Spyware Quake Attack

swhit32257 · 03-31-2006, 03:49 PM

Mayday! Or is that April Fools Day? Actually, not yet. This is legit, I'm afraid. I found some removal instructions, but i don't think everything worked right because spyware runs are still showing stuff even though the "main" program is gone (I think). Below is the HJT log. I'll add a panda log as well as Ewido and some other spyrun run reports later when they're complete. I can't get to Kaspersky's website to do that run. Any idea why that website always seems to be down? Anyways, thanks in advance! SWHIT32257
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:42:41 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

**POADB** · 04-01-2006, 12:05 AM

Welcome to TSF.

We need to know exactly what you have run please. And if you have those Ewido and Panda reports that would be great. Once we know what you've tried all ready - we can advise a way forward.

swhit32257 · 04-01-2006, 04:41 AM

Here ya go...

CCLEANER: Cleaned up over 10M of old files

NORTON ANTIVIRUS: Clean Run

PANDA:
Incident Status Location

Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\My Shortcuts\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe]

EWIDO:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:51:20 PM, 3/31/2006
+ Report-Checksum: 30A81E98

+ Scan result:

C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup

::Report End

AD-AWARE: Clean Run

SPYBOT S&D: Clean Run

SPYWARE DOCTOR: Clean Run

REGISTRY MECHANIC:
----------------------------------------------------------------------------------------------------
Registry Mechanic 5.1.0.224
----------------------------------------------------------------------------------------------------
Start of Scan
3/31/2006 5:29:05 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 606552
MEMORY TOTAL: 1047852
VIRTUAL FREE: 2018056
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP 5.1 (Build 2600)

----------------------------------------------------------------------------------------------------
Running processes: Process ID
----------------------------------------------------------------------------------------------------
[System Process] 0
System 4
smss.exe 512
csrss.exe 744
winlogon.exe 768
services.exe 816
lsass.exe 828
ati2evxx.exe 984
svchost.exe 1016
svchost.exe 1108
svchost.exe 1220
svchost.exe 1312
CCSETMGR.EXE 1468
CCEVTMGR.EXE 1564
SNDSrvc.exe 200
SPBBCSvc.exe 184
symlcsvc.exe 236
spoolsv.exe 544
AOLacsd.exe 700
aoltsmon.exe 1196
ehsched.exe 1276
ati2evxx.exe 1420
aoltpspd.exe 1480
ewidoctrl.exe 1488
ehrec.exe 1496
explorer.exe 1652
gearsec.exe 1668
MDM.EXE 1684
NAVAPSVC.EXE 1772
NPFMNTOR.EXE 1880
sdhelp.exe 1936
WRSSSDK.exe 596
wdfmgr.exe 696
wwSecure.exe 1440
hphmon05.exe 1996
AGRSMMSG.exe 2008
CCAPP.EXE 2016
SpySweeper.exe 2024
jusched.exe 2072
ctfmon.exe 2104
alg.exe 3200
wuauclt.exe 3520
wmiprvse.exe 3568
NSCSRVCE.EXE 3608
waol.exe 3920
shellmon.exe 2388
msmsgs.exe 3836
RegMech.exe 4040
----------------------------------------------------------------------------------------------------
Sections Scanned:
----------------------------------------------------------------------------------------------------

TMP - 2
Location: C:\Program Files\Norton AntiVirus\Savrt\0602NAV~.TMP\
Value : Temp file = C:\Program Files\Norton AntiVirus\Savrt\0602NAV~.TMP
Parsed :

TMP - 3
Location: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\
Value : CHK file = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk
Parsed :

TMP - 4
Location: C:\WINDOWS\system32\CatRoot2\edb.chk\
Value : CHK file = C:\WINDOWS\system32\CatRoot2\edb.chk
Parsed :

DEEP - 5
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value : C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat = C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat
Parsed : C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat

DEEP - 6
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value : C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe = C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe
Parsed : C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe

DEEP - 7
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value : C:\WINDOWS\system32\dfrgsrv.exe = C:\WINDOWS\system32\dfrgsrv.exe
Parsed : C:\WINDOWS\system32\dfrgsrv.exe

DEEP - 8
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value : C:\Documents and Settings\Administrator\Desktop\smitRem.exe = C:\Documents and Settings\Administrator\Desktop\smitRem.exe
Parsed : C:\Documents and Settings\Administrator\Desktop\smitRem.exe

DEEP - 9
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Value : c:\My Games\Poker Superstars 2\PokerSuperstars2.exe = c:\My Games\Poker Superstars 2\PokerSuperstars2.exe
Parsed : c:\My Games\Poker Superstars 2\PokerSuperstars2.exe

----------------------------------------------------------------------------------------------------
Registry Mechanic 5.1.0.224
----------------------------------------------------------------------------------------------------
End of Scan
3/31/2006 5:33:27 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 606552
MEMORY TOTAL: 1047852
VIRTUAL FREE: 2018056
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP 5.1 (Build 2600)

System Restore Point created

**POADB** · 04-01-2006, 05:06 AM

If you have run SmitRem - please post it's log. It should be here C:\smitrem.txt

swhit32257 · 04-01-2006, 07:30 AM

Found a smitfiles.log -- here it is

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/31/2006
The current time is: 17:39:48.62

Running from
C:\Documents and Settings\Administrator\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1652 'explorer.exe'
Killing PID 1652 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

**POADB** · 04-01-2006, 10:32 AM

OK - so we're on track.

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Before you begin, take a read through these instructions and download the programs that I've advised. Save the below instructions in notepad or wordpad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers open during the cleaning process unless otherwise prompted.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!! .

********************************DOWNLOADS********************************

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Please download this regfile to your desktop:FFixSQ

Unplug your computer from the Internet when you have finished downloading.

