9:41:28 AM 292352 C:\Windows\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/28/2002 9:41:28 AM 121856 C:\Windows\SYSTEM32\intl.cpl
Microsoft Corporation 8/28/2002 9:41:28 AM 65536 C:\Windows\SYSTEM32\joy.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 187904 C:\Windows\SYSTEM32\main.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 559616 C:\Windows\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 35840 C:\Windows\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 256000 C:\Windows\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 36864 C:\Windows\SYSTEM32\nwc.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 36864 C:\Windows\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 109056 C:\Windows\SYSTEM32\powercfg.cpl
Intel Corporation 3/25/2002 12:34:42 AM 765952 C:\Windows\SYSTEM32\PROSetp.cpl
Microsoft Corporation 8/28/2002 9:41:28 AM 268288 C:\Windows\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 28160 C:\Windows\SYSTEM32\telephon.cpl
Microsoft Corporation 8/17/2001 3:00:00 PM 90112 C:\Windows\SYSTEM32\timedate.cpl
Compaq Computer Corporation 4/30/2002 2:42:46 AM 106496 C:\Windows\SYSTEM32\UICONFIG.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\Windows\SYSTEM32\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/16/2001 3:44:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
6/1/2004 7:54:20 AM 509 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FacetWin Agent.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/16/2001 3:35:02 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/3/2004 11:03:30 AM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/16/2001 3:44:48 PM HS 84 C:\Documents and Settings\agent2\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/16/2001 3:35:02 PM HS 62 C:\Documents and Settings\agent2\Application Data\desktop.ini
11/19/2002 4:58:56 PM 0 C:\Documents and Settings\agent2\Application Data\dm.ini
8/24/2004 12:39:48 PM 22456 C:\Documents and Settings\agent2\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
ChkAdmin C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
HPDJ Taskbar Utility C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
CSISetup S:\PCSetup\disk1\setup.exe -fdailysetup.ins
McAfeeUpdaterUI "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
ShStatEXE "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
WinVNC "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
IgfxTray C:\Windows\System32\igfxtray.exe
HotKeysCmds C:\Windows\System32\hkcmd.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
CPQDFWAG C:\Windows\Cpqdiag\CpqDfwAg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/16/2005 3:36:08 PM
Old 11-16-2005, 03:13 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home


I'm going to take a bit more time analyzing the WinPFind log, but in the meantime, overwrite your existing hosts file with the one I've linked you to earlier.

Reboot, and see if it holds.

Also, please do this:

I know you've run adaware...please go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.
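The advice to overwrite the hosts file and "see if it holds" can be checked mechanically rather than by waiting for popups. As an added example (not code from the thread or the helper), the Python script below compares a hosts file against a known-good baseline, reports added or dropped entries and duplicates, and flags names mapped to anything other than loopback; both hosts files are constructed samples, and the baseline stands in for the replacement file linked earlier in the thread.

```python
"""Hosts-file baseline check (added example, not from the thread).

Normalises two hosts files, reports what the current one adds or drops
relative to the baseline, and singles out entries that send a name somewhere
other than loopback: a 127.0.0.1 entry only blackholes a name, while a
mapping to any other address silently reroutes traffic.
"""
import hashlib
import ipaddress
from collections import Counter

# Constructed sample: a minimal known-good baseline (hypothetical stand-in
# for the replacement hosts file the helper linked to).
BASELINE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

# Constructed sample of a hosts file after tampering: repeated blocklist-style
# entries of the kind seen in the thread's log, plus one non-loopback redirect.
SUSPECT_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.hotbar.com
127.0.0.1 hotbar.com
127.0.0.1 www.hotbar.com
127.0.0.1 hotbar.com
203.0.113.7 www.example-update.test   # constructed redirect
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, skipping comments,
    blank lines and malformed lines. Hostnames are lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # no hostname on this line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def fingerprint(text):
    """SHA-256 over the normalised entry set, so a cosmetic edit does not
    count as a change but any new or altered mapping does."""
    canon = "\n".join(sorted(f"{ip} {name}" for ip, name in set(parse_hosts(text))))
    return hashlib.sha256(canon.encode()).hexdigest()


def check_hosts(current_text, baseline_text):
    """Compare a hosts file against a baseline and summarise the findings."""
    current = parse_hosts(current_text)
    current_set = set(current)
    baseline = set(parse_hosts(baseline_text))
    counts = Counter(current)
    return {
        "unchanged": fingerprint(current_text) == fingerprint(baseline_text),
        "added": sorted(current_set - baseline),
        "missing": sorted(baseline - current_set),
        # Anything not pointing at loopback reroutes rather than blocks.
        "redirects": sorted(
            (ip, name) for ip, name in current_set
            if not ipaddress.ip_address(ip).is_loopback
        ),
        "duplicates": sorted(e for e, n in counts.items() if n > 1),
    }


if __name__ == "__main__":
    report = check_hosts(SUSPECT_HOSTS, BASELINE_HOSTS)
    print("unchanged since baseline:", report["unchanged"])
    for key in ("added", "missing", "redirects", "duplicates"):
        for ip, name in report[key]:
            print(f"{key:10s} {ip:15s} {name}")
```

Keep the fingerprint of the freshly installed file; if a later run reports a different fingerprint, something on the machine is still rewriting the file.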
Old 11-17-2005, 06:17 AM   #10 (permalink)
Member
 
Join Date: Apr 2005
Posts: 35
OS: WIN XP



OK, downloaded the VX2 plugin and ran it; it came back clean.

Ran another scan of Ad-Aware with the settings from greyknight's site. It came back clean.

I installed the new hosts file and rebooted; waiting to see if it changes.
Old 11-17-2005, 08:21 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home


I've found nothing in the WinPFind log...how is your system behaving now, please?
Old 11-17-2005, 01:47 PM   #12 (permalink)
Member
 
Join Date: Apr 2005
Posts: 35
OS: WIN XP


Great

Have had no popups and have not received any messages that the hosts file has been changed either.

I will pronounce this thread resolved and I want to thank you for your excellent help with this.

Feel free to mark this as resolved.

Thanks.
Old 11-17-2005, 02:14 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,543
OS: 2000 Pro; XP Pro; XP Home


Well done. Your logs are clean. Any more issues? If not, you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!
  • AVG

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles


Please respond to this thread one more time so we can mark this thread as resolved.
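The MVPS explanation above turns on one distinction: a blocklist-style HOSTS entry points a name at 127.0.0.1 (or 0.0.0.0) so the connection never leaves the machine, whereas the hijack this thread was about rewrites the same file to cut the machine off from update and removal-tool sites, or to point a familiar name at an address the attacker controls. The script below is an added example, not code from this thread or from any of the tools it recommends: it parses a HOSTS file, flags both patterns, and prints a fingerprint of the effective mappings that can be compared after a reboot to tell whether the file was silently changed again. The sample file contents and the watchlist of domains that must stay reachable are constructed for the illustration and are assumptions to adjust for your own environment.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

Added example; not code from the forum thread. SAMPLE_HOSTS and
PROTECTED_DOMAINS are constructed for this illustration (assumptions).
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass

# Constructed watchlist (assumption): names a HOSTS entry should never
# override, because sinkholing them is how malware blocks updates and
# removal tools. Extend it with your own vendors.
PROTECTED_DOMAINS = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "lavasoft.com",
    "safer-networking.org",
)

# Constructed sample (assumption): legitimate blocklist entries next to the
# two attacker patterns, sinkholing security sites and redirecting a popular
# name to a routable address.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
# blocklist-style entries: sinkholed to the local machine, harmless
0.0.0.0         ads.example-adserver.test
127.0.0.1       tracker.example-adnet.test
# hijack-style entries
127.0.0.1       www.lavasoft.com download.lavasoft.com
127.0.0.1       windowsupdate.microsoft.com
203.0.113.10    www.google.com   # redirect to a routable address
"""


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a HOSTS file.
    '#' starts a comment, fields are whitespace-separated, and one address
    may be followed by several hostnames on the same line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield line_no, fields[0], host.lower()


def is_protected(host):
    """True if host is, or is a subdomain of, a protected domain."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Return a list of Finding objects for suspicious mappings."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(line_no, ip, host, "unparseable address"))
            continue
        # Blocklist files (such as the MVPS file) map names to 127.0.0.1 or
        # 0.0.0.0, so the connection never leaves the machine. Anything else
        # is a redirect: the browser lands on whatever that address serves.
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append(Finding(line_no, ip, host,
                                    "redirects to non-loopback address"))
        elif is_protected(host):
            findings.append(Finding(line_no, ip, host,
                                    "blocks a protected update/security domain"))
    return findings


def fingerprint(text):
    """SHA-256 over the effective mappings only, so comment or spacing
    changes do not alter it; compare across reboots to spot tampering."""
    mappings = "\n".join(f"{ip} {host}" for _, ip, host in parse_hosts(text))
    return hashlib.sha256(mappings.encode()).hexdigest()


if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # no real file here: use the constructed sample
    print("fingerprint:", fingerprint(text))
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.ip} {f.hostname} -> {f.reason}")
```

Run it once right after installing a known-good HOSTS file and keep the fingerprint; if the value differs on the next check while the file was supposed to be read-only, something with write access to the file (or the ability to clear the attribute) is still running, and the findings list shows which names it touched. On the constructed sample the script reports the two lavasoft.com names and windowsupdate.microsoft.com as blocked protected domains and www.google.com as a redirect, and nothing for the two ad-server entries.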
Old 11-21-2005, 09:12 AM   #14 (permalink)
Member
 
Join Date: Apr 2005
Posts: 35
OS: WIN XP


?

Hey TetonBob,
Sorry I had to go out of town last week and wasn't able to reply to this.

Thanks for the great job with helping me clean this up. Please move this to the resolved section if you haven't already.
 


All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum