Old 04-14-2006, 11:39 PM   #1 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


HijackThis log for non-working cmd, regedit, msconfig, taskmanager

Hello,

Attached below is the HijackThis log. The problem I am facing (on XP Pro) is that tools such as cmd, msconfig, regedit, Alt-Ctrl-Del->TaskManager do not show up (or show up and disappear instantaneously).

In case it helps, one odd thing I have noticed is: c:\windows\system32\explorer.exe of size 91 KB created on Monday, April 10, 2006, 9:43:58 AM.

Please help.

Thanks,

--sgu


Logfile of HijackThis v1.99.1
Scan saved at 10:32:38 PM, on 4/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\opt\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\OfficeScan NT\pccntmon.exe
C:\opt\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\explorer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Pivotal\Relation\relation.exe
C:\Program Files\Pivotal\Relation\nserverc.exe
C:\PROGRA~1\Pivotal\Relation\msync.exe
C:\WINDOWS\System32\wuauclt1.exe
C:\opt\vim\vim63\gvim.exe
C:\opt\tcsh\tcsh.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\admin\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-blv-proxy.boeing.com:31060
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] C:\opt\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\RunServices: [Microsoft Explorer] explorer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\opt\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp.mc.com/qp2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btconferencing.webex.com/cli...ex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://anywhere.mc.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.mc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBE7F087-20EE-4C8E-9628-50FA2B5BE0A2}: Domain = ad.mc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBE7F087-20EE-4C8E-9628-50FA2B5BE0A2}: NameServer = 172.18.12.11,172.16.120.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ad.mc.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Desk Manager (rdm) - AT&T Research Labs Cambridge - C:\WINDOWS\WinVNC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
Old 04-15-2006, 03:02 AM   #2 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


* * * * * *




  1. Download and run - bfu.zip
  2. Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  3. Click the Web button located on the top right corner
  4. Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  5. Execute the script by clicking the Execute button.
  6. When it finishes running, click the Save button for a copy of the log
  7. Post the log created by the script when you have completed the fix


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\RunServices: [Microsoft Explorer] explorer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\System32\explorer.exe
  • C:\WINDOWS\System32\wuauclt1.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
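As a defender-side illustration of the pattern sUBs's "Fix checked" list targets, here is a small Python triage of the registry O4 lines from a HijackThis log. This is an added example, not code from the thread, from HijackThis or from TSF; the sample lines are copied from the first log above, and the expected home of explorer.exe and the list of Win9x-only keys are my own assumptions.

```python
"""Triage of HijackThis O4 (registry autostart) lines for the explorer.exe
masquerade discussed in this thread. Added example, not thread or HJT code."""
import ntpath
import re
from collections import Counter

# Regex for the registry flavour of O4 lines, e.g.
#   O4 - HKLM\..\Run: [Microsoft Explorer] explorer.exe
O4_REG = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# First program path in the command, with or without surrounding quotes.
EXE_IN_CMD = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# ASSUMPTION: where the genuine binary lives on a default Windows XP install.
# A copy anywhere else, or a bare name that the loader resolves through the
# search path, is the masquerade in this thread (a 91 KB explorer.exe in System32).
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}

# RunServices / RunServicesOnce are Windows 9x/Me autostart keys; NT-based
# Windows (XP included) does not process them, so something that writes there
# is targeting both families at once, a habit of bots rather than vendors.
WIN9X_ONLY_KEYS = {"runservices", "runservicesonce"}

# Constructed sample: O4 lines copied from the first log in the thread, with a
# few benign entries kept for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Explorer] explorer.exe
O4 - HKCU\..\RunServices: [Microsoft Explorer] explorer.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
"""


def executable_of(cmd):
    """Program path from an O4 command line, honouring quotes and spaces in paths."""
    cmd = cmd.strip()
    m = EXE_IN_CMD.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def triage_o4(log_text):
    """Parse the registry O4 lines and attach a list of reasons to each entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Global Startup and non-O4 lines are out of scope here
        exe = executable_of(m.group("cmd"))
        base = ntpath.basename(exe).lower()
        directory = ntpath.dirname(exe).lower()
        reasons = []
        expected = EXPECTED_DIR.get(base)
        if expected and directory != expected:
            where = directory or "a bare name resolved via the search path"
            reasons.append(f"{base} belongs in {expected}, launched from {where}")
        if m.group("key").lower() in WIN9X_ONLY_KEYS:
            reasons.append(f"{m.group('key')} is a Win9x-only key that XP ignores")
        entries.append({
            "line": line.strip(),
            "location": f"{m.group('hive')}\\{m.group('key')}",
            "name": m.group("name"),
            "exe": exe,
            "reasons": reasons,
        })
    # The same value name and command registered under several autostart keys
    # is the belt-and-braces persistence in this thread (four copies of
    # [Microsoft Explorer] explorer.exe); flag every copy.
    copies = Counter((e["name"].lower(), e["exe"].lower()) for e in entries)
    for e in entries:
        n = copies[(e["name"].lower(), e["exe"].lower())]
        if n > 1:
            e["reasons"].append(f"same entry registered in {n} autostart locations")
    return entries


def flagged(log_text):
    """Only the entries that earned at least one reason."""
    return [e for e in triage_o4(log_text) if e["reasons"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_O4_LINES):
        print(e["line"])
        for r in e["reasons"]:
            print("   ->", r)
```

Run against the sample it reports exactly the four [Microsoft Explorer] entries that the fix list above asks HijackThis to remove, and leaves the vendor entries alone.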
Old 04-15-2006, 11:43 PM   #3 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,


In essential steps, what I did:

1) Ran Bit Defender from: http://www.bitdefender.com/scan/licence.php

It reported the following:

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Infected with: Generic.Qhost
Disinfection failed
Deleted

C:\WINDOWS\SYSTEM32\explorer.exe
Infected with: Backdoor.RBot.3B340EF4
Disinfection failed
Delete failed

C:\WINDOWS\SYSTEM32\tt
Infected with: Backdoor.BotGet.FtpB.Gen
Deleted

Found and removed bad stuff in
C:\System Volume Information\_restore...

2) In Windows Explorer, renamed C:\WINDOWS\SYSTEM32\explorer.exe and deleted it.

3) Ran HijackThis and tried to get rid of the four "O4 - HKLM\..\Run..." references to explorer.exe. But it could only get rid of two of the four references.

4) Rebooted (two Windows Explorers opened up); ran msconfig; unchecked two boxes that wanted explorer.exe to run.

5) Rebooted. Ran HijackThis and removed the remaining two "O4 - HKLM\..\Run..." references to explorer.exe. While in HijackThis, also removed a few other benign entries.

6) I deleted C:\WINDOWS\System32\wuauclt.exe and C:\WINDOWS\System32\wuauclt1.exe. After rebooting, there was a C:\WINDOWS\System32\wuauclt.exe of size roughly 122 KBytes and with creation date Friday, March 19, 2004, 3:45:14 PM and modified date Thursday, May 26, 2005, 5:16:30 AM.

Attached below is the latest HijackThis log.

I can now run cmd, msconfig, regedit, and Alt-Ctrl-Del->Task Manager.

Thanks,

--SGU

Logfile of HijackThis v1.99.1
Scan saved at 8:25:09 PM, on 4/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\opt\Java\j2re1.4.2_06\bin\javaw.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\OfficeScan NT\pccntmon.exe
C:\opt\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\admin\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-blv-proxy.boeing.com:31060
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] C:\opt\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\opt\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp.mc.com/qp2.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btconferencing.webex.com/cli...ex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://anywhere.mc.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.mc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ad.mc.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Desk Manager (rdm) - AT&T Research Labs Cambridge - C:\WINDOWS\WinVNC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe

Last edited by sUBs; 04-16-2006 at 01:18 AM.
Old 04-16-2006, 02:22 AM   #4 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Quote:
I deleted C:\WINDOWS\System32\wuauclt.exe
That is a legitimate file which is related to Windows updates. Please do NOT delete any more files that you're unsure of. The consequences of doing so may be most undesirable.

Did you encounter any difficulties running an online scan at Kaspersky? BitDefender is not what I requested.

Please post Ewido's log.
__________________

Question - what have you done for the community today?
Old 04-16-2006, 11:16 AM   #5 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


I tried Kaspersky's on-line scan: download of scanner happened; download progress dialog box changed to dialog box that shows progress of scanning of files and detection -- but nothing happened after that!

Besides Bit Defender, I tried three other on-line scans. McAfee and Symantec did not report anything new. PandaSoftware (http://www.pandasoftware.com/actives..._principal.htm) reported the following:
Code:
    Incident                       | Status           | Location
    -------------------------------+------------------+-----------------
    Spyware:spyware/searchcentrix  | Not disinfected  | Windows Registry
Will try Ewido which requires download and install (don't want to try their on-line scan since it is still beta).
Old 04-21-2006, 07:13 PM   #6 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,

Sorry about the delay; here are the requested logs. Kaspersky's scan still doesn't start after download. Attached below are

1) PandaSoftware's scan log
2) Ewido's scan log
3) HijackThis' log

Please advise.

Thanks,

--Suresh

1) PandaSoftware:

Incident                                         | Status          | Location
-------------------------------------------------+-----------------+-----------------
Spyware:spyware/searchcentrix                    | Not disinfected | Windows Registry
Spyware:Cookie/2o7                               | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@2o7[2].txt
Spyware:Cookie/PointRoll                         | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@ads.pointroll[1].txt
Spyware:Cookie/Adtech                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@adtech[2].txt
Spyware:Cookie/Advertising                       | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@advertising[2].txt
Spyware:Cookie/Apmebf                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@apmebf[2].txt
Spyware:Cookie/Falkag                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT                         | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@atdmt[2].txt
Spyware:Cookie/Atwola                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@atwola[1].txt
Spyware:Cookie/Bluestreak                        | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@bluestreak[1].txt
Spyware:Cookie/Coremetrics                       | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick                       | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@doubleclick[1].txt
Spyware:Cookie/Hitbox                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@ehg.hitbox[2].txt
Spyware:Cookie/go                                | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@go[1].txt
Spyware:Cookie/Hitbox                            | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@hitbox[2].txt
Spyware:Cookie/Mediaplex                         | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@mediaplex[2].txt
Spyware:Cookie/Overture                          | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@perf.overture[1].txt
Spyware:Cookie/QkSrv                             | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@qksrv[2].txt
Spyware:Cookie/QuestionMarket                    | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@questionmarket[2].txt
Spyware:Cookie/Advertising                       | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@servedby.advertising[2].txt
Spyware:Cookie/Statcounter                       | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace               | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@trafficmp[1].txt
Spyware:Cookie/Tribalfusion                      | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@tribalfusion[2].txt
Spyware:Cookie/Affiliate fuel                    | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@www.affiliatefuel[1].txt
Spyware:Cookie/Adserver                          | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@z1.adserver[1].txt
Spyware:Cookie/Zedo                              | Not disinfected | C:\Documents and Settings\sgu\Cookies\sgu@zedo[1].txt

Potentially unwanted tool:Application/Pskill.A Not disinfected C:\admin\tools\pskill.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\admin\tools\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Pskill.K Not disinfected C:\opt\wu\pskill.exe

2) Ewido:

__________________________________________________
ewido security suite online scanner
http://www.ewido.net
__________________________________________________

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\sgu\Cookies\sgu@2o7[2].txt
Risk: Medium

Name: TrackingCookie.Addynamix
Path: C:\Documents and Settings\sgu\Cookies\sgu@ads.addynamix[1].txt
Risk: Medium

Name: TrackingCookie.Pointroll
Path: C:\Documents and Settings\sgu\Cookies\sgu@ads.pointroll[1].txt
Risk: Medium

Name: TrackingCookie.Adtech
Path: C:\Documents and Settings\sgu\Cookies\sgu@adtech[2].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\sgu\Cookies\sgu@advertising[2].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\sgu\Cookies\sgu@americanexpress.122.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Falkag
Path: C:\Documents and Settings\sgu\Cookies\sgu@as-us.falkag[1].txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\sgu\Cookies\sgu@atdmt[2].txt
Risk: Medium

Name: TrackingCookie.Bluestreak
Path: C:\Documents and Settings\sgu\Cookies\sgu@bluestreak[1].txt
Risk: Medium

Name: TrackingCookie.Bridgetrack
Path: C:\Documents and Settings\sgu\Cookies\sgu@citi.bridgetrack[2].txt
Risk: Medium

Name: TrackingCookie.Coremetrics
Path: C:\Documents and Settings\sgu\Cookies\sgu@data.coremetrics[1].txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\sgu\Cookies\sgu@doubleclick[1].txt
Risk: Medium

Name: TrackingCookie.Ru4
Path: C:\Documents and Settings\sgu\Cookies\sgu@edge.ru4[1].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\sgu\Cookies\sgu@ehg-dig.hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\sgu\Cookies\sgu@ehg-knightridder.hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\sgu\Cookies\sgu@ehg.hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\sgu\Cookies\sgu@hitbox[2].txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: C:\Documents and Settings\sgu\Cookies\sgu@mediaplex[2].txt
Risk: Medium

Name: TrackingCookie.Overture
Path: C:\Documents and Settings\sgu\Cookies\sgu@perf.overture[1].txt
Risk: Medium

Name: TrackingCookie.Qksrv
Path: C:\Documents and Settings\sgu\Cookies\sgu@qksrv[2].txt
Risk: Medium

Name: TrackingCookie.Questionmarket
Path: C:\Documents and Settings\sgu\Cookies\sgu@questionmarket[2].txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\sgu\Cookies\sgu@servedby.advertising[2].txt
Risk: Medium

Name: TrackingCookie.Statcounter
Path: C:\Documents and Settings\sgu\Cookies\sgu@statcounter[1].txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\sgu\Cookies\sgu@tacoda[2].txt
Risk: Medium

Name: TrackingCookie.Trafficmp
Path: C:\Documents and Settings\sgu\Cookies\sgu@trafficmp[1].txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: C:\Documents and Settings\sgu\Cookies\sgu@tribalfusion[1].txt
Risk: Medium

Name: TrackingCookie.Adserver
Path: C:\Documents and Settings\sgu\Cookies\sgu@z1.adserver[1].txt
Risk: Medium

Name: TrackingCookie.Zedo
Path: C:\Documents and Settings\sgu\Cookies\sgu@zedo[1].txt
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com\AppInfo
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com\CMEII
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com\GInternet
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com\GInternet\Proxy
Risk: Medium

Name: Adware.WebEx
Path: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP88\A0007927.dll
Risk: Medium

3) HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:47:28 PM, on 4/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\opt\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\CClient.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Tally Systems Corp\TSCensus\bin\TSUsage32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\OfficeScan NT\pccntmon.exe
C:\opt\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\MSSQL7\Binn\sqlmangr.exe
c:\admin\tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-blv-proxy.boeing.com:31060
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] C:\opt\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\opt\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp.mc.com/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://btconferencing.webex.com/cli...ex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://anywhere.mc.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.mc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.mc.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ad.mc.com
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Desk Manager (rdm) - AT&T Research Labs Cambridge - C:\WINDOWS\WinVNC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: TSCensus Collection Client - Tally Systems Corp. - C:\Program Files\Tally Systems Corp\TSCensus\bin\CClientSvc.exe
Old 04-24-2006, 02:03 PM   #7 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


PS: Although the computer seems to be working fine, I am bothered by the following:

1) gator.com in the registry, detected by Ewido, is not mentioned in the HijackThis log. Also, since it is not in the HijackThis log, I am not sure how best to get rid of these entries.

2) Ewido reports Adware.WebEx in the file

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP88\A0007927.dll

This is a 61 KB file, created on Monday, March 06, 2006, 9:58:41 AM and last modified on Wednesday, July 09, 2003, 5:36:54 PM. I don't understand how the last modified time can be older than the creation time! Also, Properties->Version Tab->info on Original File Name says "ieatgpc.dll" -- don't like "i eat [g]pc"!

3) On April 15, I had deleted the cookies -- not sure where the bad cookies reported by Panda and Ewido are coming from!

Please advise.

Thanks,

--sgu
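Added example (not part of the thread, and not anything the scanners ship): a short Python script that parses the two report formats posted above, Panda's one-line "kind:name status path" entries and Ewido's Name/Path/Risk triples, merges the two on path, and sorts every finding into the location classes that answer the three questions in post #7. Plain keys under HKLM\SOFTWARE are configuration leftovers, not autostart points, which is why a HijackThis log never shows them; a file under System Volume Information\_restore{GUID}\RPnn is the copy System Restore made of a file that was on disk at checkpoint time, and a copy keeps the original's last-modified time while receiving a fresh creation time, which is exactly the "created after modified" pattern on A0007927.dll; tracking cookies are rewritten whenever a site that sets them is visited. The path rules, the category names and the guidance strings are my assumptions; the sample lines are copied from the reports above and are only there so the script runs offline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Constructed sample input: a handful of lines copied from the Panda and
# Ewido reports posted in this thread, enough to exercise every category.
PANDA_SAMPLE = r"""
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\sgu\Cookies\sgu@zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\sgu\Cookies\sgu@doubleclick[1].txt

Potentially unwanted tool:Application/Pskill.A Not disinfected C:\admin\tools\pskill.exe
"""

EWIDO_SAMPLE = r"""
Name: TrackingCookie.Zedo
Path: C:\Documents and Settings\sgu\Cookies\sgu@zedo[1].txt
Risk: Medium

Name: Adware.Gator
Path: HKLM\SOFTWARE\Gator.com\GInternet\Proxy
Risk: Medium

Name: Adware.WebEx
Path: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP88\A0007927.dll
Risk: Medium
"""

# Panda ActiveScan: "<kind>:<name> <status> <path>". The name may contain
# spaces ("Cookie/Affiliate fuel"), so it is matched lazily up to the status.
PANDA_LINE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<path>.+)$"
)

# Location rules (assumed here, not taken from the thread). Windows paths are
# case-insensitive, so the patterns are too.
COOKIE_DIR = re.compile(r"\\cookies\\", re.I)
RESTORE_POINT = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)
AV_QUARANTINE = re.compile(r"\\officescan nt\\suspect\\", re.I)

# What a responder does with each class (assumed guidance, one line per class).
GUIDANCE = {
    "cookie": "browser tracking cookie: delete the file; it returns whenever a site that sets it is visited",
    "registry": "leftover Software key, not an autostart point, so HijackThis does not list it; delete the key by hand",
    "restore-point copy": "System Restore's copy of a file that was on disk at checkpoint time; purge by turning System Restore off and on",
    "av quarantine": "already isolated by the resident scanner; empty the quarantine folder",
    "live file": "present on the running system: identify it before deleting",
}


@dataclass
class Finding:
    path: str
    category: str
    names: List[str] = field(default_factory=list)      # one detection name per scanner
    scanners: List[str] = field(default_factory=list)   # which scanners reported it


def classify(path: str) -> str:
    """Map a reported path to one of the GUIDANCE classes."""
    if path.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
        return "registry"
    if COOKIE_DIR.search(path):
        return "cookie"
    if RESTORE_POINT.search(path):
        return "restore-point copy"
    if AV_QUARANTINE.search(path):
        return "av quarantine"
    return "live file"


def parse_panda(text: str) -> Iterator[Tuple[str, str]]:
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            yield f"{m['kind']}:{m['name']}", m["path"]


def parse_ewido(text: str) -> Iterator[Tuple[str, str]]:
    """Ewido prints Name/Path/Risk triples separated by blank lines."""
    name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("Path: ") and name is not None:
            yield name, line[len("Path: "):]
            name = None


def triage(panda_text: str, ewido_text: str) -> Dict[str, List[Finding]]:
    """Merge both reports on the case-folded path, then group by category."""
    merged: Dict[str, Finding] = {}
    for scanner, items in (("Panda", parse_panda(panda_text)), ("Ewido", parse_ewido(ewido_text))):
        for name, path in items:
            f = merged.setdefault(path.lower(), Finding(path=path, category=classify(path)))
            f.names.append(name)
            f.scanners.append(scanner)
    grouped: Dict[str, List[Finding]] = defaultdict(list)
    for f in merged.values():
        grouped[f.category].append(f)
    return dict(grouped)


def report(grouped: Dict[str, List[Finding]]) -> List[str]:
    """One header line per category followed by its findings."""
    lines = []
    for category, findings in grouped.items():
        lines.append(f"[{category}] {GUIDANCE[category]}")
        for f in findings:
            lines.append(f"  {f.path}  ({', '.join(f.names)}; seen by {'+'.join(f.scanners)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(PANDA_SAMPLE, EWIDO_SAMPLE))))
```

Running it on the full reports above instead of the samples is a matter of reading the two report files into `PANDA_SAMPLE` and `EWIDO_SAMPLE`; the same zedo cookie then shows up once, tagged "seen by Panda+Ewido", rather than as two findings.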
Old 04-24-2006, 09:46 PM   #8 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello again,

Here's Kaspersky's scan log. It looks huge, but I think the only critical items not found in the earlier scans are:

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0006815.exe//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0006815.exe Infected: not-a-virus:AdWare.Win32.WebEx
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP88\A0007927.dll Infected: not-a-virus:AdWare.Win32.WebEx

Please advise.

PS: Three bugs in Kaspersky
-- they think April 25, 2006 has passed!
-- during the scan, the info box on the right said release date was "Sunday, April 25, 2006" so they think Sunday was April 25, 2006
-- during the scan, the info box on the right lower corner said 178287 records, but the summary says 189735 records.

Thanks,

--sgu

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 24, 2006 20:27:08
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/04/2006
Kaspersky Anti-Virus database records: 189735
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 111128
Number of viruses found: 31
Number of infected objects: 193
Number of suspicious objects: 6
Duration of the scan process: 5362 sec

Infected Object Name - Virus Name

C:\admin\tools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101

C:\OfficeScan NT\SUSPECT\0i09u5rug08r89589gjrg.eml/[From george@reilly.org][Date Mon, 31 Jan 2005 12:52:45 +0100]/id43342_vim-dev.pif Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\0i09u5rug08r89589gjrg.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\agradou.eml/[From ackahn@netapp.com][Date Sat, 8 Jan 2005 14:37:02 -0300]/:(.doc.bat Infected: Email-Worm.Win32.NetSky.af
C:\OfficeScan NT\SUSPECT\agradou.eml Infected: Email-Worm.Win32.NetSky.af
C:\OfficeScan NT\SUSPECT\archive1213.jar-4f861510-23e4d6cc.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\OfficeScan NT\SUSPECT\archive1213.jar-4f861510-23e4d6cc.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\OfficeScan NT\SUSPECT\archive1213.jar-4f861510-23e4d6cc.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\OfficeScan NT\SUSPECT\archive1213.jar-4f861510-23e4d6cc.zip Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\OfficeScan NT\SUSPECT\delivery_error__vim_vim_org_.eml/[From leitner@math.fu-berlin.de][Date Mon, 28 Nov 2005 22:40:50 +0900]/data19513.zip/data.eml .scr Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\delivery_error__vim_vim_org_.eml/[From leitner@math.fu-berlin.de][Date Mon, 28 Nov 2005 22:40:50 +0900]/data19513.zip Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\delivery_error__vim_vim_org_.eml Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\delivery_failure_notice__id_00004b5f_.eml/[From vinschen@redhat.com][Date Sat, 5 Mar 2005 08:44:28 -0300]/www.vim.org.vim-dev.session-00004B5F.com Infected: Email-Worm.Win32.NetSky.z
C:\OfficeScan NT\SUSPECT\delivery_failure_notice__id_00004b5f_.eml Infected: Email-Worm.Win32.NetSky.z
C:\OfficeScan NT\SUSPECT\delivery__vim_vim_org_.eml/[From vinschen@redhat.com][Date Tue, 18 Oct 2005 23:53:10 +0200]/mail23654.pif Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\delivery__vim_vim_org_.eml Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\document_1d8.VIR/[From ackahn@netapp.com][Date Mon, 28 Mar 2005 10:00:20 +0200]/Details.zip/Details.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\document_1d8.VIR/[From ackahn@netapp.com][Date Mon, 28 Mar 2005 10:00:20 +0200]/Details.zip Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\document_1d8.VIR Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\document_all.eml/[From vinschen@redhat.com][Date Tue, 22 Feb 2005 09:25:42 +0700]/document.scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\document_all.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\does_it_matter_.eml/[From bram@moolenaar.net][Date Tue, 22 Feb 2005 21:48:19 +0530]/text01.doc Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\does_it_matter_.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\does_it_matter__2b0.VIR/[From mikmach@wp.pl][Date Fri, 7 Apr 2006 14:33:46 -0700]/d4334938.scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\does_it_matter__2b0.VIR Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\error.eml/[From philips_24@yahoo.com][Date Thu, 22 Sep 2005 12:27:21 +0530]/document.zip/document.scr Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\error.eml/[From philips_24@yahoo.com][Date Thu, 22 Sep 2005 12:27:21 +0530]/document.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\error.eml Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\error_270.VIR/[From hari_vim@yahoo.com][Date Tue, 21 Feb 2006 08:51:22 +0100]/message.bat Infected: Net-Worm.Win32.Mytob.h
C:\OfficeScan NT\SUSPECT\error_270.VIR Infected: Net-Worm.Win32.Mytob.h
C:\OfficeScan NT\SUSPECT\good_day.eml/[From ackahn@netapp.com][Date Wed, 21 Sep 2005 10:30:35 +0530]/readme.zip/readme.doc .scr Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day.eml/[From ackahn@netapp.com][Date Wed, 21 Sep 2005 10:30:35 +0530]/readme.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day.eml Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_278.VIR/[From ackahn@netapp.com][Date Mon, 30 Jan 2006 23:09:14 +0530]/document.zip/document.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_278.VIR/[From ackahn@netapp.com][Date Mon, 30 Jan 2006 23:09:14 +0530]/document.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_278.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_608.VIR/[From george@reilly.org][Date Mon, 10 Oct 2005 18:41:45 -0500]/body.scr Infected: Net-Worm.Win32.Mytob.x
C:\OfficeScan NT\SUSPECT\good_day_608.VIR Infected: Net-Worm.Win32.Mytob.x
C:\OfficeScan NT\SUSPECT\good_day_6a8.VIR/[From george@reilly.org][Date Mon, 23 Jan 2006 00:20:02 -0600]/document.zip/document.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_6a8.VIR/[From george@reilly.org][Date Mon, 23 Jan 2006 00:20:02 -0600]/document.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\good_day_6a8.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\hello.eml/[From bram@moolenaar.net][Date Wed, 28 Sep 2005 13:33:13 +0530]/readme.zip/readme.pif Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\hello.eml/[From bram@moolenaar.net][Date Wed, 28 Sep 2005 13:33:13 +0530]/readme.zip Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\hello.eml Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\hello_1e0.VIR/[From mattn_jp@hotmail.com][Date Tue, 21 Feb 2006 18:46:20 +0100]/message.exe Infected: Net-Worm.Win32.Mytob.h
C:\OfficeScan NT\SUSPECT\hello_1e0.VIR Infected: Net-Worm.Win32.Mytob.h
C:\OfficeScan NT\SUSPECT\hello_290.VIR/[From ackahn@netapp.com][Date Wed, 22 Feb 2006 16:39:33 +0800]/data.pif Infected: Net-Worm.Win32.Mytob.ab
C:\OfficeScan NT\SUSPECT\hello_290.VIR Infected: Net-Worm.Win32.Mytob.ab
C:\OfficeScan NT\SUSPECT\hello_340.VIR/[From george@reilly.org][Date Thu, 1 Dec 2005 15:48:54 +0600]/text.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\hello_340.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\hello_7e8.VIR/[From dany.stamant@sympatico.ca][Date Wed, 19 Oct 2005 15:45:28 +0700]/document.exe Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\hello_7e8.VIR Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\hello_c0.VIR/[From ackahn@netapp.com][Date Sat, 19 Nov 2005 19:09:04 +0530]/readme.scr Infected: Net-Worm.Win32.Mytob.dam
C:\OfficeScan NT\SUSPECT\hello_c0.VIR Infected: Net-Worm.Win32.Mytob.dam
C:\OfficeScan NT\SUSPECT\hello_d8.VIR/[From bram@moolenaar.net][Date Fri, 3 Jun 2005 20:46:56 -0700]/lzxoe.scr Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\hello_d8.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\hello_f0.VIR/[From ackahn@netapp.com][Date Fri, 18 Nov 2005 09:57:05 +0530]/doc.scr Infected: Net-Worm.Win32.Mytob.dam
C:\OfficeScan NT\SUSPECT\hello_f0.VIR Infected: Net-Worm.Win32.Mytob.dam
C:\OfficeScan NT\SUSPECT\hi.eml/[From ron@ronware.org][Date Tue, 8 Nov 2005 20:01:27 +0530]/doc.pif Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\hi.eml Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\important_website.eml/[From zbyszek@unccvax.ucc.edu][Date Mon, 31 Jan 2005 14:12:57 +0530]/website_sgovindachar.zip/document.txt .exe Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\important_website.eml/[From zbyszek@unccvax.ucc.edu][Date Mon, 31 Jan 2005 14:12:57 +0530]/website_sgovindachar.zip Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\important_website.eml Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\information.eml/[From george@reilly.org][Date Wed, 5 Oct 2005 11:51:33 +0530]/news01_vim-dev.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\information.eml/[From george@reilly.org][Date Wed, 5 Oct 2005 11:51:33 +0530]/news01_vim-dev.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\information.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\information_23c.VIR/[From ackahn@netapp.com][Date Thu, 3 Mar 2005 21:13:57 -0300]/disco.zip/disco.doc.exe Infected: Email-Worm.Win32.NetSky.b
C:\OfficeScan NT\SUSPECT\information_23c.VIR/[From ackahn@netapp.com][Date Thu, 3 Mar 2005 21:13:57 -0300]/disco.zip Infected: Email-Worm.Win32.NetSky.b
C:\OfficeScan NT\SUSPECT\information_23c.VIR Infected: Email-Worm.Win32.NetSky.b
C:\OfficeScan NT\SUSPECT\information_7f4.VIR/[From ackahn@netapp.com][Date Mon, 21 Mar 2005 08:48:21 +0100]/Informations.zip/Informations.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\information_7f4.VIR/[From ackahn@netapp.com][Date Mon, 21 Mar 2005 08:48:21 +0100]/Informations.zip Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\information_7f4.VIR Infected: Email-Worm.Win32.NetSky.aa
C:\OfficeScan NT\SUSPECT\i_cannot_forget_you_.eml/[From wanted121@hotmail.com][Date Mon, 31 Jan 2005 10:11:11 -0500]/photo.doc Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\i_cannot_forget_you_.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\mail_delivery_system.eml/[From george@reilly.org][Date Sun, 18 Sep 2005 13:52:18 +0530]/message.exe Infected: Net-Worm.Win32.Mytob.bx
C:\OfficeScan NT\SUSPECT\mail_delivery_system.eml Infected: Net-Worm.Win32.Mytob.bx
C:\OfficeScan NT\SUSPECT\mail_delivery_system__vim_vim_org_.eml/[From george@reilly.org][Date Tue, 19 Apr 2005 13:03:10 +0200]/message15014.zip/data.eml .scr Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\mail_delivery_system__vim_vim_org_.eml/[From george@reilly.org][Date Tue, 19 Apr 2005 13:03:10 +0200]/message15014.zip Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\mail_delivery_system__vim_vim_org_.eml Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__2ac.VIR/[From nena@admin.boletines.com][Date Tue, 1 Feb 2005 23:17:19 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__2ac.VIR/[From nena@admin.boletines.com][Date Tue, 1 Feb 2005 23:17:19 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__2ac.VIR/[From nena@admin.boletines.com][Date Tue, 1 Feb 2005 23:17:19 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__2ac.VIR Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__75c.VIR/[From fgferrei@unalmed.edu.co][Date Mon, 31 Jan 2005 12:53:37 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__75c.VIR/[From fgferrei@unalmed.edu.co][Date Mon, 31 Jan 2005 12:53:37 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__75c.VIR/[From fgferrei@unalmed.edu.co][Date Mon, 31 Jan 2005 12:53:37 -0500]/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__75c.VIR Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__788.VIR/[From arultms@ddsl.net][Date Tue, 8 Mar 2005 14:34:02 +0530]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__788.VIR/[From arultms@ddsl.net][Date Tue, 8 Mar 2005 14:34:02 +0530]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__788.VIR/[From arultms@ddsl.net][Date Tue, 8 Mar 2005 14:34:02 +0530]/message.scr Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\mail_delivery__failure_sgovindachar_yahoo_com__788.VIR Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\mail_system__vim_dev_vim_org__194.VIR/[From ackahn@netapp.com][Date Tue, 6 Sep 2005 11:15:12 +0900]/data26840.zip/mail.eml .scr Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\mail_system__vim_dev_vim_org__194.VIR/[From ackahn@netapp.com][Date Tue, 6 Sep 2005 11:15:12 +0900]/data26840.zip Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\mail_system__vim_dev_vim_org__194.VIR Infected: Email-Worm.Win32.NetSky.r
C:\OfficeScan NT\SUSPECT\news.eml/[From dany.stamant@sympatico.ca][Date Sun, 10 Jul 2005 12:17:34 +0530]/info02.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\news.eml/[From dany.stamant@sympatico.ca][Date Sun, 10 Jul 2005 12:17:34 +0530]/info02.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\news.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\owjnatd.eml/[From aab@cichlid.com][Date Thu, 9 Feb 2006 19:53:51 -0500]/wseb.zip/wseb.htm .scr Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\owjnatd.eml/[From aab@cichlid.com][Date Thu, 9 Feb 2006 19:53:51 -0500]/wseb.zip Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\owjnatd.eml Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\picture.eml/[From ackahn@netapp.com][Date Mon, 27 Dec 2004 20:27:11 +0900]/all_pictures.pif Infected: Email-Worm.Win32.NetSky.ac
C:\OfficeScan NT\SUSPECT\picture.eml Infected: Email-Worm.Win32.NetSky.ac
C:\OfficeScan NT\SUSPECT\private_document.eml/[From george@reilly.org][Date Mon, 27 Mar 2006 02:26:58 +0530]/your_document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\private_document.eml/[From george@reilly.org][Date Mon, 27 Mar 2006 02:26:58 +0530]/your_document.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\private_document.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\report_234.VIR/[From ackahn@netapp.com][Date Fri, 4 Mar 2005 12:33:06 +0700]/friend.zip/friend.scr Infected: Email-Worm.Win32.NetSky.c
C:\OfficeScan NT\SUSPECT\report_234.VIR/[From ackahn@netapp.com][Date Fri, 4 Mar 2005 12:33:06 +0700]/friend.zip Infected: Email-Worm.Win32.NetSky.c
C:\OfficeScan NT\SUSPECT\report_234.VIR Infected: Email-Worm.Win32.NetSky.c
C:\OfficeScan NT\SUSPECT\returned_mail__see_transcript_for_details_23c.VIR/[From geulig@nentec.de][Date Thu, 27 Jan 2005 13:26:51 +0700]/document.zip/document.html .exe Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\returned_mail__see_transcript_for_details_23c.VIR/[From geulig@nentec.de][Date Thu, 27 Jan 2005 13:26:51 +0700]/document.zip Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\returned_mail__see_transcript_for_details_23c.VIR Infected: Email-Worm.Win32.Mydoom.m
C:\OfficeScan NT\SUSPECT\re__administration.eml/[From jjones@genie.com][Date Mon, 31 Jan 2005 18:39:50 +0530]/msg.zip/details.txt .pif Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\re__administration.eml/[From jjones@genie.com][Date Mon, 31 Jan 2005 18:39:50 +0530]/msg.zip Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\re__administration.eml Infected: Virus.Win32.Kriz.4029
C:\OfficeScan NT\SUSPECT\re__administration_27c.VIR/[From ron@ronware.org][Date Tue, 15 Nov 2005 15:49:17 +0200]/readme.pif Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__administration_27c.VIR Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__bill.eml/[From ackahn@netapp.com][Date Wed, 22 Feb 2006 09:20:18 -0600]/bill.txt Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__bill.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__document88.eml/[From ackahn@netapp.com][Date Wed, 11 Jan 2006 15:12:32 -0300]/Document88.pif Infected: Email-Worm.Win32.NetSky.s
C:\OfficeScan NT\SUSPECT\re__document88.eml Infected: Email-Worm.Win32.NetSky.s
C:\OfficeScan NT\SUSPECT\re__encrypted_mail.eml/[From dany.stamant@sympatico.ca][Date Sat, 23 Jul 2005 12:36:43 +0530]/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__encrypted_mail.eml/[From dany.stamant@sympatico.ca][Date Sat, 23 Jul 2005 12:36:43 +0530]/details.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__encrypted_mail.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__hello.eml/[From ron@ronware.org][Date Thu, 6 Oct 2005 10:35:42 -0500]/summary2004_vim.doc.pif Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__hello.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__here_is_the_document.eml/[From eljay@adobe.com][Date Mon, 21 Feb 2005 09:55:31 +0800]/document_full.pif Infected: Email-Worm.Win32.NetSky.d
C:\OfficeScan NT\SUSPECT\re__here_is_the_document.eml Infected: Email-Worm.Win32.NetSky.d
C:\OfficeScan NT\SUSPECT\re__hi.eml/[From ackahn@netapp.com][Date Sat, 17 Sep 2005 10:09:00 -0300]/letter32_vim.pif Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__hi.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__list.eml/[From dany.stamant@sympatico.ca][Date Sat, 7 Jan 2006 11:24:50 -0700]/archive.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__list.eml/[From dany.stamant@sympatico.ca][Date Sat, 7 Jan 2006 11:24:50 -0700]/archive.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__list.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__question.eml/[From vinschen@redhat.com][Date Mon, 2 Jan 2006 18:19:05 +0900]/sample01.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__question.eml/[From vinschen@redhat.com][Date Mon, 2 Jan 2006 18:19:05 +0900]/sample01.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__question.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__read_it_immediately.eml/[From george@reilly.org][Date Sat, 23 Apr 2005 10:29:10 +0900]/application.txt.pif Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__read_it_immediately.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__approved.eml/[From vinschen@redhat.com][Date Wed, 4 Jan 2006 01:41:45 +0900]/information.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__approved.eml/[From vinschen@redhat.com][Date Wed, 4 Jan 2006 01:41:45 +0900]/information.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__approved.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__bill.eml/[From eljay@adobe.com][Date Mon, 10 Apr 2006 04:21:25 +0200]/bill.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__bill.eml/[From eljay@adobe.com][Date Mon, 10 Apr 2006 04:21:25 +0200]/bill.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__bill.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__re__word_document.eml/[From ackahn@netapp.com][Date Sun, 30 Oct 2005 07:39:48 +0100]/document_vim-dev.pif Infected: Email-Worm.Win32.NetSky.x
C:\OfficeScan NT\SUSPECT\re__re__word_document.eml Infected: Email-Worm.Win32.NetSky.x
C:\OfficeScan NT\SUSPECT\re__screensaver.eml/[From ackahn@netapp.com][Date Sat, 22 Oct 2005 20:09:37 +0700]/screensaver.pif Infected: Email-Worm.Win32.NetSky.x
C:\OfficeScan NT\SUSPECT\re__screensaver.eml Infected: Email-Worm.Win32.NetSky.x
C:\OfficeScan NT\SUSPECT\re__test.eml/[From eljay@adobe.com][Date Sun, 29 Jan 2006 13:24:46 -0800]/document_vim.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__test.eml/[From eljay@adobe.com][Date Sun, 29 Jan 2006 13:24:46 -0800]/document_vim.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__test.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__thanks_.eml/[From eljay@adobe.com][Date Mon, 16 Jan 2006 10:14:04 -0600]/message.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__thanks_.eml/[From eljay@adobe.com][Date Mon, 16 Jan 2006 10:14:04 -0600]/message.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__thanks_.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\re__your_archive.eml/[From eljay@adobe.com][Date Tue, 22 Feb 2005 19:13:46 +0200]/your_archive.pif Infected: Email-Worm.Win32.NetSky.d
C:\OfficeScan NT\SUSPECT\re__your_archive.eml Infected: Email-Worm.Win32.NetSky.d
C:\OfficeScan NT\SUSPECT\server_report.eml/[From george@reilly.org][Date Thu, 22 Sep 2005 11:00:14 +0530]/data.zip/data.htm .scr Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\server_report.eml/[From george@reilly.org][Date Thu, 22 Sep 2005 11:00:14 +0530]/data.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\server_report.eml Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\server_report_1d8.VIR/[From bram@moolenaar.net][Date Fri, 23 Dec 2005 13:57:41 +0700]/file.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\server_report_1d8.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\snulpb.eml/[From ackahn@netapp.com][Date Tue, 25 Oct 2005 14:08:52 +0200]/document.zip/document.scr Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\snulpb.eml/[From ackahn@netapp.com][Date Tue, 25 Oct 2005 14:08:52 +0200]/document.zip Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\snulpb.eml Infected: Net-Worm.Win32.Mytob.q
C:\OfficeScan NT\SUSPECT\spamed_.eml/[From dany.stamant@sympatico.ca][Date Thu, 29 Sep 2005 17:01:22 +0700]/abuse_list.exe Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\spamed_.eml Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\status.eml/[From ackahn@netapp.com][Date Sun, 23 Oct 2005 17:53:35 -0700]/data.zip/data.doc .scr Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status.eml/[From ackahn@netapp.com][Date Sun, 23 Oct 2005 17:53:35 -0700]/data.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status.eml Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status_22c.VIR/[From george@reilly.org][Date Sat, 19 Nov 2005 11:51:22 +0530]/file.zip/file.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status_22c.VIR/[From george@reilly.org][Date Sat, 19 Nov 2005 11:51:22 +0530]/file.zip Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status_22c.VIR Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\status_280.VIR/[From ackahn@netapp.com][Date Tue, 19 Jul 2005 09:10:16 -0600]/message.pif Infected: Net-Worm.Win32.Mytob.a
C:\OfficeScan NT\SUSPECT\status_280.VIR Infected: Net-Worm.Win32.Mytob.a
C:\OfficeScan NT\SUSPECT\test.eml/[From bram@moolenaar.net][Date Wed, 21 Dec 2005 14:43:54 +0700]/data.scr Infected: Net-Worm.Win32.Mytob.a
C:\OfficeScan NT\SUSPECT\test.eml Infected: Net-Worm.Win32.Mytob.a
C:\OfficeScan NT\SUSPECT\test_64c.VIR/[From bram@moolenaar.net][Date Fri, 5 May 2006 00:04:46 +0700]/message.pif Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\test_64c.VIR Infected: Net-Worm.Win32.Mytob.c
C:\OfficeScan NT\SUSPECT\vim_digest_of__get_59339_59341.eml/[From Suresh Govindachar<sgovindachar@yahoo.com>][Date Tue, 13 Dec 2005 21:17:13 +0000]/vim_59341.ezm/[From george@reilly.org][Date Thu, 1 Dec 2005 15:48:54 +0600]/text.pif Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\vim_digest_of__get_59339_59341.eml/[From Suresh Govindachar<sgovindachar@yahoo.com>][Date Tue, 13 Dec 2005 21:17:13 +0000]/vim_59341.ezm Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\vim_digest_of__get_59339_59341.eml Infected: Net-Worm.Win32.Mytob.u
C:\OfficeScan NT\SUSPECT\you_cannot_do_that_.eml/[From vinschen@redhat.com][Date Tue, 22 Feb 2005 16:58:46 +0100]/document05.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\you_cannot_do_that_.eml/[From vinschen@redhat.com][Date Tue, 22 Feb 2005 16:58:46 +0100]/document05.zip Infected: Email-Worm.Win32.NetSky.q
C:\OfficeScan NT\SUSPECT\you_cannot_do_that_.eml Infected: Email-Worm.Win32.NetSky.q

C:\opt\RealVNC\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4

C:\opt\src\RealVNC\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32_viewer.zip/vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\opt\src\RealVNC\vnc-4.0-x86_win32_viewer.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4

C:\opt\WebEx\atplay_exe___for_viewer//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx
C:\opt\WebEx\atplay_exe___for_viewer Infected: not-a-virus:AdWare.Win32.WebEx

C:\opt\wu\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0006815.exe//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0006815.exe Infected: not-a-virus:AdWare.Win32.WebEx
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP88\A0007927.dll Infected: not-a-virus:AdWare.Win32.WebEx

C:\WINDOWS\omnithread_rt.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g
C:\WINDOWS\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540

Scan process completed.
Old 04-24-2006, 10:41 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Webex is a program that's used for web conferencing. It's being tagged along with VNC as being riskware. The scanners are merely doing their job, alerting us of possible loopholes in the system. Your machine appears to be a work machine. If so, I suspect that you shall have need for those programs.

You appear to be pretty clean as it is. However, those quarantined files from Trend's Officescan should be removed. Please delete the contents of this folder leaving the parent folder empty - C:\OfficeScan NT\SUSPECT\.



After you have done so, go to Start > Run - type or copy/paste the following in & click the 'OK' button

cmd /k reg delete "HKLM\SOFTWARE\Gator.com" /f



This will clear the System Volume Information folder
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


Let me know how that went.
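The distinction sUBs draws above (quarantined mail worms that should simply be deleted, System Restore copies that go away when restore points are flushed, and "not-a-virus:" tools such as VNC and pskill that a scanner flags but a work machine may legitimately need) can be applied mechanically to a report in the "path Infected: name" shape posted earlier. The script below is an added example written for this thread; it is not the scanner's code and not something either poster ran. The sample lines are constructed from the posted report, and the parsing rules (a "/" separates nested mail or archive layers, "not-a-virus:" marks riskware, quarantine and System Restore are recognised by path prefix) are assumptions drawn from it.

```python
"""Triage a scan report of the "path Infected: detection-name" kind.

Added example for this thread; it is not the scanner's own code nor anything
the posters ran. The rules below (a "/" separates nested archive or mail
layers; a "not-a-virus:" prefix marks riskware; the quarantine and System
Restore folders are recognised by path prefix) are assumptions drawn from the
report posted above.
"""
import re

# Constructed sample: a few lines in the same shape as the posted report.
SAMPLE_REPORT = """\
C:\\OfficeScan NT\\SUSPECT\\re__bill.eml/[From ackahn@netapp.com][Date Wed, 22 Feb 2006 09:20:18 -0600]/bill.txt Infected: Email-Worm.Win32.NetSky.q
C:\\OfficeScan NT\\SUSPECT\\re__bill.eml Infected: Email-Worm.Win32.NetSky.q
C:\\OfficeScan NT\\SUSPECT\\status.eml/[From ackahn@netapp.com][Date Sun, 23 Oct 2005 17:53:35 -0700]/data.zip/data.doc .scr Infected: Net-Worm.Win32.Mytob.u
C:\\OfficeScan NT\\SUSPECT\\status.eml/[From ackahn@netapp.com][Date Sun, 23 Oct 2005 17:53:35 -0700]/data.zip Infected: Net-Worm.Win32.Mytob.u
C:\\OfficeScan NT\\SUSPECT\\status.eml Infected: Net-Worm.Win32.Mytob.u
C:\\System Volume Information\\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\\RP88\\A0007927.dll Infected: not-a-virus:AdWare.Win32.WebEx
C:\\opt\\wu\\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k
C:\\WINDOWS\\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540

Scan process completed.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")
QUARANTINE_PREFIX = "c:\\officescan nt\\suspect\\"   # assumption: Trend OfficeScan quarantine
RESTORE_PREFIX = "c:\\system volume information\\"   # System Restore snapshots


def parse_report(text):
    """Return one dict per detection line; blank and status lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        # Nested members (mail attachments, zip entries) are joined with "/";
        # the Windows path before the first "/" is the file actually on disk.
        container = path.split("/", 1)[0]
        riskware = name.startswith("not-a-virus:")
        parts = name.split(":", 1)[-1].split(".")   # Type.Platform.Family[.Variant]
        hits.append({
            "container": container,
            "name": name,
            "kind": parts[0],
            "family": parts[2] if len(parts) >= 3 else parts[-1],
            "riskware": riskware,
        })
    return hits


def recommend(container, riskware):
    """Action for one on-disk file, following the advice given in the thread."""
    low = container.lower()
    if low.startswith(QUARANTINE_PREFIX):
        return "delete quarantined copy"
    if low.startswith(RESTORE_PREFIX):
        return "flush restore points (System Restore off, then on)"
    if riskware:
        return "review: keep only if this admin tool is intended"
    return "live infection: investigate"


def summarize(hits):
    """Collapse the per-layer lines to one entry per on-disk file."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["container"], {"families": set(), "riskware": h["riskware"]})
        entry["families"].add(h["family"])
        # Any genuine malware hit inside a file outranks a riskware tag on it.
        entry["riskware"] = entry["riskware"] and h["riskware"]
    for container, entry in summary.items():
        entry["action"] = recommend(container, entry["riskware"])
    return summary


if __name__ == "__main__":
    for container, entry in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{container}\n    {', '.join(sorted(entry['families']))} -> {entry['action']}")
```

Run it on a full report and the output is one line per file on disk rather than one per nested layer, which is the view you want before deciding what to delete: the quarantine folder empties as a unit, the System Restore copies go with the restore points, and only files outside those two places need a judgement call.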
Old 04-25-2006, 05:11 PM   #10 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,

Almost done ...

1) Deleted everything inside C:\OfficeScan NT\SUSPECT\.

2) Read up on reg /? and reg delete /? and issued command

reg delete "HKLM\SOFTWARE\Gator.com"

from cmd window.


3) Wasn't sure if command "control sysdm.cpl,,4" should be issued with or without '&' and so used Right-Click "My Computer" -> Properties -> "System Restore" tab to turn system restore Off and back On

Reran PandaSoftware's ActiveScan -- it still reports Spyware:spyware/searchcentrix described on

http://www.pandasoftware.com/virus_i...eteccion=96188

How would I get rid of this? The files mentioned in the "Prevention and Cure" tab of the above link (namely the files with names such as "expand search", "search-o-matic toolbar" "search-o-webalize search utility" "webalize" and "windirect") do not exist inside C:\Windows. So I suspect I need to only get rid of registry entries mentioned in the "Tech details" tab -- but seeing which of those are in my registry and deleting them is beyond my capability.

Please advise.

Thanks,

-sgu
Old 04-25-2006, 06:34 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Quote:
Reran PandaSoftware's ActiveScan -- it still reports Spyware:spyware/searchcentrix
This is the standard speech I use for such occasions.
Quote:
These are orphaned entries. It's an entry in your Registry that references a non-existent file. It's perfectly harmless without the accompanying file. Panda detects it but does not pinpoint the location of the said entry. If it had provided the location, we may have it removed via manual Registry editing. I do not recommend that you rummage through the Registry looking for this entry. We do not want to risk causing irreparable damage to the Registry.
But since you have shown such initiative in reading up on reg delete /?, let's try to do some registry fishing (I make no promises that we'll find anything).

Download & extract this file to its own folder - Registry Search

Launch Registry Search
In the search box, enter these keywords & click "Ok".
Searchcentrix
mygeek
Somatic
Dynamic Toolbar
dynamic tollbar
gssomatic
pqhelper
s4helper
seantb
webalize
wzhelper
eek4free
SearchOMatic
Visicom
barbho
GSIM
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply
Old 04-25-2006, 06:54 PM   #12 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,

Here's what I did before I saw your latest response.

Created a .bat file with the following stuff in it and ran it.

Code:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  /s
reg query "HKLM\Software\Searchcentrix"    /s
reg query "HKLM\software\mygeekinstalled"  /s
reg query "HKCR\SomaticCAB.Setup"          /s
reg query "HKCU\software\Dynamic Toolbar"  /s
reg query "HKU\.default\software\dynamic tollbar"     /s
reg query "HKCR\gssomatic.gssomatic"                  /s
reg query "HKLM\software\classes\gssomatic.gssomatic" /s
reg query "HKLM\software\classes\somatic.somatic"     /s
reg query "HKLM\software\classes\barbho.class1"       /s
reg query "HKLM\software\classes\gssomatic.gssomatic" /s
reg query "HKLM\software\classes\mygeek.com"         /s
reg query "HKLM\software\classes\pqhelper.pqhelper"  /s
reg query "HKLM\software\classes\s4helper.s4helper"  /s
reg query "HKLM\software\classes\seantb.seantb"      /s
reg query "HKLM\software\classes\somatic.somatic"    /s
reg query "HKLM\software\classes\spoolsvv.class1"    /s
reg query "HKLM\software\classes\webalize.webalize"  /s
reg query "HKLM\software\classes\wzhelper.wzhelper"  /s
reg query "HKCU\Software\Microsoft\Internet Explorer\Main"    /s
reg query "HKLM\Software\Microsoft\Internet Explorer\Search"  /s
Results of the run:



c:\home\sgu>reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager REG_EXPAND_SZ %SystemRoot%\system32\mobsync.exe /logon
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
PRONoMgr.exe REG_SZ C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
OfficeScanNT Monitor REG_SZ "C:\OfficeScan NT\pccntmon.exe" -HideWindow
iTunesHelper REG_SZ C:\opt\iTunes\iTunesHelper.exe
DVDSentry REG_SZ C:\WINDOWS\System32\DSentry.exe
Dell QuickSet REG_SZ C:\Program Files\Dell\QuickSet\quickset.exe
bascstray REG_SZ BascsTray.exe
ATIPTA REG_SZ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATIModeChange REG_SZ Ati2mdxx.exe
Apoint REG_SZ C:\Program Files\Apoint\Apoint.exe
AdaptecDirectCD REG_SZ "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Installed REG_SZ 1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Installed REG_SZ 1
NoChange REG_SZ 1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Installed REG_SZ 1

c:\home\sgu>reg query "HKLM\Software\Searchcentrix" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\mygeekinstalled" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKCR\SomaticCAB.Setup" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKCU\software\Dynamic Toolbar" /s

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\software\Dynamic Toolbar

HKEY_CURRENT_USER\software\Dynamic Toolbar\REALBAR
ConfigCode REG_SZ 1

c:\home\sgu>reg query "HKU\.default\software\dynamic tollbar" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKCR\gssomatic.gssomatic" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\gssomatic.gssomatic" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\somatic.somatic" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\barbho.class1" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\gssomatic.gssomatic" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\mygeek.com" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\pqhelper.pqhelper" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\s4helper.s4helper" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\seantb.seantb" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\somatic.somatic" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\spoolsvv.class1" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\webalize.webalize" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKLM\software\classes\wzhelper.wzhelper" /s

Error: The system was unable to find the specified registry key or value

c:\home\sgu>reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /s

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NoUpdateCheck REG_DWORD 0x1
NoJITSetup REG_DWORD 0x1
Disable Script Debugger REG_SZ yes
Show_ChannelBand REG_SZ No
Anchor Underline REG_SZ yes
Cache_Update_Frequency REG_SZ Once_Per_Session
Display Inline Images REG_SZ yes
Do404Search REG_BINARY 01000000
Local Page REG_SZ C:\WINDOWS\System32\blank.htm
Save_Session_History_On_Exit REG_SZ no
Show_FullURL REG_SZ no
Show_StatusBar REG_SZ yes
Show_ToolBar REG_SZ yes
Show_URLinStatusBar REG_SZ yes
Show_URLToolBar REG_SZ yes
Start Page REG_SZ http://www.yahoo.com/
Use_DlgBox_Colors REG_SZ yes
Search Page REG_SZ http://www.microsoft.com/isapi/redir...ie&ar=iesearch
Default_Page_URL REG_SZ http://www.dell.com
UseHR REG_DWORD 0x1
NotifyDownloadComplete REG_SZ no
Save Directory REG_SZ C:\opt\vim\vimfiles\colors\
FullScreen REG_SZ no
Window_Placement REG_BINARY 2C00000000000000010000000083FFFF0083FFFFFFFFFFFFFFFFFFFF230000002
EF030000
Use FormSuggest REG_SZ yes
AddToFavoritesExpanded REG_DWORD 0x1
Error Dlg Displayed On Every Error REG_SZ no
Error Dlg Details Pane Open REG_SZ no
AutoSearch REG_DWORD 0x5
Expand Alt Text REG_SZ no
Move System Caret REG_SZ no
NscSingleExpand REG_DWORD 0x0
NoWebJITSetup REG_DWORD 0x0
Page_Transitions REG_DWORD 0x1
FavIntelliMenus REG_SZ no
Enable Browser Extensions REG_SZ yes
UseThemes REG_DWORD 0x1
Force Offscreen Composition REG_DWORD 0x0
AllowWindowReuse REG_DWORD 0x0
Friendly http errors REG_SZ yes
ShowGoButton REG_SZ yes
SmoothScroll REG_DWORD 0x1
Enable AutoImageResize REG_SZ yes
Enable_MyPics_Hoverbar REG_SZ yes
Play_Animations REG_SZ yes
Play_Background_Sounds REG_SZ yes
Display Inline Videos REG_SZ yes
Show image placeholders REG_DWORD 0x0
Print_Background REG_SZ no
FormSuggest PW Ask REG_SZ no

c:\home\sgu>reg query "HKLM\Software\Microsoft\Internet Explorer\Search" /s

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
SearchAssistant REG_SZ http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch REG_SZ http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
c:\home\sgu>

--sgu

Last edited by sUBs; 04-25-2006 at 07:23 PM.
Old 04-25-2006, 07:25 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Good initiative again. But it's not as comprehensive as RegSearch.

Try it out & share the results with me.
Old 04-25-2006, 07:54 PM   #14 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,

I did regedit and saved to a text file. Opened the text file in an editor and searched for the various words. What I found is listed below. I leave RegSearch for the weekend.

Thanks.

--sgu


Here's what I found.

The following words did not exist:

searchcentrix
mygeek
somatic
dynamic tollbar
gssomatic
pqhelper
s4helper
seantb
webalize
wzhelper
eek4free
searchomatic
visicom
barbho
gsim
spoolsvv
2020search

"dynamic toolbar" was found as follows:



Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\Components\toolbar:1.1\Reg0
Class Name: <NO CLASS>
Last Write Time: 12/7/2004 - 2:31 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: -2147483647|Software\Dynamic Toolbar\REALBAR|ConfigCode

Key Name: HKEY_USERS\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar
Class Name: <NO CLASS>
Last Write Time: 12/7/2004 - 2:31 PM

Key Name: HKEY_USERS\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar\REALBAR
Class Name: <NO CLASS>
Last Write Time: 12/7/2004 - 2:31 PM
Value 0
Name: ConfigCode
Type: REG_SZ
Data: 1



"searchassistant" was found as follows:




Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47C6C527-6204-4F91-849D-66E234DEE015}\ProgID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SrchUI.SearchAssistant.1

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47C6C527-6204-4F91-849D-66E234DEE015}\VersionIndependentProgID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SrchUI.SearchAssistant

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89}\ProgID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC.SearchAssistantOC.1

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B45FF030-4447-11D2-85DE-00C04FA35C89}\VersionIndependentProgID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC.SearchAssistantOC

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0C061EC1-EB5C-45CF-AD26-E94B40BB2DE9}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: _ISearchAssistantEvents

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1611FDDA-445B-11D2-85DE-00C04FA35C89}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: _SearchAssistantEvents

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA1}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: ISearchAssistantOC

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA2}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: ISearchAssistantOC2

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: ISearchAssistantOC3

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F74F2E3B-CEF7-4856-A170-8258A35CE375}
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: ISearchAssistant

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC\CLSID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {B45FF030-4447-11D2-85DE-00C04FA35C89}

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC\CurVer
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC.SearchAssistantOC.1

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SearchAssistantOC

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1\CLSID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {B45FF030-4447-11D2-85DE-00C04FA35C89}

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: Search Assistant Control

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant\CLSID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {47C6C527-6204-4F91-849D-66E234DEE015}

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: Search Assistant Control

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1\CLSID
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {47C6C527-6204-4F91-849D-66E234DEE015}

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1\CurVer
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SrchUI.SearchAssistant.1

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
Class Name: <NO CLASS>
Last Write Time: 3/20/2004 - 5:57 PM
Value 0
Name: SearchAssistant
Type: REG_SZ
Data: http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

Last edited by sUBs; 04-25-2006 at 07:59 PM.
Old 04-25-2006, 08:23 PM   #15 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Hello,

RegSearch was much easier than I expected -- here are the results. (For displaying text logs, it would help if the html <pre> </pre> tags were supported.)

Please advise.

Thanks,

--sgu



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 4/25/2006 7:14:43 PM for strings:
; 'searchcentrix'
; 'mygeek'
; 'somatic'
; 'dynamic toolbar'
; 'dynamic tollbar'
; 'gssomatic'
; 'pqhelper'
; 's4helper'
; 'seantb'
; 'webalize'
; 'wzhelper'
; 'eek4free'
; 'searchomatic'
; 'visicom'
; 'barbho'
; 'gsim'
; 'spoolsvv'
; '2020search'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\EE43B9C66A3E8A84099660EDCC381C56]
; Contents of value:
; ']gAVn-}f(ZXfeAR6.jiXDocsSolutionIssueTrackingSimple>H)?+WFZ'9@{6dKY7$Cpourn:schemas-microsoft-com:office:infopath:oob:IssueTrackingSimple:1033|1.0.0.1|0|template.xml|Issue Tracking (Simple)
;
"1033\\isstrks.xsn"=hex(7):27,5d,67,41,56,6e,2d,7d,66,28,5a,58,66,65,41,52,36,\
2e,6a,69,58,44,6f,63,73,53,6f,6c,75,74,69,6f,6e,49,73,73,75,65,54,72,61,63,\
6b,69,6e,67,53,69,6d,70,6c,65,3e,48,29,3f,2b,57,46,5a,27,39,40,7b,36,64,4b,\
59,37,24,43,70,6f,75,72,6e,3a,73,63,68,65,6d,61,73,2d,6d,69,63,72,6f,73,6f,\
66,74,2d,63,6f,6d,3a,6f,66,66,69,63,65,3a,69,6e,66,6f,70,61,74,68,3a,6f,6f,\
62,3a,49,73,73,75,65,54,72,61,63,6b,69,6e,67,53,69,6d,70,6c,65,3a,31,30,33,\
33,7c,31,2e,30,2e,30,2e,31,7c,30,7c,74,65,6d,70,6c,61,74,65,2e,78,6d,6c,7c,\
49,73,73,75,65,20,54,72,61,63,6b,69,6e,67,20,28,53,69,6d,70,6c,65,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\9040110900063D11C8EF10054038389C]
"XDocsSolutionIssueTrackingSimple"="XDocsSolutionsFiles"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\RealNetworks\Update\6.0\Preferences\Components\toolbar:1.1\Reg0]
@="-2147483647|Software\\Dynamic Toolbar\\REALBAR|ConfigCode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\InfoPath\SolutionsCatalog\urn:schemas-microsoft-com:office:infopath:oob:IssueTrackingSimple:1033]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Features]
"XDocsSolutionIssueTrackingSimple"="H)?+WFZ'9@{6dKY7$CpoXDocsSolutionsFiles"

[HKEY_USERS\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar]

[HKEY_USERS\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar\REALBAR]

; End Of The Log...

Last edited by sUBs; 04-25-2006 at 08:54 PM.
Old 04-25-2006, 08:33 PM   #16 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


Previous post gives results of RegSearch.

Just a note to say that in my method of doing regedit, saving to a text file and searching, I missed searching for "gsim". Here's the result of the search for "gsim":

Value 11
Name: 1033\isstrks.xsn
Type: REG_MULTI_SZ
Data: ']gAVn-}f(ZXfeAR6.jiXDocsSolutionIssueTrackingSimple>H)?+WFZ'9@{6dKY7$Cpourn:schemas-microsoft-com:office:infopath:oob:IssueTrackingSimple:1033|1.0.0.1|0|template.xml|Issue Tracking (Simple)

Value 241
Name: XDocsSolutionIssueTrackingSimple
Type: REG_SZ
Data: XDocsSolutionsFiles

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\InfoPath\SolutionsCatalog\urn:schemas-microsoft-com:office:infopath:oob:IssueTrackingSimple:1033
Class Name: <NO CLASS>
Last Write Time: 6/14/2004 - 1:11 PM
Value 0
Name: Version
Type: REG_SZ
Data: 1.0.0.1

Value 163
Name: XDocsSolutionIssueTrackingSimple
Type: REG_SZ
Data: H)?+WFZ'9@{6dKY7$CpoXDocsSolutionsFiles

Last edited by sUBs; 04-25-2006 at 08:55 PM.
Old 04-25-2006, 09:19 PM   #17 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Please do this..

reg delete "HKU\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar" /f
__________________

Question - what have you done for the community today?
Old 04-25-2006, 10:20 PM   #18 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro




Did that, rebooted, re-ran PandaSoftware's Activescan -- no issues with registry!

DONE!

Thanks,

--sgu
Old 04-25-2006, 11:22 PM   #19 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,352
OS: N/A


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
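Two of the manual steps in this thread lend themselves to a small tool, so here is an added example that is not part of any post: sgu's method in post #16 of exporting the registry to a text file and searching it for a string such as "gsim", and the Internet zone settings in step 3 of the checklist above. The Python below parses a .reg export offline, decodes hex(7) (REG_MULTI_SZ) values that regedit spreads over backslash-continued lines, exactly like the isstrks.xsn value shown earlier, searches key paths, value names and decoded data, shows which key the reg delete in post #17 removes, and compares the Zones\3 action IDs against the recommended levels. Assumptions: the sample .reg text is constructed from fragments shown in the thread with invented zone values, and the mapping from action ID to setting (1001, 1004, 1201, 1607, 1800, 1804, with 0 = Enable, 1 = Prompt, 3 = Disable) is Internet Explorer's standard one, not something the page states.

```python
"""Parse a Windows .reg export offline, search it and audit IE's Internet zone.
Added example for this thread, not a tool the posters used.  SAMPLE_REG is built
from fragments shown above; a real run passes the text of regedit's export."""
import re

# Action IDs under ...\Internet Settings\Zones\3 with the levels step 3 asks for
# (IE's standard ID/level mapping, assumed here; the page does not list the IDs).
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
RECOMMENDED_ZONE3 = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
COMPONENT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Components\EE43B9C66A3E8A84099660EDCC381C56"
TOOLBAR_KEY = r"HKEY_USERS\S-1-5-21-1006902558-2108515077-1544898942-22824\Software\Dynamic Toolbar"
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# Constructed sample: the hex(7) bytes are the start of the isstrks.xsn value
# shown in the thread (continuation lines included); the zone values are invented.
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[{COMPONENT_KEY}]
"1033\\isstrks.xsn"=hex(7):27,5d,67,41,56,6e,2d,7d,66,28,5a,58,66,65,41,52,36,\
  2e,6a,69,58,44,6f,63,73,53,6f,6c,75,74,69,6f,6e,49,73,73,75,65,54,72,61,63,\
  6b,69,6e,67,53,69,6d,70,6c,65,00,00

[{TOOLBAR_KEY}]

[{ZONE3_KEY}]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1804"=dword:00000001
"""


def decode_multi_sz(raw):
    """REGEDIT4 exports store one byte per character, 5.00 exports UTF-16LE
    (recognised by the all-zero high bytes); split on the NUL separators."""
    enc = "utf-16-le" if raw and len(raw) % 2 == 0 and not any(raw[1::2]) else "latin-1"
    return [s for s in raw.decode(enc).split("\0") if s]


def parse_value(rhs):
    """Decode the right-hand side of a "name"=... line into (type, data)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return "REG_SZ", rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", rhs)
    assert m, f"unsupported value syntax: {rhs}"
    kind = int(m.group(1) or "3")  # bare "hex:" is REG_BINARY, type 3
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    return ("REG_MULTI_SZ", decode_multi_sz(raw)) if kind == 7 else (f"hex({kind})", raw)


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} for a .reg export."""
    # A trailing backslash continues a byte list on the next, indented line.
    text = re.sub(r",\\\r?\n\s*", ",", text.lstrip("\ufeff"))
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:  # header, comment and blank lines fall through
            name = "@" if m.group(1) == "@" else m.group(2).replace("\\\\", "\\")
            keys[current][name] = parse_value(m.group(3))
    return keys


def search(keys, needle):
    """Case-insensitive search over key paths, value names and decoded data."""
    n, hits = needle.lower(), []
    for key, values in keys.items():
        if n in key.lower():
            hits.append((key, "", "key name"))
        for name, (_kind, data) in values.items():
            blob = "\0".join(data) if isinstance(data, list) else (
                data.decode("latin-1") if isinstance(data, bytes) else str(data))
            if n in name.lower():
                hits.append((key, name, "value name"))
            elif n in blob.lower():
                hits.append((key, name, "data"))
    return hits


def audit_internet_zone(keys):
    """Zone 3 action IDs that differ from the recommended level (absent = default)."""
    out = []
    for key in (k for k in keys if k.lower().endswith(r"\internet settings\zones\3")):
        for action, (label, want) in RECOMMENDED_ZONE3.items():
            entry = keys[key].get(action)
            have = "not set" if entry is None else LEVEL.get(entry[1], str(entry[1]))
            if entry is None or entry[1] != want:
                out.append(f"{action} ({label}): {have}, want {LEVEL[want]}")
    return out


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print(search(reg, "gsim"), search(reg, "Dynamic Toolbar"), *audit_internet_zone(reg), sep="\n")
```

To run it against a real export, pass `open("export.reg", encoding="utf-16").read()` to parse_reg: regedit's default "Registration Files" export is UTF-16 with a byte-order mark, while the older REGEDIT4 (Win9x/NT4) format is ANSI and can be read as latin-1. The zone audit matches on the key suffix, so it works whether the export was taken under HKEY_CURRENT_USER or, as in the reg delete above, under the account's HKEY_USERS\S-1-5-21-... path.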
Old 04-26-2006, 10:29 AM   #20 (permalink)
sgu
Registered User
 
Join Date: Apr 2006
Posts: 13
OS: XP Pro


OK -- thanks. OK to mark this thread as resolved.

--sgu
 


Copyright 2001 - 2009, Tech Support Forum