*********************************SETTING UP********************************

Enable the viewing of Hidden files

From Windows Explorer, go to Tools>Folder Options>View tab.
Enable the option for `Show hidden files and folder´
Disable the option for `Hide file extensions for known types´
Disable the option for `Hide protected operating system files´
Click Yes to confirm & then click OK

*********************************HJT FIXES**********************************

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -

*****************************MANUAL DELETIONS*****************************

Locate and delete the following file(s), if present:

C:\Windows\System32\stickrep.dll

********************************ONLINE SCAN********************************

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

********************************CHECK LIST********************************

In your next post, please include fresh logs from:

HiJackThis
Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

swhit32257 · 04-02-2006, 07:39 AM

OK, attached is a new hijackthis log. The Kasparev website will not work (always gets an error when I try to load it) so I cannot do a run at this time. Also, new symptom, attached is a popup message I get when the sysytem boots. Thanks, SWHIT32257

Logfile of HijackThis v1.99.1
Scan saved at 9:21:42 AM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\114390~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\114390~1\EE\AOLServiceHost.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143904926\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

**POADB** · 04-02-2006, 12:25 PM

Lets see the Event Viewer Log:

Quote:

How to View Event Logs
To open Event Viewer, follow these steps:
1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer.

The Application, Security, and System logs are displayed in the Event Viewer window.

How to View Event Details
To view the details of an event, follow these steps:
1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. In the details pane, double-click the event that you want to view.

The Event Properties dialog box containing header information and a description of the event is displayed.

To copy the details of the event, click the Copy button, then open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.

To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.

Once you have found Event viewer from either of the above instructions. Click Application and then Export List from one of the icons on the toolbar above it.

Save the log and then post it in your next post.

swhit32257 · 04-02-2006, 12:39 PM

Here's the logs (see attachments). Also - One more "symptom" to report. My desktop is changing on its own. FYI - Spybot Search and Destroy found and deleted some kind of a windows desktop thing, but it still has not changed back to my settings.

swhit32257 · 04-03-2006, 03:26 PM

Bumping up...

Also, I need to report another symptom. When I boot, norton is under the impression that my microsoft windows update is turned off, yet it says it is on. I must physically turn it off and back on to clear it up. Not sure what that means, but maybe it means something to you guys. Thanks! SWHIT32257

If it'll help, i ran another panda scan this morning and hjt just now...here's the latest logs:

PANDA:
Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\My Shortcuts\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe]
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:26:20 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\ehome\ehRec.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1143904926\ee\aolsoftware.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143904926\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1144058459921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

**POADB** · 04-04-2006, 12:54 AM

Download and run - bfu.zip
Checkmark the following boxes:
- Use settings specified in script for the above option
- Show log after script ends
Click the Web button located on the top right corner
Copy/Paste this url into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
Execute the script by clicking the Execute button.
When it finishes running, click the Save button for a copy of the log
Post the log created by the script when you have completed the fix

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Before you begin, take a read through these instructions and download the programs that I've advised. Save the below instructions in notepad or wordpad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers open during the cleaning process unless otherwise prompted.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Please allow yourself a few spare hours. Below are instructions for virus a scan(s) that can take longer then 2 hours.

It is also important you don't miss a step and perform everything in the right order!! .

********************************DOWNLOADS********************************

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Download smitRem.exe and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Download Ewido Security Suite - Install & Update it's database but do not run it yet.

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe

Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Unplug your computer from the Internet when you have finished downloading.

********************************SAFE MODE********************************

REBOOT TO SAFE MODE

Restart the computer. The computer begins processing a set of instructions known as BIOS.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
Continue to do so until the 'Windows Advanced Options' menu appears.
Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

********************************ADDITIONAL SCANS******************************

Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:
- Automatically save log-file
- Automatically quarantine objects prior to removal
- Safe Mode (always request confirmation)
- Prompt to update outdated definitions - set the number of days = 7
Click on the Scanning button on the left and select in green:
- Scan Within Archives
- Under Select drives & folders to scan:
  - choose all hard drives
- Scan Active Processes
- Scan Registry
- Deep Scan Registry
- Scan my IE favorites for banned URL’s
- Scan my Hosts file
Click on the Advanced button on the left and select in green:
- Move deleted files to recycle bin
- include addtional object information
- DeSelect - include negligible objects information
- Don't log streams smaller than 0 bytes
- Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak button:
1. Under Scanning Engine:
  - Unload recognized processes during scanning
  - Ignore spanned files when scanning cab archives
  - Scan registry for all users instead of current user only
2. Under Cleaning Engine:
  - Let Windows remove files in use at next reboot
3. Under Log Files:
  - Include basic Ad-aware SE settings in logfile
  - Include additional Ad-aware SE settings in logfile
  - Include computer & username in logfile
  - Please DeSelect: Include Module list in logfile

2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found

********************************EWIDO SCAN********************************

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the Save report button
Save the report to your desktop

Close Ewido

********************************RUN SMITREM********************************

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

********************************DESKTOP REPAIR*****************************

Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.

Reboot back to normal mode, and post the SmitRem.txt file, the BFU log and a new HJT log & Ewido results..

swhit32257 · 04-04-2006, 02:36 PM

SmitRem.txt file

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 04/04/2006
The current time is: 16:22:44.12

Running from
C:\Program Files\smitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 4508 'explorer.exe'
Killing PID 4508 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

BFU log
BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 5:39:41 AM, on 4/4/2006

Script completed.

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 4:35:23 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Ewido results
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:20:21 PM, 4/4/2006
+ Report-Checksum: 2AC89E51

+ Scan result:

No infected objects found.

::Report End

swhit32257 · 04-04-2006, 06:41 PM

Symptom update -- the popup and desktop situations are continuing. I was FINALLY able to run a Kasparev scan (just through AOL, interestingly enought but not in IE). Lots of problems. See the log below:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, April 04, 2006 8:18:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 4/04/2006
Kaspersky Anti-Virus database records: 174982
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 222461
Number of viruses found: 5
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:32:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\559C0369.exe Infected: Trojan-Downloader.Win32.Zlob.is skipped
C:\My Installers\eCodec-v4.401.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.jz skipped
C:\My Installers\eCodec-v4.401.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.jy skipped
C:\My Installers\eCodec-v4.401.exe NSIS: infected - 2 skipped
C:\My Installers\eCodec-v4.401.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP269\A0087265.exe Infected: Trojan-Downloader.Win32.Zlob.jx skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP269\A0087271.tlb Infected: Trojan-Downloader.Win32.Zlob.js skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP270\A0087361.exe Infected: Trojan-Downloader.Win32.Zlob.js skipped
C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP271\A0087413.tlb Infected: Trojan-Downloader.Win32.Zlob.js skipped

Scan process completed.

