Old 02-15-2006, 09:08 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


nasty spyware infection

Hello

I'd been running smoothly for a couple of months with no spyware problems of any kind, until my brother downloaded something that came packed with a multitude of spyware. In his haste, he attempted to delete LimeWire but ended up making things worse, and now not only do I have to put up with pop-ups, I also have to endure seeing LimeWire attempt to run by itself every minute or so and have a pop-up window alert me that the installation is corrupt and that I need to reinstall the program. I tried to do this, but the installation can't be completed.

I would appreciate any help you could provide
Thanks in advance

Here is my HijackThis log. I tried to run the analyzer, but it tells me I have to update it and the link it takes me to is down.

Logfile of HijackThis v1.99.1
Scan saved at 10:36:23 PM, on 02/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Y29tcHVzYQ\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win3208957-1335187.exe
C:\windows\winsysban8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\LimeWire\LimeWire.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\socks.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd8.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3208957-1335187] C:\WINDOWS\win3208957-1335187.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yqrqcc.exe reg_run
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban8.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwintsap.exe CORN001
O4 - HKLM\..\RunServices: [System Support] syscfg.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "compusa"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwintsap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O4 - Global Startup: pwgw.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\jt6207joe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y29tcHVzYQ\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Once again, thanks!
manowar is offline  
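The HijackThis log above is a plain-text format that can be triaged mechanically before anyone reads it line by line. The Python below is an added example, not code from this thread or from HijackThis: it parses the O4 (Run key and Startup folder) and O23 (service) lines, pulls out the executable path, and applies a few defender-side heuristics that this particular log illustrates: a bare filename with no directory (resolved through the search path), an executable sitting directly in C:\WINDOWS or in the drive root, a long run of digits in the name, a service with an unknown owner, and a directory component that is valid base64 decoding to printable text (the `Y29tcHVzYQ` folder in the cmdService path decodes to `compusa`). The sample lines are copied from the log above; the flag names and thresholds are my own choices, and each flag is a prompt to look closer rather than a verdict, since legitimate OEM utilities such as mHotkey.exe also run from C:\WINDOWS on this machine.

```python
import base64
import binascii
import re

# Sample input: lines copied from the HijackThis log in post #1 of this thread
# (a constructed subset, so the script runs offline).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [win3208957-1335187] C:\WINDOWS\win3208957-1335187.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwintsap.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y29tcHVzYQ\command.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# HijackThis line shapes handled here: Run-key entries, Startup shortcuts, services.
O4_RUN_RE = re.compile(r"^O4 - .+?: \[[^\]]*\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<vendor>.+?) - (?P<cmd>.+)$")
# Take everything up to the first ".exe" (optional leading quote dropped); HijackThis
# prints unquoted paths that contain spaces, so splitting on whitespace would fail.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)
# Unpadded base64 alphabet, at least 8 characters long (heuristic threshold of my own).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}$")


def parse_entry(line):
    """Return (command, vendor) for an O4 or O23 line, or None for any other line."""
    for rx in (O4_RUN_RE, O4_LNK_RE):
        m = rx.match(line)
        if m:
            return m.group("cmd"), None
    m = O23_RE.match(line)
    if m:
        return m.group("cmd"), m.group("vendor")
    return None


def base64_decodes_to_text(component):
    """Return the decoded text if `component` is base64 for printable ASCII, else None."""
    if not B64_RE.match(component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if len(text) >= 4 and text.isprintable() else None


def flag_path(path):
    """Apply the location/name heuristics to one executable path; returns a list of flags."""
    flags = []
    parts = [p for p in re.sub(r"\\+", r"\\", path).split("\\") if p]
    if len(parts) == 1:
        flags.append("no_path")  # bare filename: whatever the search path finds first runs
    else:
        directory = [p.lower() for p in parts[:-1]]
        if directory == ["c:"]:
            flags.append("drive_root")
        elif directory == ["c:", "windows"]:
            flags.append("windows_root")
        for comp in parts[1:-1]:
            decoded = base64_decodes_to_text(comp)
            if decoded:
                flags.append(f"base64_dir={decoded}")
    if re.search(r"\d{4,}", parts[-1]):
        flags.append("random_digits")
    return flags


def triage(log_text):
    """Return {executable_path: [flags]} for every O4/O23 entry that raised a flag."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        cmd, vendor = entry
        m = EXE_RE.match(cmd.strip())
        if not m:
            continue
        path = m.group("path")
        flags = flag_path(path)
        if vendor == "Unknown owner":
            flags.append("unknown_owner")
        if flags:
            findings[path] = flags
    return findings


if __name__ == "__main__":
    for path, flags in triage(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(flags)}")
```

Run against the full log from post #1, the same rules would also pick out winsysban8.exe, SYSC00.exe and the bare winlog.exe and syscfg.exe entries, while leaving the Symantec, Apple and Adobe entries unflagged; the Network Monitor service would surface only through its "Unknown owner" vendor field.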

Old 02-16-2006, 01:51 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.
  • From the l2mfix folder, double click l2mfix.bat
  • Select option #2 for Run Fix by typing 2 and then pressing enter ONCE.
Do NOT depress any keys on your keyboard until the tool requests you to "press any key to reboot".

On reboot, Notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open, double-click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-DOS applications - you will need to visit this website to download additional files.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 02-17-2006, 06:56 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


L2MFIX LOG

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 448 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 520 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3832 'explorer.exe'
Killing PID 3832 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\m646lghs1646.dll
Successfully Deleted: C:\WINDOWS\system32\m646lghs1646.dll
Deleting: C:\WINDOWS\system32\rIsdlg.dll
Successfully Deleted: C:\WINDOWS\system32\rIsdlg.dll
Deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\m646lghs1646.dll
C:\WINDOWS\system32\rIsdlg.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{01B19996-D33C-46B5-A0F3-38A522B55635}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{01B19996-D33C-46B5-A0F3-38A522B55635}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{01B19996-D33C-46B5-A0F3-38A522B55635}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{01B19996-D33C-46B5-A0F3-38A522B55635}\InprocServer32]
@="C:\\WINDOWS\\system32\\amisynth.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvwebdvd.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{01B19996-D33C-46B5-A0F3-38A522B55635}"=-
"{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}"=-
[-HKEY_CLASSES_ROOT\CLSID\{01B19996-D33C-46B5-A0F3-38A522B55635}]
[-HKEY_CLASSES_ROOT\CLSID\{743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/guard.tmp (188 bytes security) (deflated 4%)
adding: dlls/m646lghs1646.dll (188 bytes security) (deflated 5%)
adding: dlls/rIsdlg.dll (188 bytes security) (deflated 4%)
adding: backregs/01B19996-D33C-46B5-A0F3-38A522B55635.reg (188 bytes security) (deflated 70%)
adding: backregs/743AEFA7-6B7D-4CE0-8F06-B5EAA7492C67.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (188 bytes security) (deflated 54%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

HIJACK THIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 8:59:20 PM, on 02/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Y29tcHVzYQ\command.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSC00.exe
C:\windows\winsysban9.exe
C:\WINDOWS\ms045187957-133.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\PROGRA~1\COMMON~1\iooi\iooim.exe
C:\PROGRA~1\COMMON~1\iooi\iooia.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\eee2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\webHancer\programs\whAgent.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsxE.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmqsdi.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\socks.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yqrqcc.exe reg_run
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames9.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwintsap.exe CORN001
O4 - HKLM\..\Run: [ms045187957-133] C:\WINDOWS\ms045187957-133.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [3464] c:\windows\eee2.exe
O4 - HKLM\..\RunServices: [System Support] syscfg.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "compusa"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [iooi] C:\PROGRA~1\COMMON~1\iooi\iooim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwintsap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O4 - Global Startup: pwgw.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y29tcHVzYQ\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

As you can see, I'm loaded with spyware... Thanks for your help.
manowar is offline  
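The L2MFix log above dumps the Winlogon\Notify key as a regedit export, and several of its `DllName` values are stored as `hex(2)` (REG_EXPAND_SZ, UTF-16LE bytes wrapped across backslash-continued lines), which is hard to read by eye when the question is simply "which DLLs get loaded into winlogon.exe at logon?". The Python below is an added example, not part of this thread or of L2MFix: it joins the continuation lines, decodes both the quoted-string and the `hex(2)` forms, and lists each Notify subkey's DLL against an allow-list. The sample export copies two subkeys from the log above and adds a constructed ShellScrap subkey carrying the `jt6207joe.dll` name from the O20 line in post #1 (its `Logoff` value is made up). The allow-list is my assumption: the stock XP notify DLLs present in this export plus Intel's igfxsrvc.dll from the same O20 line; a name outside it is a review item, not automatically malicious.

```python
import re

# Constructed sample: two Winlogon\Notify subkeys copied from the L2MFix export in
# post #3, plus a ShellScrap subkey built here to mirror the O20 line in post #1
# (its DllName is hex(2)-encoded "jt6207joe.dll"; the Logoff value is invented).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):6a,00,74,00,36,00,32,00,30,00,37,00,6a,00,6f,00,65,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logoff"="ShellScrapLogoff"
"""

# Assumed allow-list: the stock XP notify packages seen in this thread's export,
# plus Intel's graphics notify DLL from the O20 line in post #1. Extend per machine.
KNOWN_GOOD = frozenset({
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll",
})

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _logical_lines(text):
    """Yield .reg lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_reg_value(data):
    """Decode the right-hand side of a .reg value line.

    Handles quoted REG_SZ strings, hex(2) REG_EXPAND_SZ (UTF-16LE, NUL-terminated)
    and dword; anything else is returned as the raw text.
    """
    if data.startswith('"') and data.endswith('"'):
        # .reg strings escape backslashes and double quotes with a backslash
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def notify_dlls(reg_text):
    """Return {notify_subkey: dll_name} for every Winlogon\\Notify subkey in the export."""
    result = {}
    current = None
    for line in _logical_lines(reg_text):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = key.rsplit("\\", 1)[-1] if "\\Winlogon\\Notify\\" in key else None
            continue
        m = VALUE_RE.match(line)
        if m and current and m.group("name").lower() == "dllname":
            result[current] = decode_reg_value(m.group("data"))
    return result


def unexpected_notify_dlls(reg_text, allowed=KNOWN_GOOD):
    """Subset of notify_dlls() whose DLL name is not on the allow-list (case-insensitive)."""
    return {k: v for k, v in notify_dlls(reg_text).items() if v.lower() not in allowed}


if __name__ == "__main__":
    for subkey, dll in notify_dlls(SAMPLE_REG).items():
        mark = "" if dll.lower() in KNOWN_GOOD else "   <-- not on allow-list"
        print(f"{subkey:14s} {dll}{mark}")
```

Applied to the real export in the L2MFix log above, every DllName decodes to one of crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll or sclgntfy.dll, and no ShellScrap subkey is present, even though post #1's O20 line still listed one; that difference is exactly the kind of before/after check worth making on the Notify key before rebooting.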
Old 02-18-2006, 12:14 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * *

Let's do this first..




Download and unzip - bfu.zip
Run the program and click the Web button located on the top right corner

Copy/Paste this url into the address bar of the Download script window:

http://metallica.geekstogo.com/alcanshorty.bfu


Execute the script by clicking the Execute button.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download LSPFix.exe

WinPfind.zip - download & extract the contents to its own folder at the root of drive C

Please download AproposFix.exe

TrackQoo.zip

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Command Service (cmdService)
  2. Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  4. In the popup box that appears, copy/paste cmdService
  5. Click on the OK button & answer No if prompted to reboot

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsxE.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmqsdi.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\socks.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yqrqcc.exe reg_run
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] c:\\gimmygames9.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwintsap.exe CORN001
O4 - HKLM\..\Run: [ms045187957-133] C:\WINDOWS\ms045187957-133.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [3464] c:\windows\eee2.exe
O4 - HKLM\..\RunServices: [System Support] syscfg.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [iooi] C:\PROGRA~1\COMMON~1\iooi\iooim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwintsap.exe
O4 - Global Startup: pwgw.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab



* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\WINDOWS\Y29tcHVzYQ\command.exe
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\SYSC00.exe
    C:\windows\winsysban9.exe
    C:\WINDOWS\ms045187957-133.exe
    c:\windows\eee2.exe
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\system32\nsxE.dll
    C:\WINDOWS\system32\irsmqsdi.dll
    C:\WINDOWS\system32\syscfg.exe
    C:\WINDOWS\system32\socks.exe
    C:\Program Files\outlook\
    C:\WINDOWS\system32\winlog.exe
    C:\windows\winsysupd9.exe
    C:\WINDOWS\system32\yqrqcc.exe
    c:\gimmygames9.exe
    C:\WINDOWS\system32\nwintsap.exe
    C:\WINDOWS\system32\wintask.exe
    C:\WINDOWS\system32\mmxp2passion.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\nwintsap.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Internet Optimizer
    webHancer
    Toolbar888
    TheSearchAccelerator
    Network
    VCClient
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\Internet Optimizer\
    C:\Program Files\webHancer\
    C:\Program Files\Toolbar888\
    C:\Program Files\TheSearchAccelerator\
    C:\Program Files\Network\
    C:\Program Files\Common Files\VCClient\
    C:\PROGRA~1\COMMON~1\iooi\
    C:\WINDOWS\Y29tcHVzYQ\

* * * * * *


Run a scan with Hijackthis, verify if these entries still exist:
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer


If they exist, we would be required to run LSPFix.exe

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes.
    In the left pane which is labeled 'Keep', select all instances of this file:
    • Webhdll.dll
  4. Then click on the arrow pointing to the right, >>.
    This will move the entry to the right pane labeled 'Remove'
  5. Click the Finish button to complete the fix.
Only entries similar to Webhdll.dll need to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane & post the filenames to inform me.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, it would create a log.txt file in the aproposfix folder.


* * * * * *


Run Ewido with its updated definitions: (it's important that all windows are closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * DEEP SCAN * * * * * * * * * * * * * * * * * * * *


1. From within the WinPFind folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


From within TrackQoo.zip, double-click on TrackQoo1.vbs. Wait a few seconds and a notepad page will pop up, Copy & Paste those results in your next reply.
* If your Antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this Entire Script to Run, it's harmless!

In your next post, please include fresh logs from:
  • L2Mfix's log
  • HiJackThis log
  • Online Scan
  • Ewido
  • WinPfind
  • TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
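The post above turns a set of flagged HijackThis entries (O2/O3/O4/O20/O23 lines) into a KillBox "delete on reboot" file list, with bare filenames such as syscfg.exe mapped to C:\WINDOWS\system32\. The script below is an added example that does that mapping mechanically; it is not code from the thread or from the HijackThis project. The sample log lines and the flagged names are constructed for illustration (they reuse entry shapes seen in this thread), and the system32 fallback for bare filenames is an assumption carried over from the helper's list, which on a real machine should be confirmed by locating the file on disk.

```python
"""
Parse HijackThis v1.99-style log lines into records and derive the file list for a
'delete on reboot' pass, the way a helper turns flagged entries into a KillBox list.
Added example; not code from the thread or from the HijackThis project.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: the same entry shapes that appear in the thread's logs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwintsap.exe
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vcsixoo.exe
"""

# Constructed set of entry names a helper decided to remove (by the [name] / display name).
FLAGGED_NAMES = {"System Support", "outlook", "Zeno.lnk", "BHObj Class", "URL",
                 "Windows Overlay Components"}

SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
# Unquoted command line: the path ends at the first executable-looking extension.
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|tmp|scr|com|ocx))(?:\s|$)", re.I)
MISSING_TAG = "(file missing)"
SYSTEM32 = r"C:\WINDOWS\system32"  # assumption: where a bare filename is expected to live


@dataclass
class HjtEntry:
    section: str          # R0, O2, O4, O23, ...
    where: str            # registry location, hook kind or "Service"
    name: str             # [name] of an O4 entry, or the display name
    path: Optional[str]   # file the entry points at, if any
    missing: bool         # HijackThis reported "(file missing)"
    raw: str


def command_to_path(cmd: str):
    """Reduce a command line to the file it launches; returns (path, missing)."""
    cmd = cmd.strip()
    missing = cmd.endswith(MISSING_TAG)
    if missing:
        cmd = cmd[: -len(MISSING_TAG)].strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the quote
        path = cmd[1:].partition('"')[0]
    else:                                        # rundll32-style commands need manual review
        m = EXE_RE.match(cmd)
        path = m.group(1) if m else cmd.split(" ")[0]
    if "\\" not in path:                         # bare filename: assumed under system32
        path = SYSTEM32 + "\\" + path
    return path, missing


def parse_line(line: str) -> Optional[HjtEntry]:
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec.startswith("R"):                      # registry value: key = data (no file)
        key, _, _data = body.partition(" = ")
        return HjtEntry(sec, "registry", key, None, False, line)
    if sec == "O4":                              # loc: [name] cmd | loc: x.lnk = cmd | loc: file
        where, _, rest = body.partition(": ")
        if rest.startswith("["):
            name, _, cmd = rest[1:].partition("] ")
        elif " = " in rest:
            name, _, cmd = rest.partition(" = ")
        else:
            name, cmd = rest, rest
        path, missing = command_to_path(cmd)
        return HjtEntry(sec, where, name, path, missing, line)
    if sec in ("O2", "O3", "O9", "O20", "O21", "O23"):  # kind: name - [clsid/owner -] path
        where, _, rest = body.partition(": ")
        head, _, tail = rest.rpartition(" - ")
        path, missing = command_to_path(tail)
        return HjtEntry(sec, where, head.split(" - ")[0], path, missing, line)
    return HjtEntry(sec, "", body, None, False, line)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def killbox_list(entries, flagged_names):
    """Files to queue for delete-on-reboot from the flagged entries. Entries whose file
    is already missing only need the HijackThis fix, so their names come back separately."""
    present, gone = {}, []
    for e in entries:
        if e.name not in flagged_names or e.path is None:
            continue
        if e.missing:
            gone.append(e.name)
        else:
            present.setdefault(e.path.lower(), e.path)   # Windows paths: dedupe case-insensitively
    return sorted(present.values(), key=str.lower), gone


if __name__ == "__main__":
    paths, gone = killbox_list(parse_log(SAMPLE_LOG), FLAGGED_NAMES)
    print("\n".join(paths))
    for name in gone:
        print("fix only, file already missing:", name)
```

Running it prints the five paths the flagged entries resolve to, plus a note that the O20 "URL" entry has no file left to delete and only needs the HijackThis fix.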
Old 02-20-2006, 10:59 AM   #5 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Ok, one question before I proceed...
I accidentally erased the My Pictures folder, meaning I emptied the recycle bin with it in it...really stupid mistake! I am really hoping to be able to recover it because I have many pictures, videos, and other data in it that is very valuable to me. My question is, if I perform the steps above do I risk wiping out the files completely and losing all chances of recovering them? If so, I would have to wait until I recover the folder (if it's possible...) before I keep on cleaning my system.
By the way, do you know any free online program that can recover files that have been erased? I really need some help here.

As always, thank you!
manowar is offline  
Old 02-20-2006, 11:04 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


If you intend to recover that folder, STOP using this computer now. Shut it down. Further usage reduces the chance of any recovery.

Then use another computer to do a Google search for free file recovery. I found this from the net.

http://www.pcinspector.de/file_recovery/uk/download.htm

We'll continue, once you have recovered your folder
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 04-01-2006, 08:07 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Hello, sorry for the delay, but I've been extremely busy.
It's been a long time....I recovered a few files but the majority were lost. I also ran Ad-Aware and deleted some of the spyware I found and now my computer boots on again, but I know there's still a zillion things to fix. I would greatly appreciate if you could help me out....here's a new log from today:


Logfile of HijackThis v1.99.1
Scan saved at 8:57:35 PM, on 04/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\vcsixoo.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\Network\ipnetwork.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\ms0687957-13351.exe
C:\windows\mousepad7.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\win3208957-1335187.exe
C:\WINDOWS\ms05187957-1335.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\errorhandler.exe
C:\PROGRA~1\COMMON~1\SMANTE~1\arpa.exe
C:\Documents and Settings\compusa\Application Data\s?stem32\l?***.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CManager\CManager.exe
C:\DOCUME~1\compusa\LOCALS~1\Temp\cinfo.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{C1263025-7507-ED31-660A-69BE43ECF559} - (no file)
R3 - URLSearchHook: (no name) - _{3F6A142D-85C5-DB37-9D09-AF98CE10A2EE} - (no file)
R3 - URLSearchHook: (no name) - _{0B47242D-A8F5-9905-B03D-EBB588248FAF} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xcajacv.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmqsdi.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Support] syscfg.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\socks.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [loader.exed482a.exeR] C:\WINDOWS\system32\loader.exed482a.exeR
O4 - HKLM\..\Run: [tusgpc] C:\WINDOWS\system32\tusgpc.exe
O4 - HKLM\..\Run: [ms0687957-13351] C:\WINDOWS\ms0687957-13351.exe
O4 - HKLM\..\Run: [sys011335187957-] C:\WINDOWS\sys011335187957-.exe
O4 - HKLM\..\Run: [NNSCAG638.EXE.org] C:\WINDOWS\system32\NNSCAG638.EXE.org
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mcspy.exeion.exeg] C:\WINDOWS\system32\mcspy.exeion.exeg
O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINDOWS\system32\wrapperouter.exeg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [win3208957-1335187] C:\WINDOWS\win3208957-1335187.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [ms05187957-1335] C:\WINDOWS\ms05187957-1335.exe
O4 - HKLM\..\Run: [win320957-13351879] C:\WINDOWS\win320957-13351879.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [w00b8150.dll] RUNDLL32.EXE w00b8150.dll,I2 000116f8000b8150
O4 - HKLM\..\Run: [vcsixooA] C:\WINDOWS\vcsixooA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [{AA-A6-60-0B-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwinlrag.exe CORN001
O4 - HKLM\..\RunServices: [System Support] syscfg.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "compusa"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [System Support] syscfg.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\compusa\order_afja.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\SMANTE~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [Pmn] C:\Documents and Settings\compusa\Application Data\s?stem32\l?***.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinlrag.exe
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - C:\WINDOWS\SYSTEM32\directpt.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\ampjakcp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vcsixoo.exe

Thank you!
manowar is offline  
Old 04-01-2006, 10:38 PM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Try to do frequent data backups...just in case disaster strikes, like you have here...

OK, do the steps that sUBs gave you earlier. We need those logs when you are done.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 04-06-2006, 02:38 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Ok guys, thanks for your patience....here it goes:

Kaspersky Log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, April 06, 2006 6:33:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 5/04/2006
Kaspersky Anti-Virus database records: 186274
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 107279
Number of viruses found: 210
Number of infected objects: 1509
Number of suspicious objects: 0
Duration of the scan process: 02:23:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\compusa\drsmartload529a.exe Infected: Trojan-Downloader.Win32.Adload.s skipped
C:\Documents and Settings\compusa\ps.exe Infected: Trojan-Dropper.Win32.Agent.mf skipped
C:\Documents and Settings\compusa user\Application Data\WіnSxS\mmc.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
C:\Documents and Settings\niñas\My Documents\My eBooks\thecrowamp.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Documents and Settings\niñas\My Documents\My eBooks\thecrowamp.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\Documents and Settings\niñas\My Documents\My eBooks\thecrowamp.exe/WISE0023.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
C:\Documents and Settings\niñas\My Documents\My eBooks\thecrowamp.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\niñas\ps.exe Infected: Trojan-Dropper.Win32.Agent.mf skipped
C:\hijackthis\backups\backup-20060326-233519-154.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
C:\hijackthis\backups\backup-20060326-233519-233.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\krw1dn.exe Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\NNSCAA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Common Files\CMEII\GDwldEng.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\Program Files\Common Files\CMEII\GStore.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\Program Files\Common Files\CMEII\GStoreServer.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\Program Files\Common Files\csshare\plugins0942\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Common Files\GMT\GatorRes.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\Program Files\Common Files\GMT\GUninstaller.exe Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00015.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00016.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00017.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00018.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Fxelg\Jprvln.exe Infected: Trojan.Win32.Small.cy skipped
C:\Program Files\Jalmp\jalmp.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Program Files\Jalmp\uninstall.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Program Files\Mozilla Firefox\l2mfix\dlls\m646lghs1646.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Mozilla Firefox\plugins\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.aw skipped
C:\Program Files\Norton AntiVirus\Quarantine\00210569 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\01140BA0 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\01205561 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0198574B Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\01B15548.exe/data0002 Infected: Trojan.Win32.Registrator.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\01B15548.exe/data0003 Infected: Trojan-Downloader.Win32.Small.aly skipped
C:\Program Files\Norton AntiVirus\Quarantine\01B15548.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\01B15548.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\01F94A21 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\021F2558 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\025F4028 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\025F41FE Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02612684.exe/data0002 Infected: Trojan.Win32.Registrator.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\02612684.exe/data0003 Infected: Trojan-Downloader.Win32.Small.aly skipped
C:\Program Files\Norton AntiVirus\Quarantine\02612684.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\02612684.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\026F13E0 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\027E5BE5 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02C53630 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\031E7550 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\032B2C38 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\032C4C06 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\03B95BC9 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\041E4548 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\046D22D2 Infected: not-a-virus:AdWare.Win32.WebSearch.af skipped
C:\Program Files\Norton AntiVirus\Quarantine\04CC73E9 Infected: not-a-virus:AdWare.Win32.Apropos.i skipped
C:\Program Files\Norton AntiVirus\Quarantine\053A53E7 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\05FE5600 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\06644C08 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\066523D4 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\069F36AA Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\069F3BAE Infected: Trojan.Win32.StartPage.nk skipped
C:\Program Files\Norton AntiVirus\Quarantine\06CA420F Infected: Trojan-Downloader.Win32.Agent.hw skipped
C:\Program Files\Norton AntiVirus\Quarantine\06E47F62 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\07083769 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\071C0353 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\07313817 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\07586FC6 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\07707760 Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Program Files\Norton AntiVirus\Quarantine\0773215D Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\07764B59 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\077A7556 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\083B5E1D Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\085270DB Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\08E94E3E Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\091E5CEA Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\09301EBB Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\097F13F9 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\09E72DCD Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0AD92DC5 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\0B8D74CE Infected: not-a-virus:AdWare.Win32.EliteBar.z skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C5A25E3 Infected: not-a-virus:AdWare.Win32.SideFind skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CA4479E Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CB5032E Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E04515E Infected: not-a-virus:AdWare.Win32.Wintol.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E290965 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E55722F Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E980870 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\0EA65076 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0EBC6836 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F243922 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F554097 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\10112289 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\118F11FF Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\11F50806 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\11F65FD3 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\11F97FC1 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\12547D63/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\12547D63 NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\12547D63 CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\125B7E0E/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\125B7E0E/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\125B7E0E NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\125B7E0E CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\12704688 Infected: Trojan-Downloader.Win32.Agent.lg skipped
C:\Program Files\Norton AntiVirus\Quarantine\12AC3F52 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\12AD46CA Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\12C17415 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Norton AntiVirus\Quarantine\12C30D36.exe Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\13123559 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\13350450 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\135A7B89 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\13E22CDA Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\142E3F06 Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\144822E1 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\14783237 Infected: Trojan-Downloader.Win32.Wintool.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\14AF18E9 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\14DF5FA5 Infected: Trojan-Downloader.Win32.IstBar.ij skipped
C:\Program Files\Norton AntiVirus\Quarantine\151242CF Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\1524235A/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer skipped
C:\Program Files\Norton AntiVirus\Quarantine\1524235A WiseSFX: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1524235A WiseSFX Dropper: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1524235A CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\16F22657 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\18246D4A Infected: not-a-virus:AdWare.Win32.Wintol.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\189953D8.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\19E62E2D Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\19F250CC Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A0909C8.class Infected: Trojan.Java.ClassLoader.z skipped
manowar is offline  
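A triage note on the Kaspersky log above, with an added example that is not code from this thread or from any of the tools used in it. Every "Infected:" hit shown sits under C:\Program Files\Norton AntiVirus\Quarantine\, so those files were already isolated by Norton and the online scanner is only re-reading quarantine blobs; the lines that matter for cleanup are any hits outside a quarantine folder. The script below parses lines in that log's format, tallies the malware families, and separates quarantined hits from live ones. The sample lines are constructed for the example (shapes copied from the post, plus one hypothetical non-quarantine path, C:\WINDOWS\example_live.exe, that does not appear in the thread); the "\Quarantine\" path test is an assumption that fits the entries shown.

```python
"""Triage a Kaspersky online-scanner log (added example, not from the thread).

Answers the two questions a responder asks first:
  1. which families are present and how many copies of each, and
  2. how many hits are files already isolated inside another product's
     quarantine folder (neutralised) versus live files that still need action.
"""
import re
from collections import Counter

# Constructed sample. The first six lines copy the shape of entries in the
# post; the last line is a hypothetical live hit that is NOT in the thread.
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\069F3BAE Infected: Trojan.Win32.StartPage.nk skipped
C:\Program Files\Norton AntiVirus\Quarantine\07083769 Infected: P2P-Worm.Win32.Krepper.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C5A25E3 Infected: not-a-virus:AdWare.Win32.SideFind skipped
C:\Program Files\Norton AntiVirus\Quarantine\12547D63/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\12547D63 NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\189953D8.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\WINDOWS\example_live.exe Infected: Trojan-Downloader.Win32.Wintool.a skipped
"""

# Per-file verdict lines: "<path> Infected: <verdict> skipped".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# Assumption: a path component named "Quarantine" marks an already-isolated file.
QUARANTINE_RE = re.compile(r"\\quarantine\\", re.IGNORECASE)
RISKWARE_PREFIX = "not-a-virus:"


def parse_verdict(verdict):
    """Split a Kaspersky verdict into (family, variant, is_riskware).

    Names follow Behaviour.Platform.Name[.variant]; the optional
    'not-a-virus:' prefix marks adware/riskware rather than malware.
    """
    is_riskware = verdict.startswith(RISKWARE_PREFIX)
    if is_riskware:
        verdict = verdict[len(RISKWARE_PREFIX):]
    parts = verdict.split(".")
    if len(parts) >= 4:
        return ".".join(parts[:3]), ".".join(parts[3:]), is_riskware
    return verdict, "", is_riskware


def parse_log(text):
    """Yield (path, verdict) for each per-file detection line.

    Container summary lines such as '... NSIS: infected - 1 skipped' only
    repeat a hit already reported for a member (path/data0002), so they do
    not match the pattern and are not double counted.
    """
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("verdict")


def triage(text):
    """Return counts by family plus the list of hits outside any quarantine."""
    families = Counter()
    live_paths = []
    quarantined = riskware = 0
    for path, verdict in parse_log(text):
        family, _variant, is_riskware = parse_verdict(verdict)
        families[family] += 1
        riskware += int(is_riskware)
        if QUARANTINE_RE.search(path):
            quarantined += 1
        else:
            live_paths.append((path, verdict))
    total = sum(families.values())
    return {
        "total": total,
        "quarantined": quarantined,
        "live": total - quarantined,
        "riskware": riskware,
        "families": families,
        "live_paths": live_paths,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections, {report['quarantined']} already in another AV's quarantine")
    for family, n in report["families"].most_common():
        print(f"  {n:3d}  {family}")
    for path, verdict in report["live_paths"]:
        print(f"ACT ON: {path}  ({verdict})")
```

Run against the real log, the "live" list is what to hand back to the helper; the quarantine hits can be cleared by emptying Norton's quarantine rather than by deleting files by hand.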
Old 04-06-2006, 11:35 PM   #10 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Disregard the earlier post. I sent the Kaspersky log as an attachment because it is too long to copy and paste.

OK guys, thanks for your patience... here it goes:


AproposFix Log

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\compusa user\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

-------------------------------------------------------------------------
Ewido Log

I had some problems running Ewido and had to run the program 3 times. It stopped working, so I had to reinstall it and let it scan again, but I do not have the log.
----------------------------------------------------------------------
Winpfind

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 4/1/2006 8:15:56 AM 467968 C:\visfx500.exe
qoologic 4/2/2006 8:04:20 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/19/2006 9:43:28 AM 70910 C:\WINDOWS\51=L.exe
UPX! 3/8/2006 5:02:36 PM 70910 C:\WINDOWS\7020.exe
UPX! 8/22/2004 6:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 2/24/2006 10:27:58 PM 24296 C:\WINDOWS\icont.exe
aspack 2/22/2006 7:18:16 PM 84480 C:\WINDOWS\kl1.exe
UPX! 2/26/2006 9:37:24 PM 70910 C:\WINDOWS\letn.exe
UPX! 2/19/2006 11:13:10 AM 70910 C:\WINDOWS\seli.exe
FSG! 2/22/2006 7:21:06 PM 26714 C:\WINDOWS\tool3.exe
UPX! 3/8/2006 5:01:46 PM 189942 C:\WINDOWS\whCC-GIANT.exe

Checking %System% folder...
UPX! 2/17/2006 9:25:44 PM 45568 C:\WINDOWS\SYSTEM32\0o8w6vci.dll
UPX! 10/7/2005 1:14:52 PM 308224 C:\WINDOWS\SYSTEM32\avisynth.dll
FSG! 4/7/2005 8:53:00 PM 398742 C:\WINDOWS\SYSTEM32\Clgqctk1.xml
PEC2 3/8/2006 5:00:24 PM 67072 C:\WINDOWS\SYSTEM32\cloudsim.exe
PECompact2 3/8/2006 5:00:24 PM 67072 C:\WINDOWS\SYSTEM32\cloudsim.exe
aspack 3/18/2005 6:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 4:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
WinShutDown 3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\SYSTEM32\dn2801fue.dll
ad-w-a-r-e.com 3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\SYSTEM32\dn2801fue.dll
WinShutDown 4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\SYSTEM32\dnns0157e.dll
ad-w-a-r-e.com 4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\SYSTEM32\dnns0157e.dll
WinShutDown 3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\SYSTEM32\e8202ifmg82a2.dll
ad-w-a-r-e.com 3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\SYSTEM32\e8202ifmg82a2.dll
PEC2 2/22/2006 7:21:30 PM 22016 C:\WINDOWS\SYSTEM32\eaioeiib.exe
WinShutDown 4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\SYSTEM32\en02l1do1.dll
ad-w-a-r-e.com 4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\SYSTEM32\en02l1do1.dll
WinShutDown 3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\SYSTEM32\en8ql1l51.dll
ad-w-a-r-e.com 3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\SYSTEM32\en8ql1l51.dll
UPX! 4/1/2006 8:11:28 AM 1375912 C:\WINDOWS\SYSTEM32\expload.exe
WinShutDown 4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\SYSTEM32\fp2603fse.dll
ad-w-a-r-e.com 4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\SYSTEM32\fp2603fse.dll
WinShutDown 4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\SYSTEM32\ir8ul5l91.dll
ad-w-a-r-e.com 4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\SYSTEM32\ir8ul5l91.dll
WinShutDown 4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\SYSTEM32\jt2o07f3e.dll
ad-w-a-r-e.com 4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\SYSTEM32\jt2o07f3e.dll
WinShutDown 3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\SYSTEM32\ldgif13n.dll
ad-w-a-r-e.com 3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\SYSTEM32\ldgif13n.dll
PECompact2 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/3/2002 3:02:58 AM 491520 C:\WINDOWS\SYSTEM32\NCTAudioFile.dll
aspack 12/15/2003 12:43:18 PM 657920 C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
aspack 12/3/2002 4:07:08 AM 168448 C:\WINDOWS\SYSTEM32\NCTAudioPlayer.dll
aspack 12/3/2002 3:11:10 AM 143872 C:\WINDOWS\SYSTEM32\NCTWMAFile.dll
UPX! 1/27/2006 4:41:22 PM 84480 C:\WINDOWS\SYSTEM32\nsa15.dll
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsf108.dll
UPX! 1/18/2006 5:19:02 PM 84480 C:\WINDOWS\SYSTEM32\nso3F.dll
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsy13.dll
FSG! 4/23/2005 9:27:58 AM 398742 C:\WINDOWS\SYSTEM32\Nsytplk1.xml
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsz10B.dll
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 3:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2/26/2006 9:37:18 PM 224768 C:\WINDOWS\SYSTEM32\realarcade_seedcorn_stub.exe
FSG! 4/22/2005 3:21:02 PM 398742 C:\WINDOWS\SYSTEM32\Rotqwsk1.xml
UPX! 4/1/2006 8:23:08 AM 51712 C:\WINDOWS\SYSTEM32\w00b8150.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 2/14/2006 6:30:38 PM 239440 C:\WINDOWS\SYSTEM32\whCC-CLICK.exe
aspack 12/28/2005 5:33:44 PM H 699392 C:\WINDOWS\SYSTEM32\wodfamoh.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/4/2006 3:58:58 PM S 2048 C:\WINDOWS\bootstat.dat
4/1/2006 8:18:54 AM S 50688 C:\WINDOWS\NDNuninstall6_38.exe
4/1/2006 8:23:38 AM S 183296 C:\WINDOWS\NDNuninstall7_22.exe
4/1/2006 11:01:44 PM H 54156 C:\WINDOWS\QTFont.qfn
4/1/2006 8:19:42 AM R S 0 C:\WINDOWS\system32\d8j02i1mg8.dll
3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\system32\dn2801fue.dll
4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\system32\dnns0157e.dll
3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\system32\e8202ifmg82a2.dll
4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\system32\en02l1do1.dll
3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\system32\en8ql1l51.dll
4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\system32\fp2603fse.dll
4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\system32\ir8ul5l91.dll
4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\system32\jt2o07f3e.dll
3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\system32\ldgif13n.dll
4/4/2006 3:58:46 PM H 8192 C:\WINDOWS\system32\config\default.LOG
4/4/2006 3:59:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/4/2006 3:59:00 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
4/4/2006 4:13:30 PM H 73728 C:\WINDOWS\system32\config\software.LOG
4/4/2006 3:59:14 PM H 1064960 C:\WINDOWS\system32\config\system.LOG
3/17/2006 4:02:02 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/24/2006 10:13:00 PM S 20551 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
2/24/2006 10:12:58 PM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
2/24/2006 10:13:00 PM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
2/24/2006 10:12:58 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
3/17/2006 7:27:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd7685ff-5ec1-4f68-a8ea-ed3244dac518
3/17/2006 7:27:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
4/4/2006 3:57:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc. 6/29/2002 7:05:00 PM 617984 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 11/2/2004 10:01:34 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/4/2005 3:36:44 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 3:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 3:12:00 AM 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Avance Logic, Inc. 6/29/2002 7:05:00 PM 617984 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\ALSNDMGR.CPL
Intel Corporation 7/1/2004 12:00:42 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/31/2005 12:29:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/31/2004 10:44:20 PM 694 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connection Manager.lnk
2/11/2003 4:48:02 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/11/2003 8:36:24 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 3:05:04 PM 1802 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
2/11/2003 4:48:02 PM HS 84 C:\Documents and Settings\compusa user\Start Menu\Programs\Startup\desktop.ini
4/1/2006 5:17:00 PM 676 C:\Documents and Settings\compusa user\Start Menu\Programs\Startup\Zeno.lnk

Checking files in %USERPROFILE%\Application Data folder...
2/11/2003 8:36:24 AM HS 62 C:\Documents and Settings\compusa user\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{C408B91E-9283-4425-8473-C0222B3802FF} = C:\WINDOWS\system32\guard.tmp
{1FD167D2-E7B9-4011-972D-E53966F4D4D9} = C:\WINDOWS\system32\iGlmdd5.dll
{27A344CD-40C4-4586-88B6-2D4CA6782CE7} = C:\WINDOWS\system32\onbcbcp.dll
{FFB12E6E-D597-4AA3-9A81-102E204EC7D7} =
{596C2A12-B54C-4709-AECE-8523D5C2522A} =
{D8A995D2-14CA-4FAB-B72A-7CF161AAFF17} =
{B2D09079-32A6-498E-AC88-B7368F0B632B} = C:\WINDOWS\system32\guard.tmp

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CoreShellAgent
{516EC4D3-4AD9-11D5-AA6A-00E0189008B3} = C:\PROGRA~1\CORECO~1\THECOR~1\System\CORESH~1.CLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4ABF810A-F11D-4169-9D5F-7D274F2270A1}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
CHotkey mHotkey.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
loadadv64 C:\WINDOWS\system32\loadadv64
loader.exed482a.exeR C:\WINDOWS\system32\loader.exed482a.exeR
tusgpc C:\WINDOWS\system32\tusgpc.exe
ms0687957-13351 C:\WINDOWS\ms0687957-13351.exe
sys011335187957- C:\WINDOWS\sys011335187957-.exe
NNSCAG638.EXE.org C:\WINDOWS\system32\NNSCAG638.EXE.org
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
win3208957-1335187 C:\WINDOWS\win3208957-1335187.exe
ms05187957-1335 C:\WINDOWS\ms05187957-1335.exe
win320957-13351879 C:\WINDOWS\win320957-13351879.exe
w00b8150.dll RUNDLL32.EXE w00b8150.dll,I2 000116f8000b8150
vcsixooA C:\WINDOWS\vcsixooA.exe
{AA-A6-60-0B-ZN} c:\windows\system32\dwdsregt.exe CORN001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Cookie Washer\washidx.exe "compusa"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
SysTray.Exiv {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} = C:\WINDOWS\system32\ampjakcp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,xcajacv.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\directpt
= directpt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL
= C:\WINDOWS\system32\guard.tmp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/4/2006 4:22:32 PM

------------------------------------------------------------------------

These entries did not exist, so I did not run LSPFix:
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer

------------------------------------------------------------------------

TrackQoo1.vbs does not run, so I do not include the log.

Finally,

HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 4:33:18 PM, on 04/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{C1263025-7507-ED31-660A-69BE43ECF559} - (no file)
R3 - URLSearchHook: (no name) - _{3F6A142D-85C5-DB37-9D09-AF98CE10A2EE} - (no file)
R3 - URLSearchHook: (no name) - _{0B47242D-A8F5-9905-B03D-EBB588248FAF} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xcajacv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [loader.exed482a.exeR] C:\WINDOWS\system32\loader.exed482a.exeR
O4 - HKLM\..\Run: [NNSCAG638.EXE.org] C:\WINDOWS\system32\NNSCAG638.EXE.org
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [win3208957-1335187] C:\WINDOWS\win3208957-1335187.exe
O4 - HKLM\..\Run: [ms05187957-1335] C:\WINDOWS\ms05187957-1335.exe
O4 - HKLM\..\Run: [win320957-13351879] C:\WINDOWS\win320957-13351879.exe
O4 - HKLM\..\Run: [w00b8150.dll] RUNDLL32.EXE w00b8150.dll,I2 000116f8000b8150
O4 - HKLM\..\Run: [vcsixooA] C:\WINDOWS\vcsixooA.exe
O4 - HKLM\..\Run: [{AA-A6-60-0B-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "compusa"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\compusa\order_afja.exe
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\SMANTE~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [Pmn] C:\Documents and Settings\compusa\Application Data\s?stem32\l?***.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\ampjakcp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vcsixoo.exe (file missing)

Thanks for your huge help so far, the computer is running a bit more stable now....
Attached file: kaspersky log.txt (335.4 KB)
Old 04-07-2006, 12:26 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


Please generate an uninstall list
Launch HijackThis & go to Config > Misc Tools - Open Uninstall Manager
Click the Save List button & post the resultant log here.

Please highlight any entries that look suspicious to you
__________________

Question - what have you done for the community today?
Old 04-07-2006, 02:21 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A


This is in addition to my earlier instructions...

Download the file attached to this post - Fix-It.zip
Save it to Desktop but do not execute till we get to Safe Mode.


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{C1263025-7507-ED31-660A-69BE43ECF559} - (no file)
R3 - URLSearchHook: (no name) - _{3F6A142D-85C5-DB37-9D09-AF98CE10A2EE} - (no file)
R3 - URLSearchHook: (no name) - _{0B47242D-A8F5-9905-B03D-EBB588248FAF} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xcajacv.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [loader.exed482a.exeR] C:\WINDOWS\system32\loader.exed482a.exeR
O4 - HKLM\..\Run: [NNSCAG638.EXE.org] C:\WINDOWS\system32\NNSCAG638.EXE.org
O4 - HKLM\..\Run: [win3208957-1335187] C:\WINDOWS\win3208957-1335187.exe
O4 - HKLM\..\Run: [ms05187957-1335] C:\WINDOWS\ms05187957-1335.exe
O4 - HKLM\..\Run: [win320957-13351879] C:\WINDOWS\win320957-13351879.exe
O4 - HKLM\..\Run: [w00b8150.dll] RUNDLL32.EXE w00b8150.dll,I2 000116f8000b8150
O4 - HKLM\..\Run: [vcsixooA] C:\WINDOWS\vcsixooA.exe
O4 - HKLM\..\Run: [{AA-A6-60-0B-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [order_Shell] C:\Documents and Settings\compusa\order_afja.exe
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\SMANTE~1\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [Pmn] C:\Documents and Settings\compusa\Application Data\s?stem32\l?***.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\guard.tmp (file missing)
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - C:\WINDOWS\system32\ampjakcp.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vcsixoo.exe (file missing)



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run CleanUp! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * *


Locate the file you downloaded earlier & double click on it.
Double click on the executable within & allow it to run.
It may appear as if nothing is happening. So, please be patient as this may take a few moments.

When it finishes, it shall produce 2 logs, which you should post back here.


* * * * * * DEEP SCAN * * * * * * * * * * * * * * * * * * * *


I shall also require you to do another WinPFind scan.

1. Go to the WinPFind folder & double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • The 2 logs produced by Fix-It
  • Uninstall list
  • WinPFind
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?

Last edited by sUBs; 04-09-2006 at 11:32 PM.
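Added example, not from this thread, from sUBs or from the HijackThis tool: a small Python triage helper that parses HJT entry lines, flags the three entry classes the fix list above targets (dangling "(no file)"/"(file missing)" references, IE start/default pages pointing at a local file, an extra program in the Winlogon UserInit chain) and diffs a before/after scan so you can see which entries a fix actually removed. The sample lines are copied from the two logs posted in this thread; the heuristics are my own and are deliberately narrow, so the randomly named Run entries that sUBs picked out by eye are not caught by them.

```python
import re

# One HijackThis entry per line: a section code (R0, R3, F2, O4, O20, ...), " - ", the entry body.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")

# Sample lines copied from the logs in this thread: BEFORE from post #10, AFTER from post #13.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{C1263025-7507-ED31-660A-69BE43ECF559} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xcajacv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vcsixooA] C:\WINDOWS\vcsixooA.exe
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vcsixoo.exe (file missing)
"""

AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""


def parse_hjt(text):
    """Return {section_code: [entry body, ...]} for lines that look like HJT entries.
    The header and the 'Running processes' listing do not match and are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.setdefault(m.group("sec"), []).append(m.group("body"))
    return entries


def flag_entry(sec, body):
    """Return a reason string if the entry matches one of the patterns fixed in this thread, else None.
    These heuristics are an assumption of this example, not HijackThis logic."""
    if "(file missing)" in body or "(no file)" in body:
        return "dangling reference: loader left behind after its file was removed"
    if sec in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        # The stock XP Local Page (blank.htm) is legitimately a local file; any other local page is suspect.
        if value.lower().endswith("blank.htm"):
            return None
        if not value.lower().startswith(("http://", "https://", "about:")):
            return "IE page points at a local file: %s" % value
    if sec == "F2" and "UserInit=" in body:
        cmds = [c.strip() for c in body.split("UserInit=", 1)[1].split(",") if c.strip()]
        # Compare basenames so a fully qualified C:\WINDOWS\system32\userinit.exe is still recognised.
        extra = [c for c in cmds if c.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            return "extra program in the Winlogon UserInit chain: %s" % ", ".join(extra)
    return None


def triage(text):
    """List (section, body, reason) for every flagged entry in a log."""
    flagged = []
    for sec, bodies in parse_hjt(text).items():
        for body in bodies:
            reason = flag_entry(sec, body)
            if reason:
                flagged.append((sec, body, reason))
    return flagged


def diff_logs(before, after):
    """Return (entries removed by the fix, entries still present) as sorted 'SEC - body' strings.
    Exact string matching is enough here because HJT prints an unchanged entry identically each scan."""
    b = {"%s - %s" % (s, x) for s, xs in parse_hjt(before).items() for x in xs}
    a = {"%s - %s" % (s, x) for s, xs in parse_hjt(after).items() for x in xs}
    return sorted(b - a), sorted(a & b)


if __name__ == "__main__":
    for sec, body, reason in triage(BEFORE):
        print("%-3s %s\n    -> %s" % (sec, body, reason))
    removed, remaining = diff_logs(BEFORE, AFTER)
    print("\nremoved by the fix: %d, still present: %d" % (len(removed), len(remaining)))
    for line in remaining:
        print("  still present:", line)
```

On these samples the diff shows the [slntq] Run entry and the O6 policy keys surviving the fix, which is exactly what the follow-up log in this thread shows.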
Old 04-09-2006, 10:40 PM   #13 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Here are the logs... the only one missing is the Fix-It log. I tried running it but it told me there was a problem completing the setup and that I needed to restart the computer and try again. I did this but the same thing happened again.


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:32:02 AM, on 04/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CManager\CManager.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "compusa"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Connection Manager.lnk = C:\Program Files\CManager\CManager.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

-------------------------------------------------------------------

UNINSTALL LIST

2Wire Gateway
ACE-HIGH MP3 WAV WMA OGG Converter
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.5
Adobe Stock Photos 1.0
Alive MP3 WAV Converter version 3.1.6.8
America Online
American McGee's Alice(tm)
ArcSoft PhotoImpression 5 (Shared Components)
Audacity 1.2.1
Avance AC'97 Audio
AviSynth 2.5
BellSouth® FastAccess® Connection Manager
BigFix
BitLord 1.1
BitTorrent 4.0.1
BroadJump Client Foundation
Cacheman 5.50
Call of Duty
Call of Duty - United Offensive
CC_ccStart
ccCommon
CleanUp!
CompuServe
Conexant SoftK56 Modem(M)
Cookie Washer (AOL)
DAEMON Tools
Direct Show Ogg Vorbis Filter (remove only)
DivX
DivX Player
ewido anti-malware
Free iPod Video Converter 1.26
GoldWave v5.08
Google Earth
HijackThis 1.99.1
Hitman 2: Silent Assassin
HP DeskJet 610C Series (Remove only)
Intel(R) Extreme Graphics Driver
InterActual Player
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment Standard Edition v1.3.1
JumpStart Advanced Kindergarten
Kaspersky On-line Scanner
Kazaa Lite Resurrection 0.0.7.6 F
Lim0nMSNProxy 2.3
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
LucasArts' Outlaws
Macromedia Flash Player 8
Macromedia Shockwave Player
Medal of Honor Allied Assault
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Halo
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Windows Journal Viewer
Microsoft Works 6.0
Mozilla Firefox (1.5)
Mplayer.com
MSN Messenger 7.5
MSRedist
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Multimedia Keyboard Driver Ver1.0 (KB-0108)
My MP3 Organizer version 2 BUILD 8
Nero 6 Ultra Edition
NiBiRu
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
PC Inspector File Recovery
PCFriendly
Popup Manager (remove only)
PowerDVD
QuickTime
RamBooster
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Sony Vegas 4.0e
Star Wars JK II Jedi Outcast
Symantec Script Blocking Installer
SymNet
The Core Media Player 4.0
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoMach 3.5.2
Winamp (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip

------------------------------------------------------------------

WINPFIND LOG

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 4/1/2006 8:15:56 AM 467968 C:\visfx500.exe
qoologic 4/2/2006 8:04:20 PM 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/19/2006 9:43:28 AM 70910 C:\WINDOWS\51=L.exe
UPX! 3/8/2006 5:02:36 PM 70910 C:\WINDOWS\7020.exe
UPX! 8/22/2004 6:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 2/24/2006 10:27:58 PM 24296 C:\WINDOWS\icont.exe
aspack 2/22/2006 7:18:16 PM 84480 C:\WINDOWS\kl1.exe
UPX! 2/26/2006 9:37:24 PM 70910 C:\WINDOWS\letn.exe
UPX! 2/19/2006 11:13:10 AM 70910 C:\WINDOWS\seli.exe
FSG! 2/22/2006 7:21:06 PM 26714 C:\WINDOWS\tool3.exe
UPX! 3/8/2006 5:01:46 PM 189942 C:\WINDOWS\whCC-GIANT.exe

Checking %System% folder...
UPX! 2/17/2006 9:25:44 PM 45568 C:\WINDOWS\SYSTEM32\0o8w6vci.dll
UPX! 10/7/2005 1:14:52 PM 308224 C:\WINDOWS\SYSTEM32\avisynth.dll
FSG! 4/7/2005 8:53:00 PM 398742 C:\WINDOWS\SYSTEM32\Clgqctk1.xml
PEC2 3/8/2006 5:00:24 PM 67072 C:\WINDOWS\SYSTEM32\cloudsim.exe
PECompact2 3/8/2006 5:00:24 PM 67072 C:\WINDOWS\SYSTEM32\cloudsim.exe
aspack 3/18/2005 6:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 4:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
WinShutDown 3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\SYSTEM32\dn2801fue.dll
ad-w-a-r-e.com 3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\SYSTEM32\dn2801fue.dll
WinShutDown 4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\SYSTEM32\dnns0157e.dll
ad-w-a-r-e.com 4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\SYSTEM32\dnns0157e.dll
WinShutDown 3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\SYSTEM32\e8202ifmg82a2.dll
ad-w-a-r-e.com 3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\SYSTEM32\e8202ifmg82a2.dll
PEC2 2/22/2006 7:21:30 PM 22016 C:\WINDOWS\SYSTEM32\eaioeiib.exe
WinShutDown 4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\SYSTEM32\en02l1do1.dll
ad-w-a-r-e.com 4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\SYSTEM32\en02l1do1.dll
WinShutDown 3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\SYSTEM32\en8ql1l51.dll
ad-w-a-r-e.com 3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\SYSTEM32\en8ql1l51.dll
UPX! 4/1/2006 8:11:28 AM 1375912 C:\WINDOWS\SYSTEM32\expload.exe
WinShutDown 4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\SYSTEM32\fp2603fse.dll
ad-w-a-r-e.com 4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\SYSTEM32\fp2603fse.dll
WinShutDown 4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\SYSTEM32\ir8ul5l91.dll
ad-w-a-r-e.com 4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\SYSTEM32\ir8ul5l91.dll
WinShutDown 4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\SYSTEM32\jt2o07f3e.dll
ad-w-a-r-e.com 4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\SYSTEM32\jt2o07f3e.dll
WinShutDown 3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\SYSTEM32\ldgif13n.dll
ad-w-a-r-e.com 3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\SYSTEM32\ldgif13n.dll
PECompact2 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/3/2002 3:02:58 AM 491520 C:\WINDOWS\SYSTEM32\NCTAudioFile.dll
aspack 12/15/2003 12:43:18 PM 657920 C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
aspack 12/3/2002 4:07:08 AM 168448 C:\WINDOWS\SYSTEM32\NCTAudioPlayer.dll
aspack 12/3/2002 3:11:10 AM 143872 C:\WINDOWS\SYSTEM32\NCTWMAFile.dll
UPX! 1/27/2006 4:41:22 PM 84480 C:\WINDOWS\SYSTEM32\nsa15.dll
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsf108.dll
UPX! 1/18/2006 5:19:02 PM 84480 C:\WINDOWS\SYSTEM32\nso3F.dll
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsy13.dll
FSG! 4/23/2005 9:27:58 AM 398742 C:\WINDOWS\SYSTEM32\Nsytplk1.xml
UPX! 2/13/2006 8:09:08 AM 95232 C:\WINDOWS\SYSTEM32\nsz10B.dll
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 3:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2/26/2006 9:37:18 PM 224768 C:\WINDOWS\SYSTEM32\realarcade_seedcorn_stub.exe
FSG! 4/22/2005 3:21:02 PM 398742 C:\WINDOWS\SYSTEM32\Rotqwsk1.xml
UPX! 4/1/2006 8:23:08 AM 51712 C:\WINDOWS\SYSTEM32\w00b8150.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 2/14/2006 6:30:38 PM 239440 C:\WINDOWS\SYSTEM32\whCC-CLICK.exe
aspack 12/28/2005 5:33:44 PM H 699392 C:\WINDOWS\SYSTEM32\wodfamoh.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/9/2006 10:29:18 PM S 2048 C:\WINDOWS\bootstat.dat
4/1/2006 8:18:54 AM S 50688 C:\WINDOWS\NDNuninstall6_38.exe
4/1/2006 8:23:38 AM S 183296 C:\WINDOWS\NDNuninstall7_22.exe
4/9/2006 4:35:32 AM H 54156 C:\WINDOWS\QTFont.qfn
4/1/2006 8:19:42 AM R S 0 C:\WINDOWS\system32\d8j02i1mg8.dll
3/26/2006 9:54:56 PM R S 235093 C:\WINDOWS\system32\dn2801fue.dll
4/1/2006 11:27:02 AM R S 235023 C:\WINDOWS\system32\dnns0157e.dll
3/26/2006 9:19:30 PM R S 236300 C:\WINDOWS\system32\e8202ifmg82a2.dll
4/1/2006 12:18:34 PM R S 235473 C:\WINDOWS\system32\en02l1do1.dll
3/26/2006 10:45:14 PM R S 236036 C:\WINDOWS\system32\en8ql1l51.dll
4/1/2006 1:24:14 PM R S 234895 C:\WINDOWS\system32\fp2603fse.dll
4/1/2006 12:42:46 PM R S 236257 C:\WINDOWS\system32\ir8ul5l91.dll
4/1/2006 11:27:12 AM R S 235017 C:\WINDOWS\system32\jt2o07f3e.dll
3/26/2006 10:42:14 PM R S 236036 C:\WINDOWS\system32\ldgif13n.dll
4/9/2006 10:29:06 PM H 8192 C:\WINDOWS\system32\config\default.LOG
4/9/2006 10:29:58 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/9/2006 10:29:20 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
4/9/2006 11:18:18 PM H 77824 C:\WINDOWS\system32\config\software.LOG
4/9/2006 10:29:26 PM H 974848 C:\WINDOWS\system32\config\system.LOG
3/17/2006 4:02:02 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/24/2006 10:13:00 PM S 20551 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
2/24/2006 10:12:58 PM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
2/24/2006 10:13:00 PM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
2/24/2006 10:12:58 PM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
3/17/2006 7:27:36 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd7685ff-5ec1-4f68-a8ea-ed3244dac518
3/17/2006 7:27:36 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
4/9/2006 10:13:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT
4/8/2006 12:09:28 AM HS 113 C:\WINDOWS\temp\History\History.IE5\desktop.ini
4/8/2006 12:09:26 AM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini
4/8/2006 12:09:26 AM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\4XU38TEZ\desktop.ini
4/8/2006 12:09:26 AM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\KDUJWHEF\desktop.ini
4/8/2006 12:09:26 AM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\KXQF0DAF\desktop.ini
4/8/2006 12:09:26 AM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\WTUFCP67\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc. 6/29/2002 7:05:00 PM 617984 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 11/2/2004 10:01:34 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/4/2005 3:36:44 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 3:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 3:12:00 AM 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Avance Logic, Inc. 6/29/2002 7:05:00 PM 617984 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\ALSNDMGR.CPL
Intel Corporation 7/1/2004 12:00:42 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/31/2005 12:29:52 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/31/2004 10:44:20 PM 694 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Connection Manager.lnk
2/11/2003 4:48:02 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/11/2003 8:36:24 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/21/2005 3:05:04 PM 1802 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
2/11/2003 4:48:02 PM HS 84 C:\Documents and Settings\compusa user\Start Menu\Programs\Startup\desktop.ini
4/1/2006 5:17:00 PM 676 C:\Documents and Settings\compusa user\Start Menu\Programs\Startup\Zeno.lnk

Checking files in %USERPROFILE%\Application Data folder...
2/11/2003 8:36:24 AM HS 62 C:\Documents and Settings\compusa user\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{C408B91E-9283-4425-8473-C0222B3802FF} = C:\WINDOWS\system32\guard.tmp
{1FD167D2-E7B9-4011-972D-E53966F4D4D9} = C:\WINDOWS\system32\iGlmdd5.dll
{27A344CD-40C4-4586-88B6-2D4CA6782CE7} = C:\WINDOWS\system32\onbcbcp.dll
{FFB12E6E-D597-4AA3-9A81-102E204EC7D7} =
{596C2A12-B54C-4709-AECE-8523D5C2522A} =
{D8A995D2-14CA-4FAB-B72A-7CF161AAFF17} =
{B2D09079-32A6-498E-AC88-B7368F0B632B} = C:\WINDOWS\system32\guard.tmp

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CoreShellAgent
{516EC4D3-4AD9-11D5-AA6A-00E0189008B3} = C:\PROGRA~1\CORECO~1\THECOR~1\System\CORESH~1.CLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
CHotkey mHotkey.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Cookie Washer\washidx.exe "compusa"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/9/2006 11:26:10 PM


----------------------------------------------------------------

Thank you
Old 04-09-2006, 11:32 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Quote:
the only one missing is the Fix-it log. I tried running it but it told me there was a problem completing the setup and that I needed to restart the computer and try again.
I'll be honest with you & I hope you don't take this the wrong way. I really do appreciate a faster response rate from you. This thread started in February & it's a bit ridiculous for it to stretch to 2 months. I understand that your busy schedule may not allow you to commit much time to this, but the virus/malware isn't gonna sit around twiddling its thumbs doing nothing, waiting for you to kill it.

Your previous problem with Fix-It may be due to Norton's script blocking. Please disable it so that you may run the script. I have amended Fix-it so as to minimise the chances of an error. As fix-it is the main ingredient of the fix, that means we have to re-do most of our earlier efforts.

Download the file attached to this post - Fix-It.zip
Save it to Desktop but do not execute till we get to Safe Mode.


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKCU\..\Run: [slntq] C:\WINDOWS\system32\wwcbpw.exe reg_run


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * *


Locate the file you downloaded earlier & double click on it.
Double click on the executable within & allow it to run.
It may appear as if nothing is happening. So, please be patient as this may take a few moments.

When it finishes, it shall produce 2 logs, which you should post back here.


* * * * * * DEEP SCAN * * * * * * * * * * * * * * * * * * * *


I shall also require you to do another WinPFind scan.

1. Go to the WinPFind folder & double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • The 2 logs produced by Fix-It
  • Uninstall list
  • WinPfind
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 04-11-2006 at 11:45 AM.
Old 04-10-2006, 09:05 AM   #15 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Hello,

You are right about the response rate. Sorry for taking so long. I'll do my best to answer faster from now on and appreciate the fact that you still take the time to fix this thread.

Ok, as for Fix-It, this new file doesn't run either. When I double click it a command prompt appears saying "the system cannot find the path specified".
When I tried it last time at least it would run, but it would freeze halfway through the installation...
Old 04-10-2006, 10:45 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Quote:
When I double click it a command prompt appears saying ''the system cannot find the path specified''.
That error message is okay. It only shows up when some of the earlier malware files have been removed prior to running fix-it.

Did it produce any logs for you? Please check if you have these files:

1. C:\Q-LOG.txt
2. C:\sUBs.txt

If so, kindly post them.
__________________

Question - what have you done for the community today?
Old 04-10-2006, 05:49 PM   #17 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


No logs were produced....
Old 04-10-2006, 07:14 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Please verify if any of these files/folders still exist on your machine:

C:\Program Files\Common Files\CMEII
C:\Program Files\Fxelg
C:\Program Files\Jalmp
C:\Program Files\Common Files\GMT

C:\Documents and Settings\compusa\drsmartload529a.exe
C:\Documents and Settings\compusa\ps.exe
C:\Documents and Settings\niñas\My Documents\My eBooks\thecrowamp.exe
C:\Documents and Settings\niñas\ps.exe
C:\hijackthis\backups\backup-20060326-233519-154.dll
C:\krw1dn.exe
C:\NNSCAA638.exe
C:\Program Files\Common Files\csshare\plugins0942\npzango.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm000*.*
C:\Program Files\Mozilla Firefox\plugins\npzango.dll
C:\secure32.html
C:\visfx500.exe
C:\WINDOWS\51=L.exe
C:\WINDOWS\7020.exe
C:\WINDOWS\876056.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\kl1.exe
C:\WINDOWS\ldlpxuuq.exe
C:\WINDOWS\letn.exe
C:\WINDOWS\mm63.ocx
C:\WINDOWS\mm83.ocx
C:\WINDOWS\ms05187957-1335.exe
C:\WINDOWS\NDNuninstall6*.*
C:\WINDOWS\Odgygqyc.dll
C:\WINDOWS\offun.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\pf78bb.exe
C:\WINDOWS\rlvknlg.exe
C:\WINDOWS\seli.exe
C:\WINDOWS\sms112x.exe
C:\WINDOWS\surv3.exe
C:\WINDOWS\sys011335187957-.exe
C:\WINDOWS\SYSTEM32\0o8w6vci.dll
C:\WINDOWS\system32\adstartup.exe
C:\WINDOWS\system32\cfvm.dll
C:\WINDOWS\SYSTEM32\Clgqctk1.xml
C:\WINDOWS\system32\cloudsim.exe
C:\WINDOWS\system32\directprt.sys
C:\WINDOWS\system32\dist001.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\dn2801fue.dll
C:\WINDOWS\SYSTEM32\dnns0157e.dll
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\e8202ifmg82a2.dll
C:\WINDOWS\SYSTEM32\eaioeiib.exe
C:\WINDOWS\system32\en02l1do1.dll
C:\WINDOWS\SYSTEM32\en8ql1l51.dll
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\SYSTEM32\expload.exe
C:\WINDOWS\system32\fp2603fse.dll
C:\WINDOWS\system32\FT_SilentSudokuInstaller.exe
C:\WINDOWS\system32\GSM3-0511.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\hfajebj.exe
C:\WINDOWS\system32\hoasyfh.vxd
C:\WINDOWS\system32\hpapyaf.exe
C:\WINDOWS\system32\hqauygl.dll
C:\WINDOWS\system32\huiheck.exe
C:\WINDOWS\system32\huiqyet.sys
C:\WINDOWS\system32\iGlmdd5.dll
C:\WINDOWS\system32\install_ID6.exe
C:\WINDOWS\system32\ir8ul5l91.dll
C:\WINDOWS\system32\irismon.dll
C:\WINDOWS\system32\jt2o07f3e.dll
C:\WINDOWS\system32\ldgif13n.dll
C:\WINDOWS\system32\loadadv64
C:\WINDOWS\system32\loader.exed482a.exeR
C:\WINDOWS\system32\mcspy.exe
C:\WINDOWS\system32\mmxp2passion.exe
C:\WINDOWS\system32\modgxyz.exe
C:\WINDOWS\system32\NNSCAG638.exe.org
C:\WINDOWS\system32\nsa15.dll
C:\WINDOWS\system32\nsf108.dll
C:\WINDOWS\SYSTEM32\nso3F.dll
C:\WINDOWS\system32\nsy13.dll
C:\WINDOWS\SYSTEM32\Nsytplk1.xml
C:\WINDOWS\system32\nsz10B.dll
C:\WINDOWS\system32\onbcbcp.dll
C:\WINDOWS\system32\pre?.exe
C:\WINDOWS\system32\qspsnns.dll
C:\WINDOWS\SYSTEM32\realarcade_seedcorn_stub.exe
C:\WINDOWS\system32\repairs302972994.dll
C:\WINDOWS\system32\rk.bin
C:\WINDOWS\SYSTEM32\Rotqwsk1.xml
C:\WINDOWS\system32\s_install_ID8.exe
C:\WINDOWS\system32\Setup95.exe
C:\WINDOWS\system32\SWin32.dl
C:\WINDOWS\system32\Tagasuarus5.exe
C:\WINDOWS\system32\tusgp*.*
C:\WINDOWS\system32\unpack.exe
C:\WINDOWS\system32\urue.dll
C:\WINDOWS\system32\w00b8150.dll
C:\WINDOWS\system32\whCC-CLICK.exe
C:\WINDOWS\SYSTEM32\wodfamoh.dll
C:\WINDOWS\tool?.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\uni_eh.exe
C:\WINDOWS\unin101.exe
C:\WINDOWS\vcsixooA.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\win3208957*
C:\WINDOWS\YazzleBundle*
F:\Documents and Settings\Administrator\My Documents\BACKUP ADRIANA\Carta\BACKUP\cs1005.exe
F:\Recovered Pics\cluster 108690.JPG
__________________

Question - what have you done for the community today?
Old 04-10-2006, 08:48 PM   #19 (permalink)
Registered User
 
Join Date: Feb 2005
Posts: 55
OS: XP


Just to make sure, am I supposed to delete them if I find them?
Old 04-10-2006, 09:18 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Just let me know if they exist. Some of the filenames have * (asterisks), which are wildcards. You may accidentally delete legit files.
__________________

Question - what have you done for the community today?
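Added example (not the thread's own code and not sUBs's Fix-It script): a read-only Python check for a list like the one posted above, in the spirit of "just let me know if they exist" rather than deleting on a wildcard match. It assumes a constructed sample tree in a temp directory with C:\ mapped to <root>/C so it runs on any OS, that `?` in a listed name is a one-character wildcard, and uses only a handful of the listed paths as sample patterns.

```python
"""Read-only check: which of a list of suspect Windows paths (some with
wildcards) still exist. Reports only; it never deletes anything."""
import fnmatch
import os
import re
import tempfile

WIN_PATH = re.compile(r"^([A-Za-z]):\\(.+)$")
# Constructed subset of the thread's list; the last entry is absent from the sample tree.
SUSPECT = [r"C:\WINDOWS\system32\guard.tmp", r"C:\Program Files\Fxelg",
           r"C:\WINDOWS\win3208957*", r"C:\WINDOWS\system32\tusgp*.*",
           r"C:\WINDOWS\seli.exe"]


def split_win_pattern(pattern):
    """'C:\\WINDOWS\\system32\\tusgp*.*' -> ['C', 'WINDOWS', 'system32', 'tusgp*']."""
    m = WIN_PATH.match(pattern)
    if not m:
        raise ValueError("not an absolute Windows path: %r" % pattern)
    parts = [m.group(1).upper()] + [p for p in m.group(2).split("\\") if p]
    # cmd.exe treats a trailing '*.*' as 'any name, with or without an extension';
    # fnmatch would demand a dot, so normalise it to a bare '*'.
    if parts[-1].endswith("*.*"):
        parts[-1] = parts[-1][:-2]
    return parts


def expand(root, parts):
    """Resolve `parts` under `root`, matching each component case-insensitively
    (NTFS/FAT ignore case; the log mixes SYSTEM32 and system32); '?' = one char."""
    candidates = [root]
    for comp in parts:
        nxt = []
        for d in candidates:
            if os.path.isdir(d):
                for name in os.listdir(d):
                    if fnmatch.fnmatchcase(name.lower(), comp.lower()):
                        nxt.append(os.path.join(d, name))
        candidates = nxt
        if not candidates:
            break
    return sorted(candidates)


def check_paths(patterns, root):
    """Return (pattern, matched_path, size_bytes) for every match, in input order.
    Directories report size 0; a 0-byte file is a stub rather than a live binary."""
    hits = []
    for pat in patterns:
        for path in expand(root, split_win_pattern(pat)):
            size = os.path.getsize(path) if os.path.isfile(path) else 0
            hits.append((pat, path, size))
    return hits


def build_sample_tree():
    """Constructed sample tree in a temp dir (not the poster's machine);
    'C:\\' is mapped to <root>/C so the check runs on any OS."""
    root = tempfile.mkdtemp(prefix="pathcheck_")
    for parts, size in {("C", "WINDOWS", "system32", "guard.tmp"): 10,
                        ("C", "WINDOWS", "win32089571234.exe"): 5,
                        ("C", "WINDOWS", "system32", "TUSGP_noext"): 3,
                        ("C", "WINDOWS", "system32", "legit.dll"): 7}.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x" * size)
    os.makedirs(os.path.join(root, "C", "Program Files", "Fxelg"))
    return root
```

Running `check_paths(SUSPECT, build_sample_tree())` reports guard.tmp, the Fxelg folder and the two wildcard matches, and nothing for seli.exe; legit.dll is untouched because the script only reads.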
Copyright 2001 - 2009, Tech Support Forum