Registered · 154 Posts · Discussion Starter #1
I've run so far...

ewido
adaware with vx2
spybot
housecall
panda
cwsshredder

I included the Panda log because there were a lot of "No disinfected" entries in it.

Also, I can't connect to the Windows Update site. I get to the point of selecting either Custom or Express, but when I click Express I get an error message stating the site could not be contacted. I tried it in Safe Mode, so there were no firewalls or anything like that running.


Incident Status Location

Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\ace byte.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\Bluemp3.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\eggstray.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\Lies hide.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\shim dash.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\surfmix.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\tons gpl.exe
Virus:Trj/Qsuv.A Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntun.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\Safephonefive\CHIC PLUS LOVE BONE.exe
Adware:adware/gator No disinfected C:\GatorPatch.log
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\CxtPls.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casmf.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
Virus:Trj/Downloader.DRJ Disinfected C:\Program Files\ipee\othb.exe
Adware:Adware/SurfAccuracy No disinfected C:\Program Files\SurfAccuracy\SAcc.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP552\A0173033.lnk
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP552\A0173034.lnk
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP552\A0173035.lnk
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP552\A0173056.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/Exact.BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Adware:Adware/Exact.BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Adware:Adware/Exact.BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/look2me No disinfected C:\WINDOWS\system32\adlinstallwin32.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\boxbqxo.exe
Spyware:spyware/whazit No disinfected C:\WINDOWS\system32\cards.ico
Adware:Adware/IEDriver No disinfected C:\WINDOWS\system32\cnetcfg7.exe
Adware:adware/savenow No disinfected C:\WINDOWS\system32\datastore.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\ezStub3.dll
Virus:Trj/Multidropper.AFS Disinfected C:\WINDOWS\system32\iCode.dll
Virus:Trj/Multidropper.AFS Disinfected C:\WINDOWS\system32\icode502.exe
Adware:adware/favoriteman No disinfected C:\WINDOWS\system32\im64.dll
Virus:Trj/Qsuv.A Disinfected C:\WINDOWS\system32\ldxldx.exe
Dialer:dialer.b No disinfected C:\WINDOWS\system32\mseggrpid.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\n3tpa1i.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\sgfsdfg.dll
Adware:adware/powersearch No disinfected C:\WINDOWS\system32\stlb2.xml
Adware:Adware/Imibar No disinfected C:\WINDOWS\ttext.dll


Logfile of HijackThis v1.99.1
Scan saved at 12:56:36 PM, on 10/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {D90F882A-286B-4A78-B05D-6C9ADC603E16} - C:\WINDOWS\System32\kcebk.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [tOfHkm] C:\documents and settings\kristine gonzales\local settings\temp\tOfHkm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\app44.tmp
O4 - HKLM\..\Run: [srLTY] C:\documents and settings\kristine gonzales\local settings\temp\srLTY.exe
O4 - HKLM\..\Run: [0CtOv] C:\documents and settings\kristine gonzales\local settings\temp\0CtOv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [srLTY.exe] C:\documents and settings\kristine gonzales\local settings\temp\srLTY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BE8D7B2-329C-442A-A4AC-ABA9D7572602} (McSubMgr Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jpc3RpbmUgR29uemFsZXMA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

TSF Security Team, Emeritus · 26,363 Posts
Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

LQFix.zip

WinPfind.zip

TrackQoo.zip


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:
  • Delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\GatorPatch.log
  • C:\Program Files\SurfAccuracy\SAcc.exe
  • C:\WINDOWS\cfgmgr52.ini
  • C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
  • C:\WINDOWS\smdat32m.sys
  • C:\WINDOWS\system32\adlinstallwin32.exe
  • C:\WINDOWS\system32\boxbqxo.exe
  • C:\WINDOWS\system32\cards.ico
  • C:\WINDOWS\system32\cnetcfg7.exe
  • C:\WINDOWS\system32\datastore.dll
  • C:\WINDOWS\system32\ezStub3.dll
  • C:\WINDOWS\system32\im64.dll
  • C:\WINDOWS\system32\mseggrpid.dll
  • C:\WINDOWS\system32\n3tpa1i.dll
  • C:\WINDOWS\system32\sgfsdfg.dll
  • C:\WINDOWS\system32\stlb2.xml
  • C:\WINDOWS\ttext.dll
  • C:\WINDOWS\System32\kcebk.dll
  • C:\PROGRA~1\SYSTEM~1\autocomp.exe
  • C:\WINDOWS\system32\msCMTSrvc.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Double click on LQFix.zip & Run LQFix.bat


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - AutoComplete Service (Autocomplete)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Answer NO if prompted to reboot.

Repeat steps 1-4 for the following services:
  • Command Service (cmdService)
  • Content Monitoring Tool (msCMTSrvc)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run HiJackThis, place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/r...&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {D90F882A-286B-4A78-B05D-6C9ADC603E16} - C:\WINDOWS\System32\kcebk.dll
O4 - HKLM\..\Run: [tOfHkm] C:\documents and settings\kristine gonzales\local settings\temp\tOfHkm.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\KRISTI~1\LOCALS~1\Temp\app44.tmp
O4 - HKLM\..\Run: [srLTY] C:\documents and settings\kristine gonzales\local settings\temp\srLTY.exe
O4 - HKLM\..\Run: [0CtOv] C:\documents and settings\kristine gonzales\local settings\temp\0CtOv.exe
O4 - HKLM\..\Run: [srLTY.exe] C:\documents and settings\kristine gonzales\local settings\temp\srLTY.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c9.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jpc3RpbmUgR29uemFsZXMA\command.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Documents and Settings\All Users\Application Data\Proxy bend dvd program\
  • C:\Documents and Settings\Guest\Application Data\Safephonefive\
  • C:\Program Files\Aprps\
  • C:\Program Files\Cas\Client\
  • C:\Program Files\ipee\
  • C:\WINDOWS\S3Jpc3RpbmUgR29uemFsZXMA\
  • C:\Program Files\Common Files\updater\
  • C:\WINDOWS\browserxtras\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Double-click WinPFind.zip & extract the contents to a new folder at Drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program will scan large amounts of files on your computer for known patterns, so please be patient while it works; it can take a while, 30 minutes or more.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform another online scan with Internet Explorer with Panda ActiveScan
Post the contents of the report in your next reply


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a Notepad page will pop up. Copy & paste those results in your next reply.
* If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Download fl.zip.
Extract the contents to a new folder on Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • L2MFix
  • FindLop.txt
  • WinPfind
  • TrackQoo1.vbs
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
 

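As an added example (my own code, not part of this thread and not from HijackThis, L2MFix or any other tool named here), the following Python script re-applies in code the signals the helper used above to pick which entries to fix, run over a constructed sample of lines copied from the posted log. The Base64 check is my own observation: the cmdService directory name in the log decodes to the account name.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not a tool from the thread and not part of
HijackThis.  It re-applies in code the signals the helper used to choose
entries to fix: autoruns launched from a temp directory, services whose
binary is missing or whose install directory is a Base64-encoded string,
and O16 DPF (ActiveX) entries that carry no control name.  Heuristics only:
review every hit against the full log by hand, as the helper did.
"""
import base64
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines in the format of the log posted above,
# mixing legitimate entries (NVIDIA, Java, WGA) with the ones the helper flagged.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [tOfHkm] C:\\documents and settings\\kristine gonzales\\local settings\\temp\\tOfHkm.exe
O4 - HKLM\\..\\Run: [Prein] C:\\DOCUME~1\\KRISTI~1\\LOCALS~1\\Temp\\app44.tmp
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\\PROGRA~1\\SYSTEM~1\\autocomp.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\S3Jpc3RpbmUgR29uemFsZXMA\\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Matches "...\local settings\temp\x.exe" and the 8.3 form "...\LOCALS~1\Temp\x.tmp".
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def looks_base64_encoded(component: str) -> bool:
    """True if a path component is well-formed Base64 that decodes to printable text.

    The service directory C:\\WINDOWS\\S3Jpc3RpbmUgR29uemFsZXMA in the log above
    decodes to "Kristine Gonzales" plus a trailing NUL, i.e. the account name.
    Ordinary Windows directory names almost never decode this cleanly.
    """
    if len(component) < 16 or len(component) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", component):
        return False
    try:
        raw = base64.b64decode(component, validate=True)
    except ValueError:
        return False
    text = raw.rstrip(b"\x00")
    return len(text) >= 4 and all(0x20 <= b < 0x7F for b in text)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the helper's removal signals."""
    findings: List[Finding] = []
    for raw_line in log_text.splitlines():
        line = raw_line.strip()
        m = O4_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m["cmd"]):
                findings.append(Finding("O4", "autorun launched from a temp directory", line))
            continue
        m = O16_RE.match(line)
        if m:
            if not m["desc"]:
                findings.append(Finding("O16", "ActiveX download with no control name", line))
            continue
        m = O23_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding("O23", "service binary is missing from disk", line))
            elif m["owner"] == "Unknown owner" and any(
                looks_base64_encoded(p) for p in m["path"].split("\\")
            ):
                findings.append(Finding("O23", "unknown owner, Base64-looking install directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Running the script flags the two temp-directory autoruns, the unnamed windupdates.com DPF entry and both rogue services, and leaves the NVIDIA, Java and WGA entries alone.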
Registered · 154 Posts · Discussion Starter #3
wow! I was on the computer we're talking about earlier this morning and I couldn't get to the internet. It kept giving me a message that it couldn't find the site. I tried in regular mode and safe mode. It would make life a lot easier if I could download all the stuff you want from that system.

any suggestions?

thanx
 

TSF Security Team, Emeritus · 26,363 Posts
Download & save these on removable media which you can transport to the infected machine.

DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

L2MFix.exe - Run it using the instructions I prescribed in my previous post

You can fit all 3 into 1 floppy.
 

Registered · 154 Posts · Discussion Starter #5
whew! All done. The only problem I ran into was that I couldn't do the clipboard thing with Killbox. I had to do the files individually.

It's working MUCH better, but I just got a pop up for a registry cleaner thing.

Here are the logs....

Panda


Incident Status Location

Spyware:spyware/whazit Reported C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wupd Reported C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
Adware:adware/upspiralbar Reported C:\WINDOWS\unist2.exe
Adware:adware/consumeralertsystem Reported C:\PROGRAM FILES\CasStub
Adware:adware/downloadware Reported C:\PROGRAM FILES\MLH
Adware:adware/xupiter Reported C:\PROGRAM FILES\Sqwire
Adware:adware/surfaccuracy Reported C:\PROGRAM FILES\SurfAccuracy
Adware:adware/sidesearch Reported C:\Documents and Settings\Kristine Gonzales\Application Data\Lycos
Spyware:spyware/cydoor Reported C:\WINDOWS\cdmxtras
Adware:adware/mediatickets Reported Windows Registry
Spyware:Cookie/Ask Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Adware:Adware/Imibar Reported C:\Documents and Settings\Administrator\Desktop\backups\backup-20051016-114749-921.dll
Spyware:Cookie/Ask Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Adware:Adware/WUpd Reported C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Dialer:dialer.b Reported C:\WINDOWS\tmlpcert2005

L2MFix
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1796 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1856 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (104 bytes security) (deflated 2%)
adding: aol.ini (104 bytes security) (deflated 50%)
adding: COMLOG.txt (104 bytes security) (stored 0%)
adding: debuglog.txt (104 bytes security) (deflated 2%)
adding: lo2.txt (104 bytes security) (deflated 58%)
adding: log.txt (104 bytes security) (deflated 91%)
adding: test.txt (104 bytes security) (stored 0%)
adding: test2.txt (104 bytes security) (stored 0%)
adding: test3.txt (104 bytes security) (stored 0%)
adding: test5.txt (104 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



FindLop

Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Administrator\Application Data

08/09/2005 03:17 PM <DIR> Adobe
08/01/2005 09:20 PM <DIR> Aim
10/12/2005 09:15 PM <DIR> Help
09/17/2001 04:14 PM <DIR> Identities
08/04/2005 08:56 PM <DIR> Lavasoft
04/23/2005 11:24 AM <DIR> Macromedia
06/01/2002 05:48 PM <DIR> Real
0 File(s) 0 bytes
7 Dir(s) 48,031,866,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\All Users\Application Data

01/22/2005 08:13 PM <DIR> Apple Computer
07/19/2003 09:46 PM 17 DirectCDUserNameE.txt
04/07/2005 08:14 PM <DIR> McAfee
04/07/2005 09:52 PM <DIR> McAfee.com
05/09/2005 12:59 PM <DIR> McAfee.com Personal Firewall
11/24/2002 07:38 PM <DIR> MSN Messenger 5.0.0527
06/26/2002 09:15 PM <DIR> MSN6
11/04/2004 04:04 PM <DIR> Napster
10/16/2004 02:39 AM <DIR> nView_Profiles
04/13/2005 06:48 PM <DIR> QuickTime
04/23/2005 11:33 AM <DIR> Spybot - Search & Destroy
04/07/2005 08:06 PM <DIR> Symantec
04/23/2005 02:57 PM <DIR> Viewpoint
08/04/2005 08:59 PM <DIR> Windows Genuine Advantage
1 File(s) 17 bytes
13 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Guest\Application Data

09/17/2001 04:14 PM <DIR> Identities
02/27/2003 09:52 PM <DIR> MSN6
06/01/2002 05:48 PM <DIR> Real
02/27/2003 05:29 PM <DIR> Share-to-Web Upload Folder
0 File(s) 0 bytes
4 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Kristine Gonzales\Application Data

03/18/2003 10:26 PM <DIR> Adobe
02/19/2005 01:04 PM <DIR> Aim
01/22/2005 08:14 PM <DIR> Apple Computer
03/18/2003 10:26 PM 0 dm.ini
04/07/2003 06:49 PM 27,976 GDIPFONTCACHEV1.DAT
07/08/2002 07:47 PM <DIR> Help
12/10/2002 06:20 PM <DIR> ICAClient
09/17/2001 04:14 PM <DIR> Identities
03/18/2003 10:26 PM <DIR> InterTrust
06/26/2002 07:56 PM <DIR> InterVideo
08/01/2005 09:09 PM <DIR> Lavasoft
09/25/2003 08:16 PM <DIR> Lycos
06/24/2003 12:20 PM <DIR> Macromedia
04/07/2005 08:14 PM <DIR> McAfee
04/07/2005 08:24 PM <DIR> McAfee.com Personal Firewall
08/30/2005 12:11 AM <DIR> Mozilla
01/12/2003 03:27 PM <DIR> MSN6
04/23/2005 11:04 AM <DIR> Owns drv
06/11/2003 10:47 PM <DIR> Real
11/04/2004 04:01 PM <DIR> Roxio
01/19/2003 11:55 PM <DIR> Share-to-Web Upload Folder
07/08/2002 07:06 PM <DIR> Symantec
08/30/2005 12:11 AM <DIR> Talkback
11/07/2002 09:52 PM <DIR> Template
08/11/2005 08:02 PM <DIR> Trend Micro
03/31/2005 10:37 PM <DIR> uoau
03/17/2005 11:12 PM <DIR> WeatherBug
04/23/2005 10:50 AM <DIR> Webshots
08/30/2005 12:19 AM <DIR> Yahoo!
06/30/2005 05:36 PM <DIR> Yahoo! Messenger
2 File(s) 27,976 bytes
28 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Owner\Application Data

09/17/2001 04:14 PM <DIR> Identities
06/01/2002 05:48 PM <DIR> Real
0 File(s) 0 bytes
2 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Default User\Application Data

09/17/2001 04:14 PM <DIR> .
09/17/2001 04:14 PM <DIR> ..
09/17/2001 12:47 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 48,031,858,688 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'B5BFDB3694804CE6.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\safeph~1\okay peak eq.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/23/2004 9:00:00
NextRun: 10/21/2005 21:00:00
StartError: 0x80070003
ExitCode: 0xc000013a
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/10/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'McAfee.com Update Check (CPQ11262219752-Kristine Gonzales).job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\mcafee.com\agent\mcupdate.exe'
Parameters: '/Schedule'
WorkingDirectory: 'C:\PROGRA~1\mcafee.com\agent'
Comment: 'McAfee SecurityCenter periodically checks for updates for your McAfee Services.'
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 10/22/2005 0:06:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/22/2005
EndDate: 00/00/0000
StartTime: 00:06
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Registration reminder 2.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\OOBE\oobebaln.exe'
Parameters: '/sys /r /n:2'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 07/06/2002
EndDate: 00/00/0000
StartTime: 00:05
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/19/2005 22:29:00
NextRun: 10/21/2005 22:29:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/20/2005
EndDate: 00/00/0000
StartTime: 02:29
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2005 16:00:00
NextRun: 10/24/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/22/2005 9:00:00
NextRun: 10/24/2005 9:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/16/2005 16:00:00
NextRun: 10/28/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0



WinPfind

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/15/2005 12:52:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 10/15/2005 12:52:22 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/15/2005 12:52:22 PM 1044560 C:\WINDOWS\vsapi32.dll
Umonitor 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ZepMon 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ad-w-a-r-e.com 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx

Checking %System% folder...
PEC2 8/18/2001 10:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
abetterinternet.com 6/28/2003 4:19:16 PM H 30106 C:\WINDOWS\SYSTEM32\fiz2
abetterinternet.com 7/29/2003 9:34:24 PM H 30057 C:\WINDOWS\SYSTEM32\fiz9
PTech 3/26/2004 8:50:38 PM H 2756287 C:\WINDOWS\SYSTEM32\kyf.dat
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 10:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/20/2005 9:24:20 PM S 2048 C:\WINDOWS\bootstat.dat
8/27/2005 2:58:02 PM HS 13312 C:\WINDOWS\Thumbs.db
10/4/2005 1:16:36 PM S 20086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/30/2005 11:10:00 AM S 7711 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 2:48:28 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/24/2005 10:03:20 PM S 9798 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905495.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/20/2005 9:24:14 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/20/2005 9:45:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/20/2005 9:24:22 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/20/2005 9:46:26 PM H 184320 C:\WINDOWS\system32\config\software.LOG
10/20/2005 9:45:02 PM H 290816 C:\WINDOWS\system32\config\system.LOG
10/17/2005 8:07:18 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/20/2005 9:00:02 PM H 254 C:\WINDOWS\Tasks\B5BFDB3694804CE6.job
10/20/2005 9:22:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/6/2005 4:00:02 PM H 430 C:\WINDOWS\Tasks\{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales.job
9/22/2005 9:00:02 AM H 430 C:\WINDOWS\Tasks\{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales.job
9/16/2005 4:00:02 PM H 430 C:\WINDOWS\Tasks\{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales.job

Checking for CPL files...
Microsoft Corporation 8/18/2001 10:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/30/2003 4:17:20 PM 579584 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 6/4/2001 1:40:20 PM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 2:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 2:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/2/2005 11:09:24 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/17/2001 12:56:56 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/13/2002 10:15:34 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
6/1/2002 5:49:42 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/17/2001 12:47:10 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
7/19/2003 9:46:28 PM 17 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
9/17/2001 12:56:56 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/17/2001 12:47:10 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsfksqy
{c474eb00-15af-4795-9bd7-9259766bd050} = C:\WINDOWS\System32\jbrjk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
CARPService carpserv.exe
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
srmclean C:\Cpqs\Scom\srmclean.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
nwiz nwiz.exe /install
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
fmt c:\docume~1\kristi~1\locals~1\temp\pmt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
adspps
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key !�Òûâ¾ÐÛ[T’Ö¥Òo
Hint pig
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 0
n 0
s 0
v 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
adspps C:\WINDOWS\System32\adspps.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/20/2005 9:53:42 PM



TrackQoo

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"CARPService"="carpserv.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq]
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- fqsfksqy
{c474eb00-15af-4795-9bd7-9259766bd050}
C:\WINDOWS\System32\jbrjk.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022}

c:\progra~1\mcafee.com\vso\mcvsshl.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\Kristine Gonzales\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mbllnk.cpl AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation




HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:39:23 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\n?svc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cgi?uid=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aaou] "C:\Program Files\ipee\othb.exe" -vt ndrv
O4 - HKCU\..\Run: [Zvqtsi] C:\WINDOWS\System32\n?svc32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BE8D7B2-329C-442A-A4AC-ABA9D7572602} (McSubMgr Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

Discussion Starter #6
whew! All done. Only problem I ran into was that I couldn't do the clipboard thing with Killbox. I had to do the files individually.

It's working MUCH better, but I just got a pop-up for a registry cleaner thing.

Here are the logs....

Panda


Incident Status Location

Spyware:spyware/whazit Reported C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wupd Reported C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaGatewayX.dll
Adware:adware/upspiralbar Reported C:\WINDOWS\unist2.exe
Adware:adware/consumeralertsystemReported C:\PROGRAM FILES\CasStub
Adware:adware/downloadware Reported C:\PROGRAM FILES\MLH
Adware:adware/xupiter Reported C:\PROGRAM FILES\Sqwire
Adware:adware/surfaccuracy Reported C:\PROGRAM FILES\SurfAccuracy
Adware:adware/sidesearch Reported C:\Documents and Settings\Kristine Gonzales\Application Data\Lycos
Spyware:spyware/cydoor Reported C:\WINDOWS\cdmxtras
Adware:adware/mediatickets Reported Windows Registry
Spyware:Cookie/Ask Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Adware:Adware/Imibar Reported C:\Documents and Settings\Administrator\Desktop\backups\backup-20051016-114749-921.dll
Spyware:Cookie/Ask Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][2].txt
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Kristine Gonzales\Cookies\kristine [email protected][1].txt
Adware:Adware/WUpd Reported C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Dialer:dialer.b Reported C:\WINDOWS\tmlpcert2005

L2MFix
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
C:\
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1796 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 1856 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (104 bytes security) (deflated 2%)
adding: aol.ini (104 bytes security) (deflated 50%)
adding: COMLOG.txt (104 bytes security) (stored 0%)
adding: debuglog.txt (104 bytes security) (deflated 2%)
adding: lo2.txt (104 bytes security) (deflated 58%)
adding: log.txt (104 bytes security) (deflated 91%)
adding: test.txt (104 bytes security) (stored 0%)
adding: test2.txt (104 bytes security) (stored 0%)
adding: test3.txt (104 bytes security) (stored 0%)
adding: test5.txt (104 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set to:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************



FindLop

Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Administrator\Application Data

08/09/2005 03:17 PM <DIR> Adobe
08/01/2005 09:20 PM <DIR> Aim
10/12/2005 09:15 PM <DIR> Help
09/17/2001 04:14 PM <DIR> Identities
08/04/2005 08:56 PM <DIR> Lavasoft
04/23/2005 11:24 AM <DIR> Macromedia
06/01/2002 05:48 PM <DIR> Real
0 File(s) 0 bytes
7 Dir(s) 48,031,866,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\All Users\Application Data

01/22/2005 08:13 PM <DIR> Apple Computer
07/19/2003 09:46 PM 17 DirectCDUserNameE.txt
04/07/2005 08:14 PM <DIR> McAfee
04/07/2005 09:52 PM <DIR> McAfee.com
05/09/2005 12:59 PM <DIR> McAfee.com Personal Firewall
11/24/2002 07:38 PM <DIR> MSN Messenger 5.0.0527
06/26/2002 09:15 PM <DIR> MSN6
11/04/2004 04:04 PM <DIR> Napster
10/16/2004 02:39 AM <DIR> nView_Profiles
04/13/2005 06:48 PM <DIR> QuickTime
04/23/2005 11:33 AM <DIR> Spybot - Search & Destroy
04/07/2005 08:06 PM <DIR> Symantec
04/23/2005 02:57 PM <DIR> Viewpoint
08/04/2005 08:59 PM <DIR> Windows Genuine Advantage
1 File(s) 17 bytes
13 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Guest\Application Data

09/17/2001 04:14 PM <DIR> Identities
02/27/2003 09:52 PM <DIR> MSN6
06/01/2002 05:48 PM <DIR> Real
02/27/2003 05:29 PM <DIR> Share-to-Web Upload Folder
0 File(s) 0 bytes
4 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Kristine Gonzales\Application Data

03/18/2003 10:26 PM <DIR> Adobe
02/19/2005 01:04 PM <DIR> Aim
01/22/2005 08:14 PM <DIR> Apple Computer
03/18/2003 10:26 PM 0 dm.ini
04/07/2003 06:49 PM 27,976 GDIPFONTCACHEV1.DAT
07/08/2002 07:47 PM <DIR> Help
12/10/2002 06:20 PM <DIR> ICAClient
09/17/2001 04:14 PM <DIR> Identities
03/18/2003 10:26 PM <DIR> InterTrust
06/26/2002 07:56 PM <DIR> InterVideo
08/01/2005 09:09 PM <DIR> Lavasoft
09/25/2003 08:16 PM <DIR> Lycos
06/24/2003 12:20 PM <DIR> Macromedia
04/07/2005 08:14 PM <DIR> McAfee
04/07/2005 08:24 PM <DIR> McAfee.com Personal Firewall
08/30/2005 12:11 AM <DIR> Mozilla
01/12/2003 03:27 PM <DIR> MSN6
04/23/2005 11:04 AM <DIR> Owns drv
06/11/2003 10:47 PM <DIR> Real
11/04/2004 04:01 PM <DIR> Roxio
01/19/2003 11:55 PM <DIR> Share-to-Web Upload Folder
07/08/2002 07:06 PM <DIR> Symantec
08/30/2005 12:11 AM <DIR> Talkback
11/07/2002 09:52 PM <DIR> Template
08/11/2005 08:02 PM <DIR> Trend Micro
03/31/2005 10:37 PM <DIR> uoau
03/17/2005 11:12 PM <DIR> WeatherBug
04/23/2005 10:50 AM <DIR> Webshots
08/30/2005 12:19 AM <DIR> Yahoo!
06/30/2005 05:36 PM <DIR> Yahoo! Messenger
2 File(s) 27,976 bytes
28 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Owner\Application Data

09/17/2001 04:14 PM <DIR> Identities
06/01/2002 05:48 PM <DIR> Real
0 File(s) 0 bytes
2 Dir(s) 48,031,862,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\Default User\Application Data

09/17/2001 04:14 PM <DIR> .
09/17/2001 04:14 PM <DIR> ..
09/17/2001 12:47 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 48,031,858,688 bytes free
Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 58EC-7F32

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'B5BFDB3694804CE6.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\progra~1\safeph~1\okay peak eq.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/23/2004 9:00:00
NextRun: 10/21/2005 21:00:00
StartError: 0x80070003
ExitCode: 0xc000013a
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/10/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'McAfee.com Update Check (CPQ11262219752-Kristine Gonzales).job'
[TRACE] Printing all job properties

ApplicationName: 'C:\PROGRA~1\mcafee.com\agent\mcupdate.exe'
Parameters: '/Schedule'
WorkingDirectory: 'C:\PROGRA~1\mcafee.com\agent'
Comment: 'McAfee SecurityCenter periodically checks for updates for your McAfee Services.'
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 10/22/2005 0:06:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/22/2005
EndDate: 00/00/0000
StartTime: 00:06
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Registration reminder 2.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\OOBE\oobebaln.exe'
Parameters: '/sys /r /n:2'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 07/06/2002
EndDate: 00/00/0000
StartTime: 00:05
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Kristine Gonzales'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/19/2005 22:29:00
NextRun: 10/21/2005 22:29:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/20/2005
EndDate: 00/00/0000
StartTime: 02:29
MinutesDuration: 1440
MinutesInterval: 240
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/06/2005 16:00:00
NextRun: 10/24/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/22/2005 9:00:00
NextRun: 10/24/2005 9:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 09/16/2005 16:00:00
NextRun: 10/28/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0



WinPfind

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\LPT$VPN.893
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/15/2005 12:52:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/15/2005 12:52:20 PM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 10/15/2005 12:52:22 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/15/2005 12:52:22 PM 1044560 C:\WINDOWS\vsapi32.dll
Umonitor 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ZepMon 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx
ad-w-a-r-e.com 8/22/2005 2:41:34 PM 316416 C:\WINDOWS\vx2cleaner.dlx

Checking %System% folder...
PEC2 8/18/2001 10:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
abetterinternet.com 6/28/2003 4:19:16 PM H 30106 C:\WINDOWS\SYSTEM32\fiz2
abetterinternet.com 7/29/2003 9:34:24 PM H 30057 C:\WINDOWS\SYSTEM32\fiz9
PTech 3/26/2004 8:50:38 PM H 2756287 C:\WINDOWS\SYSTEM32\kyf.dat
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 7:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 10:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/20/2005 9:24:20 PM S 2048 C:\WINDOWS\bootstat.dat
8/27/2005 2:58:02 PM HS 13312 C:\WINDOWS\Thumbs.db
10/4/2005 1:16:36 PM S 20086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/30/2005 11:10:00 AM S 7711 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 2:48:28 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/24/2005 10:03:20 PM S 9798 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905495.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/20/2005 9:24:14 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/20/2005 9:45:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/20/2005 9:24:22 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/20/2005 9:46:26 PM H 184320 C:\WINDOWS\system32\config\software.LOG
10/20/2005 9:45:02 PM H 290816 C:\WINDOWS\system32\config\system.LOG
10/17/2005 8:07:18 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/20/2005 9:00:02 PM H 254 C:\WINDOWS\Tasks\B5BFDB3694804CE6.job
10/20/2005 9:22:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
10/6/2005 4:00:02 PM H 430 C:\WINDOWS\Tasks\{6FE9A54B-DDC4-47DE-82CF-68FB0049F596}_CPQ11262219752_Kristine Gonzales.job
9/22/2005 9:00:02 AM H 430 C:\WINDOWS\Tasks\{70B78B6A-3412-4B51-AF7A-D239F1658605}_CPQ11262219752_Kristine Gonzales.job
9/16/2005 4:00:02 PM H 430 C:\WINDOWS\Tasks\{7449E5D5-DFED-4AFE-8F95-6FEC3D26D32A}_CPQ11262219752_Kristine Gonzales.job

Checking for CPL files...
Microsoft Corporation 8/18/2001 10:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/30/2003 4:17:20 PM 579584 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 6/4/2001 1:40:20 PM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 10/6/2003 2:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 2:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 9/2/2005 11:09:24 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 10:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/17/2001 12:56:56 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/13/2002 10:15:34 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
6/1/2002 5:49:42 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/17/2001 12:47:10 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
7/19/2003 9:46:28 PM 17 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
9/17/2001 12:56:56 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/17/2001 12:47:10 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsfksqy
{c474eb00-15af-4795-9bd7-9259766bd050} = C:\WINDOWS\System32\jbrjk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
CARPService carpserv.exe
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
srmclean C:\Cpqs\Scom\srmclean.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
nwiz nwiz.exe /install
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MSKAGENTEXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
MSKDetectorExe C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
fmt c:\docume~1\kristi~1\locals~1\temp\pmt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
adspps
CleanUp! C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key !�Òûâ¾ÐÛ[T’Ö¥Òo
Hint pig
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 0
n 0
s 0
v 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
adspps C:\WINDOWS\System32\adspps.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/20/2005 9:53:42 PM



TrackQoo

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"CARPService"="carpserv.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq]
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- fqsfksqy
{c474eb00-15af-4795-9bd7-9259766bd050}
C:\WINDOWS\System32\jbrjk.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022}

c:\progra~1\mcafee.com\vso\mcvsshl.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
==============================
C:\Documents and Settings\Kristine Gonzales\Start Menu\Programs\Startup

desktop.ini
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mbllnk.cpl AvantGo, Inc.
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation




HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:39:23 PM, on 10/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\n?svc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ipee\othb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cgi?uid=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aaou] "C:\Program Files\ipee\othb.exe" -vt ndrv
O4 - HKCU\..\Run: [Zvqtsi] C:\WINDOWS\System32\n?svc32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BE8D7B2-329C-442A-A4AC-ABA9D7572602} (McSubMgr Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

TSF Security Team, Emeritus · 26,363 Posts
Download the file I've attached to this post - regdel.zip

From within it, double click on regdel.reg & allow to merge into Registry


* * * * * * * * * * * * * * * *


Check the add/remove section for these programs. If available, please uninstall them:

CasStub
MLH
Sqwire
SurfAccuracy
System Soap



* * * * * * * * * * * * * * * *


Use HijackThis to fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...d=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...d=11785445&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [Aaou] "C:\Program Files\ipee\othb.exe" -vt ndrv
O4 - HKCU\..\Run: [Zvqtsi] C:\WINDOWS\System32\n?svc32.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c9.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx



* * * * * * * * * * * * * * * *


Please unhide hidden/system files & delete these files/folders: (let me know if any isn't deleted)

C:\Documents and Settings\Kristine Gonzales\Application Data\Lycos
C:\Documents and Settings\Kristine Gonzales\Application Data\Owns drv
C:\PROGRAM FILES\CasStub
C:\PROGRAM FILES\MLH
C:\PROGRAM FILES\Sqwire
C:\PROGRAM FILES\SurfAccuracy
C:\WINDOWS\cdmxtras
C:\WINDOWS\tmlpcert2005
C:\Program Files\ipee\
C:\PROGRAM FILES\System Soap\


C:\WINDOWS\Tasks\B5BFDB3694804CE6.job
C:\WINDOWS\SYSTEM32\fiz2
C:\WINDOWS\SYSTEM32\fiz9
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\unist2.exe
C:\WINDOWS\System32\n?svc32.exe

C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
>> may need Killbox

C:\WINDOWS\System32\jbrjk.dll >> may not be present
C:\WINDOWS\System32\adspps.exe >> may not be present


* * * * * * * * * * * * * * * *


Run CleanUp! & then perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot & post a new HJT log
 