**POADB** · 04-05-2006, 01:13 AM

Empty Norton's Quarantine:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\

and delete this file:

C:\My Installers\eCodec-v4.401.exe

Did you perform this step of my instructions:[b]

Quote:

********************************DESKTOP REPAIR*****************************

Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.

Download WinPfind.zip - Unzip to Drive C

Reboot your computer to SAFE MODE

Locate & double-click on WinPFind.exe.

Click Start Scan
Once the Scan is Complete
1. Go to the WinPFind folder & locate WinPFind.txt
2. Post the results in your next post!

* This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

swhit32257 · 04-05-2006, 03:30 AM

Nothing to uncheck for the DESKTOP REPAIR piece. See below for the WINPFIND log as well as a current HJT log:

WINPFIND:
--------------------------------------------------------------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 3/31/2006 6:31:34 PM 183197 C:\smitRem.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/2/2005 9:58:34 PM 293716 C:\WINDOWS\Golden Palace Casino PT setup.exe
PECompact2 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
qoologic 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
SAHAgent 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 7/25/2005 2:04:32 AM 57344 C:\WINDOWS\Unwash6.exe
PECompact2 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
qoologic 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
SAHAgent 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 9/29/2003 2:39:06 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 6/24/2005 6:04:36 PM 161280 C:\WINDOWS\SYSTEM32\fmod.dll
PTech 2/14/2006 10:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/29/2003 2:25:34 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/4/2006 8:50:20 PM S 2048 C:\WINDOWS\bootstat.dat
4/4/2006 8:51:46 PM H 31767 C:\WINDOWS\system32\vsconfig.xml
4/1/2006 7:50:40 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
2/15/2006 2:49:00 AM S 9639 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912475.cat
2/8/2006 7:58:30 PM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912945.cat
2/14/2006 10:20:42 AM S 7086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
4/5/2006 5:15:46 AM H 1024 C:\WINDOWS\system32\config\default.LOG
4/5/2006 5:15:52 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/5/2006 3:50:38 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
4/5/2006 5:28:02 AM H 1024 C:\WINDOWS\system32\config\software.LOG
4/5/2006 5:15:46 AM H 1024 C:\WINDOWS\system32\config\system.LOG
3/14/2006 6:08:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/13/2006 8:33:34 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
3/21/2006 7:05:02 AM S 27322 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
2/13/2006 8:33:34 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
3/21/2006 7:05:02 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
4/4/2006 8:50:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/21/2005 10:25:50 AM 299008 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/29/2003 3:41:26 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/29/2003 2:27:48 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/29/2003 2:45:06 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 7:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Realtek Semiconductor Corp. 9/15/2005 5:26:52 PM 266240 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/29/2003 3:22:02 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/29/2003 3:41:26 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/29/2003 2:27:48 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/29/2003 2:45:06 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 9/29/2003 3:22:02 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/20/2004 8:45:12 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 5/4/2004 3:05:08 PM 309760 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/11/2004 5:30:12 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/10/2004 10:18:00 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
5/11/2004 7:44:04 AM 1221 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
5/11/2004 5:30:12 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/10/2004 10:18:00 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
4/2/2006 7:13:40 PM 191 C:\Documents and Settings\Administrator\Application Data\G-Force Prefs (WindowsMediaPlayer).txt

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = AOL Toolbar : C:\Program Files\AOL Toolbar\toolbar.dll
{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPHUPD05 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
AGRSMMSG AGRSMMSG.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AOL Fast Start "C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
item IMStart
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
item IMStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
location Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
location Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpamSubtract.lnk
backup C:\WINDOWS\pss\SpamSubtract.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\SPAMSU~1\SpamSub.exe
item SpamSubtract
backup C:\WINDOWS\pss\SpamSubtract.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\SPAMSU~1\SpamSub.exe
item SpamSubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk
backup C:\WINDOWS\pss\PopSubtract.lnkCommon Startup
location Common Startup
item PopSubtract
backup C:\WINDOWS\pss\PopSubtract.lnkCommon Startup
location Common Startup
item PopSubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\spysub.exe -autostart
item SpySubtract
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\spysub.exe -autostart
item SpySubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Spyware Protection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLDialer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hpsysdrv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpsysdrv
hkey HKLM
command c:\windows\system\hpsysdrv.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpsysdrv
hkey HKLM
command c:\windows\system\hpsysdrv.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pure Networks Port Magic
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoActiveDesktopChanges 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
{450D8FBA-AD25-11D0-98A8-0800361B1103} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoDesktop 0
NoNetHood 0
HideClock 0
NoManageMyComputerVerb 0
NoLowDiskSpaceChecks 0
NoCDBurning 0
NoStartMenuPinnedList 0
NoStartMenuMFUprogramsList 1
NoUserNameInStartMenu 0
NoStartMenuSubFolders 0
NoCommonGroups 0
ClearRecentDocsOnExit 1
NoPrinterTabs 0
NoDeletePrinter 0
NoAddPrinter 0
NoPrinters 0
NoNetworkConnections 0
NoFavoritesMenu 0
NoSetFolders 0
NoSMHelp 0
NoChangeStartMenu 0
NoViewContextMenu 0
NoFileMenu 0
NoDrives 0
NoControlPanel 0
NoShellSearchButton 0
NoToolbarCustomize 0
NoRecentDocsNetHood 0
NoChangeAnimation 0
NoChangeKeyboardNavigationIndicators 0
NoRecentDocsHistory 0
MaxRecentDocs 11
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/5/2006 5:28:19 AM

========================================================

HJT
------------------------------------------------------------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 3/31/2006 6:31:34 PM 183197 C:\smitRem.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/2/2005 9:58:34 PM 293716 C:\WINDOWS\Golden Palace Casino PT setup.exe
PECompact2 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
qoologic 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
SAHAgent 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\lpt$vpn.867
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 7/25/2005 2:04:32 AM 57344 C:\WINDOWS\Unwash6.exe
PECompact2 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
qoologic 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
SAHAgent 9/29/2005 1:49:40 PM 15968671 C:\WINDOWS\VPTNFILE.867
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 9/29/2003 2:39:06 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 6/24/2005 6:04:36 PM 161280 C:\WINDOWS\SYSTEM32\fmod.dll
PTech 2/14/2006 10:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 8:10:36 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/29/2003 2:25:34 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 4/1/2006 7:48:06 AM 763616 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/4/2006 8:50:20 PM S 2048 C:\WINDOWS\bootstat.dat
4/4/2006 8:51:46 PM H 31767 C:\WINDOWS\system32\vsconfig.xml
4/1/2006 7:50:40 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
2/15/2006 2:49:00 AM S 9639 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912475.cat
2/8/2006 7:58:30 PM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912945.cat
2/14/2006 10:20:42 AM S 7086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
4/5/2006 5:15:46 AM H 1024 C:\WINDOWS\system32\config\default.LOG
4/5/2006 5:15:52 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/5/2006 3:50:38 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
4/5/2006 5:28:02 AM H 1024 C:\WINDOWS\system32\config\software.LOG
4/5/2006 5:15:46 AM H 1024 C:\WINDOWS\system32\config\system.LOG
3/14/2006 6:08:24 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
2/13/2006 8:33:34 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
3/21/2006 7:05:02 AM S 27322 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
2/13/2006 8:33:34 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
3/21/2006 7:05:02 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
4/4/2006 8:50:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/21/2005 10:25:50 AM 299008 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/29/2003 3:41:26 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/29/2003 2:27:48 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/29/2003 2:45:06 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 7:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Realtek Semiconductor Corp. 9/15/2005 5:26:52 PM 266240 C:\WINDOWS\SYSTEM32\RTSndMgr.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/29/2003 3:22:02 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/29/2003 3:41:26 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/29/2003 2:27:48 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/29/2003 2:45:06 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 9/29/2003 3:22:02 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/20/2004 8:45:12 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 5/4/2004 3:05:08 PM 309760 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/11/2004 5:30:12 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/10/2004 10:18:00 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
5/11/2004 7:44:04 AM 1221 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
5/11/2004 5:30:12 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/10/2004 10:18:00 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
4/2/2006 7:13:40 PM 191 C:\Documents and Settings\Administrator\Application Data\G-Force Prefs (WindowsMediaPlayer).txt

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP view : c:\program files\hp\digital imaging\bin\hpdtlk02.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = AOL Toolbar : C:\Program Files\AOL Toolbar\toolbar.dll
{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HPHUPD05 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
AGRSMMSG AGRSMMSG.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AOL Fast Start "C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^IMStart.lnk
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
item IMStart
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
item IMStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
location Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
location Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpamSubtract.lnk
backup C:\WINDOWS\pss\SpamSubtract.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\SPAMSU~1\SpamSub.exe
item SpamSubtract
backup C:\WINDOWS\pss\SpamSubtract.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\SPAMSU~1\SpamSub.exe
item SpamSubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch
backup C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI1933~1\OFFICE11\ONENOTEM.EXE /tsr
item Microsoft Office OneNote 2003 Quick Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PopSubtract.lnk
backup C:\WINDOWS\pss\PopSubtract.lnkCommon Startup
location Common Startup
item PopSubtract
backup C:\WINDOWS\pss\PopSubtract.lnkCommon Startup
location Common Startup
item PopSubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\spysub.exe -autostart
item SpySubtract
backup C:\WINDOWS\pss\SpySubtract.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\INTERM~1\SPYSUB~1\spysub.exe -autostart
item SpySubtract

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP
backup C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
item Updates from HP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Spyware Protection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSP Scheduler
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLDialer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
command C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLHostManager
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hpsysdrv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpsysdrv
hkey HKLM
command c:\windows\system\hpsysdrv.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpsysdrv
hkey HKLM
command c:\windows\system\hpsysdrv.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pure Networks Port Magic
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoActiveDesktopChanges 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
{450D8FBA-AD25-11D0-98A8-0800361B1103} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoDesktop 0
NoNetHood 0
HideClock 0
NoManageMyComputerVerb 0
NoLowDiskSpaceChecks 0
NoCDBurning 0
NoStartMenuPinnedList 0
NoStartMenuMFUprogramsList 1
NoUserNameInStartMenu 0
NoStartMenuSubFolders 0
NoCommonGroups 0
ClearRecentDocsOnExit 1
NoPrinterTabs 0
NoDeletePrinter 0
NoAddPrinter 0
NoPrinters 0
NoNetworkConnections 0
NoFavoritesMenu 0
NoSetFolders 0
NoSMHelp 0
NoChangeStartMenu 0
NoViewContextMenu 0
NoFileMenu 0
NoDrives 0
NoControlPanel 0
NoShellSearchButton 0
NoToolbarCustomize 0
NoRecentDocsNetHood 0
NoChangeAnimation 0
NoChangeKeyboardNavigationIndicators 0
NoRecentDocsHistory 0
MaxRecentDocs 11
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/5/2006 5:28:19 AM

swhit32257 · 04-05-2006, 03:32 AM

Sorry, heres the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 5:30:48 AM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\My Installers\WinPFind\winpfind.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Ried · 04-05-2006, 06:45 AM

Hello swhit32257,

Delete the following file:

C:\WINDOWS\ Golden Palace Casino PT setup.exe

If it resists deletion, boot into Safe Mode and delete from there.

-------------------------------

Please run another scan at Kaspersky and post the results here.

I'd also like to see the following:

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and past the List from the notebook here.

swhit32257 · 04-05-2006, 04:03 PM

File is deleted. I'll run Kasparev tonight...here's the other log you wanted:

Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 7.0.7
Agere Systems PCI Soft Modem
Air Mogul
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Deskbar
AOL Toolbar
AOL Uninstaller
AOL You've Got Pictures Screensaver
ATI Control Panel
ATI Display Driver
AVG Free Edition
Blasterball 2 from WildGames (remove only)
ccCommon
CCleaner (remove only)
Citrix ICA Web Client (Minimal Installation)
Cruise Ship Tycoon
EA SPORTS online 2005
EA.com Matchup
EA.com Update
Easy Internet Sign-up
Elf Bowling - Bocce Style! (remove only)
Elf Bowling 6 Air Biscuits 1.0 (remove only)
ewido security suite
FIFA 2002
Game Console - WildGames
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Image Zone for Media Center PC
HP Image Zone Plus 3.5
HP Multimedia Keyboard Software
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.5
HP Software Update
HPIZ350
Internet Worm Protection
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
Lavasoft VX2 Cleaner
Law and Order Criminal Intent
Learn2 Player (Uninstall Only)
LiveUpdate 2.7 (Symantec Corporation)
Macromedia Shockwave Player
Madden NFL 2005
Memories Disc Creator 2.0
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
Microsoft Zoo Tycoon
Mystery Case Files
Mystery Case Files - Huntsville (remove only)
NAVShortcut
Netscape Browser (remove only)
NHL® 2003
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
overland
Pacific Poker
Panda ActiveScan
Paradise Poker
PC-Doctor for Windows
PConPoint v3.5
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from WildGames (remove only)
Polar Golfer from WildGames (remove only)
Polar Golfer Pineapple Cup from WildGames (remove only)
Pure Networks Port Magic
QuickTime
RealArcade
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 5.1
RegistryFix v5.5
River Belle Free Play Poker
School Tycoon
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Ski Resort Tycoon
SPBBC
Spy Sweeper
Spybot - Search & Destroy 1.3
Spyware Doctor 3.5
Symantec
Toolkit View(HP)
Update for Windows XP (KB898461)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Updates from HP
WildTangent Web Driver
Window Washer
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPatrol
ZoneAlarm

Ried · 04-05-2006, 04:26 PM

Hi,

I'm going to play a hunch here and it will only take you a few extra minutes to carry out.

Download FixSF.reg and save the file to your desktop by right clicking and selecting "save file as".(This is not the same file you downloaded at the beginning of this fix)

Double-click the file and when it asks if you would like to merge the information, press the Yes button and then the OK button.

-----------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

-----------------------------------

Find and Delete the following Files and Folders. (Do not worry if the SpyFalcon/SpywareQuake Folder is/are not found)

C:\Windows\System32\dxmpp.dll
C:\WINDOWS\system32\dfrgsrv.exe
C:\Windows\System32\ginuerep.dll
C:\Windows\System32\stickrep.dll
C:\Program Files\SpyFalcon
C:\Program Files\SpywareQuake

-----------------------------------

I understand nothing was found here earlier, but please check one more time in case it may have finally been revealed:

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

-----------------------------------

Reboot into Normal Mode.

Any improvement in the background? I'll also be awaiting the Kaspersky results

swhit32257 · 04-05-2006, 05:11 PM

Reid, I'm very sad.

(1) My system won't boot into safe mode..just shows a screen full of files and stops (last files shown are in the driver directory -- last one was mup, I think)

(2) When I rebooted, none of the files you wanted deleted were there (and yes the settings were set to view everything).

(3) My spysweeper settings are now corrupt. It says to reinstall.

(4) My norton settings are now corrupt. They were result to default.

(5) My symptom with the windows auto update happened again in Norton (I had to go in, turn it off and turn it back on again to clear it out).

(6) The pop up message occurred again.

(7) I keep losing my internet connection (although I've had that issue on again and off again for a long time).

Now that I'm back on, I'll have to start kasparav again. In the meantime (groveling on my knees) - HELP! Thanks, SWHIT32257

03-31-2006, 03:49 PM	#1 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Spyware Quake Attack Mayday! Or is that April Fools Day? Actually, not yet. This is legit, I'm afraid. I found some removal instructions, but i don't think everything worked right because spyware runs are still showing stuff even though the "main" program is gone (I think). Below is the HJT log. I'll add a panda log as well as Ewido and some other spyrun run reports later when they're complete. I can't get to Kaspersky's website to do that run. Any idea why that website always seems to be down? Anyways, thanks in advance! SWHIT32257 -------------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 5:42:41 PM, on 3/31/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\WINDOWS\ehome\ehSched.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\wwSecure.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

04-01-2006, 12:05 AM	#2 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	Welcome to TSF. We need to know exactly what you have run please. And if you have those Ewido and Panda reports that would be great. Once we know what you've tried all ready - we can advise a way forward. __________________

04-01-2006, 05:06 AM	#4 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	If you have run SmitRem - please post it's log. It should be here C:\smitrem.txt __________________

04-01-2006, 10:32 AM	#6 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	OK - so we're on track. Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". Before you begin, take a read through these instructions and download the programs that I've advised. Save the below instructions in notepad or wordpad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers open during the cleaning process unless otherwise prompted. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. It is also important you don't miss a step and perform everything in the right order!! . ******************************DOWNLOADS**************************** Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program. Please download this regfile to your desktop:FFixSQ Unplug your computer from the Internet when you have finished downloading. *****************************SETTING UP**************************** Enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options>View tab. Enable the option for `Show hidden files and folder´ Disable the option for `Hide file extensions for known types´ Disable the option for `Hide protected operating system files´ Click Yes to confirm & then click OK *****************************HJT FIXES****************************** Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) - O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) - *************************MANUAL DELETIONS************************* Locate and delete the following file(s), if present: C:\Windows\System32\stickrep.dll ****************************ONLINE SCAN**************************** Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text** button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan ******************************CHECK LIST****************************** In your next post, please include fresh logs from: HiJackThis Online scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________

04-04-2006, 12:54 AM	#11 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,482 OS: XP SP2	Download and run - bfu.zip Checkmark the following boxes: Use settings specified in script for the above option Show log after script ends Click the Web button located on the top right corner Copy/Paste this url into the address bar of the Download script window: http://metallica.geekstogo.com/alcanshorty.bfu Execute the script by clicking the Execute button. When it finishes running, click the Save button for a copy of the log Post the log created by the script when you have completed the fix Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". Before you begin, take a read through these instructions and download the programs that I've advised. Save the below instructions in notepad or wordpad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers open during the cleaning process unless otherwise prompted. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. Please allow yourself a few spare hours. Below are instructions for virus a scan(s) that can take longer then 2 hours. It is also important you don't miss a step and perform everything in the right order!! . ******************************DOWNLOADS**************************** Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program. Download smitRem.exe and save the file to your desktop. Right click on the file and extract it to it's own folder on the desktop. Download Ewido Security Suite - Install & Update it's database but do not run it yet. If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. Unplug your computer from the Internet when you have finished downloading. ****************************SAFE MODE**************************** REBOOT TO SAFE MODE Restart the computer. The computer begins processing a set of instructions known as BIOS. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the 'Windows Advanced Options' menu appears. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode. ****************************ADDITIONAL SCANS************************** Open Ad-aware and close ALL other windows. 1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window: In the General window make sure the following are selected in green: Automatically save log-file Automatically quarantine objects prior to removal Safe Mode (always request confirmation) Prompt to update outdated definitions - set the number of days = 7 Click on the Scanning button on the left and select in green: Scan Within Archives Under Select drives & folders to scan: choose all hard drives Scan Active Processes Scan Registry Deep Scan Registry Scan my IE favorites for banned URL’s Scan my Hosts file Click on the Advanced button on the left and select in green: Move deleted files to recycle bin include addtional object information DeSelect - include negligible objects information Don't log streams smaller than 0 bytes Don't log ADS with the following names: CA_INOCULATEIT Click the Tweak button: Under Scanning Engine: Unload recognized processes during scanning Ignore spanned files when scanning cab archives Scan registry for all users instead of current user only Under Cleaning Engine: Let Windows remove files in use at next reboot Under Log Files: Include basic Ad-aware SE settings in logfile Include additional Ad-aware SE settings in logfile Include computer & username in logfile Please DeSelect: Include Module list in logfile 2. Click on Proceed to save the settings. 3. Click Start 4. Choose - Perform Full System Scan 5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. 6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. 7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window 8. Right-click on the list and choose Select All 9. Click Next to finish removing the items that were found ****************************EWIDO SCAN**************************** Run Ewido: Click [Scanner] Click [Complete System Scan] to begin scanning. Click [OK] when prompted to clean files With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK]. Once finished, click the Save report button Save the report to your desktop Close Ewido ****************************RUN SMITREM**************************** Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ****************************DESKTOP REPAIR************************* Next go to Control Panel** click Display>Desktop>Customize Desktop>Website Under the 'Web pages' box, Uncheck everything present. Reboot back to normal mode, and post the SmitRem.txt file, the BFU log and a new HJT log & Ewido results.. __________________ Last edited by POADB; 04-04-2006 at 12:56 AM.

04-01-2006, 04:41 AM	#3 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Here ya go... CCLEANER: Cleaned up over 10M of old files NORTON ANTIVIRUS: Clean Run PANDA: Incident Status Location Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Potentially unwanted tool:Application/Processor Not disinfected C:\My Shortcuts\smitRem.exe[Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\SmitRem\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe] EWIDO: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 8:51:20 PM, 3/31/2006 + Report-Checksum: 30A81E98 + Scan result: C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup ::Report End AD-AWARE: Clean Run SPYBOT S&D: Clean Run SPYWARE DOCTOR: Clean Run REGISTRY MECHANIC: ---------------------------------------------------------------------------------------------------- Registry Mechanic 5.1.0.224 ---------------------------------------------------------------------------------------------------- Start of Scan 3/31/2006 5:29:05 PM Your System Information : CPU: Intel Pentium IE: Internet Explorer 6.0.2900 MEMORY FREE: 606552 MEMORY TOTAL: 1047852 VIRTUAL FREE: 2018056 VIRTUAL TOTAL: 2097024 WINDOWS VER: Windows XP 5.1 (Build 2600) ---------------------------------------------------------------------------------------------------- Running processes: Process ID ---------------------------------------------------------------------------------------------------- [System Process] 0 System 4 smss.exe 512 csrss.exe 744 winlogon.exe 768 services.exe 816 lsass.exe 828 ati2evxx.exe 984 svchost.exe 1016 svchost.exe 1108 svchost.exe 1220 svchost.exe 1312 CCSETMGR.EXE 1468 CCEVTMGR.EXE 1564 SNDSrvc.exe 200 SPBBCSvc.exe 184 symlcsvc.exe 236 spoolsv.exe 544 AOLacsd.exe 700 aoltsmon.exe 1196 ehsched.exe 1276 ati2evxx.exe 1420 aoltpspd.exe 1480 ewidoctrl.exe 1488 ehrec.exe 1496 explorer.exe 1652 gearsec.exe 1668 MDM.EXE 1684 NAVAPSVC.EXE 1772 NPFMNTOR.EXE 1880 sdhelp.exe 1936 WRSSSDK.exe 596 wdfmgr.exe 696 wwSecure.exe 1440 hphmon05.exe 1996 AGRSMMSG.exe 2008 CCAPP.EXE 2016 SpySweeper.exe 2024 jusched.exe 2072 ctfmon.exe 2104 alg.exe 3200 wuauclt.exe 3520 wmiprvse.exe 3568 NSCSRVCE.EXE 3608 waol.exe 3920 shellmon.exe 2388 msmsgs.exe 3836 RegMech.exe 4040 ---------------------------------------------------------------------------------------------------- Sections Scanned: ---------------------------------------------------------------------------------------------------- TMP - 2 Location: C:\Program Files\Norton AntiVirus\Savrt\0602NAV~.TMP\ Value : Temp file = C:\Program Files\Norton AntiVirus\Savrt\0602NAV~.TMP Parsed : TMP - 3 Location: C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk\ Value : CHK file = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk Parsed : TMP - 4 Location: C:\WINDOWS\system32\CatRoot2\edb.chk\ Value : CHK file = C:\WINDOWS\system32\CatRoot2\edb.chk Parsed : DEEP - 5 Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache Value : C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat = C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat Parsed : C:\Documents and Settings\Administrator\Desktop\roguescanfix\Run.bat DEEP - 6 Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache Value : C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe = C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe Parsed : C:\Documents and Settings\Administrator\Desktop\roguescanfix\BFU.exe DEEP - 7 Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache Value : C:\WINDOWS\system32\dfrgsrv.exe = C:\WINDOWS\system32\dfrgsrv.exe Parsed : C:\WINDOWS\system32\dfrgsrv.exe DEEP - 8 Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache Value : C:\Documents and Settings\Administrator\Desktop\smitRem.exe = C:\Documents and Settings\Administrator\Desktop\smitRem.exe Parsed : C:\Documents and Settings\Administrator\Desktop\smitRem.exe DEEP - 9 Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache Value : c:\My Games\Poker Superstars 2\PokerSuperstars2.exe = c:\My Games\Poker Superstars 2\PokerSuperstars2.exe Parsed : c:\My Games\Poker Superstars 2\PokerSuperstars2.exe ---------------------------------------------------------------------------------------------------- Registry Mechanic 5.1.0.224 ---------------------------------------------------------------------------------------------------- End of Scan 3/31/2006 5:33:27 PM Your System Information : CPU: Intel Pentium IE: Internet Explorer 6.0.2900 MEMORY FREE: 606552 MEMORY TOTAL: 1047852 VIRTUAL FREE: 2018056 VIRTUAL TOTAL: 2097024 WINDOWS VER: Windows XP 5.1 (Build 2600) System Restore Point created

04-01-2006, 07:30 AM	#5 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Found a smitfiles.log -- here it is smitRem © log file version 2.8 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Fri 03/31/2006 The current time is: 17:39:48.62 Running from C:\Documents and Settings\Administrator\Desktop\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1652 'explorer.exe' Killing PID 1652 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN! :)

04-03-2006, 03:26 PM	#10 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Bumping up... Also, I need to report another symptom. When I boot, norton is under the impression that my microsoft windows update is turned off, yet it says it is on. I must physically turn it off and back on to clear it up. Not sure what that means, but maybe it means something to you guys. Thanks! SWHIT32257 If it'll help, i ran another panda scan this morning and hjt just now...here's the latest logs: PANDA: Incident Status Location Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Potentially unwanted tool:Application/Processor Not disinfected C:\My Shortcuts\smitRem.exe[Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\SmitRem\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[Process.exe] HJT: Logfile of HijackThis v1.99.1 Scan saved at 5:26:20 PM, on 4/3/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\ehome\ehSched.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\ehome\ehRec.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wwSecure.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\1143904926\ee\aolsoftware.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143904926\ee\AOLSoftware.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1144058459921 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

04-04-2006, 02:36 PM	#12 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	SmitRem.txt file smitRem © log file version 2.8 by noahdfear Microsoft Windows XP [Version 5.1.2600] The current date is: Tue 04/04/2006 The current time is: 16:22:44.12 Running from C:\Program Files\smitRem\smitRem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pre-run SharedTask Export (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key not present! checking for WinHound.com key WinHound.com key not present! spyaxe uninstaller NOT present Winhound uninstaller NOT present SpywareStrike uninstaller NOT present ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 4508 'explorer.exe' Killing PID 4508 'explorer.exe' Starting registry repairs Registry repairs complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SharedTask Export after registry fix (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler) Copyright(C) 2006 BleepingComputer.com Registry Pseudo-Format Mode (Not a valid reg file): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32] @="%SystemRoot%\System32\browseui.dll" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Deleting files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ CLEAN! :) BFU log BFU v1.00.9 Windows XP SP2 (WinNT 5.01.2600 SP2) Script started at 5:39:41 AM, on 4/4/2006 Script completed. HJT log Logfile of HijackThis v1.99.1 Scan saved at 4:35:23 PM, on 4/4/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\ehome\ehSched.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wwSecure.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe Ewido results --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 4:20:21 PM, 4/4/2006 + Report-Checksum: 2AC89E51 + Scan result: No infected objects found. ::Report End

04-04-2006, 06:41 PM	#13 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Symptom update -- the popup and desktop situations are continuing. I was FINALLY able to run a Kasparev scan (just through AOL, interestingly enought but not in IE). Lots of problems. See the log below: ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Tuesday, April 04, 2006 8:18:25 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 4/04/2006 Kaspersky Anti-Virus database records: 174982 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ Scan Statistics: Total number of scanned objects: 222461 Number of viruses found: 5 Number of infected objects: 9 Number of suspicious objects: 0 Duration of the scan process: 02:32:06 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\559C0369.exe Infected: Trojan-Downloader.Win32.Zlob.is skipped C:\My Installers\eCodec-v4.401.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.jz skipped C:\My Installers\eCodec-v4.401.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.jy skipped C:\My Installers\eCodec-v4.401.exe NSIS: infected - 2 skipped C:\My Installers\eCodec-v4.401.exe UPX: infected - 2 skipped C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP269\A0087265.exe Infected: Trojan-Downloader.Win32.Zlob.jx skipped C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP269\A0087271.tlb Infected: Trojan-Downloader.Win32.Zlob.js skipped C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP270\A0087361.exe Infected: Trojan-Downloader.Win32.Zlob.js skipped C:\System Volume Information\_restore{705F393B-7BA4-487A-8373-6B62B26D1958}\RP271\A0087413.tlb Infected: Trojan-Downloader.Win32.Zlob.js skipped Scan process completed.

04-05-2006, 03:32 AM	#16 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Sorry, heres the HJT log... Logfile of HijackThis v1.99.1 Scan saved at 5:30:48 AM, on 4/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\ehome\ehSched.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wwSecure.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE C:\Program Files\America Online 9.0\waol.exe C:\Program Files\America Online 9.0\shellmon.exe C:\My Installers\WinPFind\winpfind.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.linksys.com/registration/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://aolsvc.aol.com/onlinegames/so...tched/main.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/ch...ploader_v7.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

04-05-2006, 06:45 AM	#17 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,064 OS: WinXP and Vista	Hello swhit32257, Delete the following file: C:\WINDOWS\ Golden Palace Casino PT setup.exe If it resists deletion, boot into Safe Mode and delete from there. ------------------------------- Please run another scan at Kaspersky and post the results here. I'd also like to see the following: Open HijackThis Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Please copy and past the List from the notebook here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-05-2006, 04:03 PM	#18 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	File is deleted. I'll run Kasparev tonight...here's the other log you wanted: Ad-Aware SE Personal Adobe Atmosphere Player for Acrobat and Adobe Reader Adobe Reader 7.0.7 Agere Systems PCI Soft Modem Air Mogul AOL Coach Version 2.0(Build:20041026.5 en) AOL Connectivity Services AOL Deskbar AOL Toolbar AOL Uninstaller AOL You've Got Pictures Screensaver ATI Control Panel ATI Display Driver AVG Free Edition Blasterball 2 from WildGames (remove only) ccCommon CCleaner (remove only) Citrix ICA Web Client (Minimal Installation) Cruise Ship Tycoon EA SPORTS online 2005 EA.com Matchup EA.com Update Easy Internet Sign-up Elf Bowling - Bocce Style! (remove only) Elf Bowling 6 Air Biscuits 1.0 (remove only) ewido security suite FIFA 2002 Game Console - WildGames High Definition Audio Driver Package - KB835221 HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 1.99.1 Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows XP (KB888795) Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB912475) HP Deskjet Preloaded Printer Drivers HP Image Zone 3.5 HP Image Zone for Media Center PC HP Image Zone Plus 3.5 HP Multimedia Keyboard Software HP Photo & Imaging 3.5 - HP Devices HP PSC & OfficeJet 3.5 HP Software Update HPIZ350 Internet Worm Protection InterVideo WinDVD Creator 2 InterVideo WinDVD Player iTunes J2SE Runtime Environment 5.0 Update 6 Kaspersky On-line Scanner Lavasoft VX2 Cleaner Law and Order Criminal Intent Learn2 Player (Uninstall Only) LiveUpdate 2.7 (Symantec Corporation) Macromedia Shockwave Player Madden NFL 2005 Memories Disc Creator 2.0 MetaFrame Presentation Server Web Client for Win32 Microsoft .NET Framework 1.0 Hotfix (KB887998) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB886903) Microsoft .NET Framework 2.0 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Office OneNote 2003 Microsoft Office Professional Edition 2003 Microsoft Plus! Digital Media Edition Microsoft Works 7.0 Microsoft Zoo Tycoon Mystery Case Files Mystery Case Files - Huntsville (remove only) NAVShortcut Netscape Browser (remove only) NHL® 2003 Norton AntiVirus 2006 Norton AntiVirus 2006 (Symantec Corporation) Norton AntiVirus Help Norton AntiVirus Parent MSI Norton AntiVirus SYMLT MSI Norton Protection Center Norton WMI Update overland Pacific Poker Panda ActiveScan Paradise Poker PC-Doctor for Windows PConPoint v3.5 Photosmart 140,240,7200,7600,7700,7900 Series Polar Bowler from WildGames (remove only) Polar Golfer from WildGames (remove only) Polar Golfer Pineapple Cup from WildGames (remove only) Pure Networks Port Magic QuickTime RealArcade RealPlayer Realtek High Definition Audio Driver Registry Mechanic 5.1 RegistryFix v5.5 River Belle Free Play Poker School Tycoon Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Ski Resort Tycoon SPBBC Spy Sweeper Spybot - Search & Destroy 1.3 Spyware Doctor 3.5 Symantec Toolkit View(HP) Update for Windows XP (KB898461) Update for Windows XP (KB900930) Update for Windows XP (KB904942) Update for Windows XP (KB910437) Update for Windows XP (KB912945) Updates from HP WildTangent Web Driver Window Washer Windows Genuine Advantage v1.3.0254.0 Windows Installer 3.1 (KB893803) Windows Media Connect Windows Media Format Runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 10 Windows Media Player 9 Hotfix [See KB885492 for more information] Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB887797 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Service Pack 2 WinPatrol ZoneAlarm

04-05-2006, 04:26 PM	#19 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 27,064 OS: WinXP and Vista	Hi, I'm going to play a hunch here and it will only take you a few extra minutes to carry out. Download FixSF.reg and save the file to your desktop by right clicking and selecting "save file as".(This is not the same file you downloaded at the beginning of this fix) Double-click the file and when it asks if you would like to merge the information, press the Yes button and then the OK button. ----------------------------------- Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. ----------------------------------- Find and Delete the following Files and Folders. (Do not worry if the SpyFalcon/SpywareQuake Folder is/are not found) C:\Windows\System32\dxmpp.dll C:\WINDOWS\system32\dfrgsrv.exe C:\Windows\System32\ginuerep.dll C:\Windows\System32\stickrep.dll C:\Program Files\SpyFalcon C:\Program Files\SpywareQuake ----------------------------------- I understand nothing was found here earlier, but please check one more time in case it may have finally been revealed: Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: · "Security Info" · "Warning Message" · "Security Desktop" · "Warning Homepage" · "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ----------------------------------- Reboot into Normal Mode. Any improvement in the background? I'll also be awaiting the Kaspersky results __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-05-2006, 05:11 PM	#20 (permalink)
swhit32257 Registered User Join Date: Sep 2005 Posts: 132 OS: Vista	Reid, I'm very sad. (1) My system won't boot into safe mode..just shows a screen full of files and stops (last files shown are in the driver directory -- last one was mup, I think) (2) When I rebooted, none of the files you wanted deleted were there (and yes the settings were set to view everything). (3) My spysweeper settings are now corrupt. It says to reinstall. (4) My norton settings are now corrupt. They were result to default. (5) My symptom with the windows auto update happened again in Norton (I had to go in, turn it off and turn it back on again to clear it out). (6) The pop up message occurred again. (7) I keep losing my internet connection (although I've had that issue on again and off again for a long time). Now that I'm back on, I'll have to start kasparav again. In the meantime (groveling on my knees) - HELP! Thanks, SWHIT32257