Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Secong HJT Log After Fixing


  • This topic is locked This topic is locked
19 replies to this topic

#1 Sabre3of4

Sabre3of4

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 18 February 2005 - 05:01 PM

OK, here the tangled mess is....
my dd -says- she was on one of her doll bases sites and a new one wanted an agreement to not 'franken doll'. So she clicks yes and the problems began.
We run Wal-Mart Connect and I keep getting pop-ups in Internet Explorer for various adult sites and stripper desktops, ect....(I keep trying to get rid of IE but when I try, I get told that 'another program is using it so it can't be deleted' but that might be a problem for another forum)
I run the Win XP Firewall, Ad-Aware SE Personal, Spybot, Norton, Pop-Up Stopper Free Edition. I have added Spy Guard, Spyblaster, CWS Shredder and changed Norton to Avast.
The EGroup dialer thing loads up when the computer is started and shows up in the taskbar as Instant Access(I think). I would ppreciate any advice on this if any is poosible. My Hijack This log is below:)

TIA,
Sabrina

Logfile of HijackThis v1.99.0
Scan saved at 3:20:48 PM, on 2/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.browser-page.com/homebh/
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINNT\System32\siq.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1057_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/17b0c186d2597c...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitquick.com/v30/siq.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINNT\System32\PackethSvc.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 19 February 2005 - 12:02 AM

I am reviewing your log, and will post back shortly
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 19 February 2005 - 12:35 AM

Hello Sabrina.

You have some malware on your computer. Not to worry, we will soon have it off. :thumbsup:

****************************************************
If you have either Spybot Teatimer, SpywareGuard, or other spyware programs that prevent registry changes, you will have to disable them before using Hijackthis. After we are clean, then you can enable them.

****************************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: ohb - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - C:\WINNT\System32\siq.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1057_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/17b0c186d2597c...ip/RdxIE601.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} (iiittt Class) - http://tb.searchitquick.com/v30/siq.cab


****************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:
C:\WINNT\System32\siq.dll <==file
EGDACCESS_1057.dll <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\WINDOWS\

****************************************************
Let empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

****************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 Sabre3of4

Sabre3of4
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 19 February 2005 - 10:44 PM

OK, here is the second log.
I could not find the second file- EGDACCESS_1057.dll at all anywere.
The pop-ups are still showing up, is there something else I should do?
Thank you, I really really appreciate the help
Sabrina
Second Hijack log--
Logfile of HijackThis v1.99.0
Scan saved at 9:25:26 PM, on 2/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.browser-page.com/homebh/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINNT\System32\PackethSvc.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 20 February 2005 - 01:38 AM

I merged your second log with your original thread (Topic). When you post follow up logs, please stick to the same thread. Just click the reply button to the original Topic. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.
If you have problems finding your original thread, check your email for a link to it or click on My Topics at the top right of any bleepingcomputer forum page. Thanks!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 20 February 2005 - 02:17 AM

Hello Sabrina,

Those popups by be cause by ActiveX's running. We can clean some more items from your log and see if that kills the popups.

***************************************************

If you have either Spybot Teatimer, SpywareGuard, or other spyware programs that prevent registry changes, you will have to disable them before using Hijackthis.

After we are clean, then you can enable them.

***************************************************

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


***************************************************

Let empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner ,(click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.3 and Adaware SE

Fix whatever they suggest.

***************************************************

If you need help running these tools, here are some helpful tutorials.
Spybot 1.3 Tutorial
Adaware SE Tutorial

***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.



The following explains how to set Ad-aware's settings to perform a "Full Scan."


In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



***************************************************

Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

***************************************************

I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner
or Panda Scan Online virus scanner

***************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Sabre3of4

Sabre3of4
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 22 February 2005 - 02:51 PM

Whew! I thought for a minute my posts had disappeared for some reason...:thumbsup:
The pops-ups are slowly disappearing, I am down to the desktop strippers, celebrity secrets ones and a games one.....My DD got a spy bot pop-up about a registry change for this rundll32.exeEGDACCESS_1057, Instant Access. She just hit the close button before I got there so was this anything?
and here is my third HJT scan...

Thank you,
I really appreciate this :flowers:
Sabrina

Logfile of HijackThis v1.99.0
Scan saved at 12:16:03 PM, on 2/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.browser-page.com/homebh/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.217 - http://63.102.226.240:8000/Java/cfs31217.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINNT\System32\PackethSvc.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 22 February 2005 - 04:18 PM

Hello Sabrina,



The pops-ups are slowly disappearing, I am down to the desktop strippers, celebrity secrets ones and a games one.....My DD got a spy bot pop-up about a registry change for this rundll32.exeEGDACCESS_1057, Instant Access. She just hit the close button before I got there so was this anything?



This log looks clean, but you say you are still getting popups. Very strange. :thumbsup:

Lets do this:
In HijackThis please click Config > Misc Tools> place a checkmark in the two boxes under Generate StartupList log then click that buton.
Please post the content of the text file it produces, in your next post.

*********************************************

Is you DD on a different login? If so, then I will need a Hijackthis log from her login (each persons login can have malware and that require a HJT log).
Make sure you tell me that it is from DD's and not yours, so I do not get mixed up.

Edited by SifuMike, 22 February 2005 - 04:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Sabre3of4

Sabre3of4
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 22 February 2005 - 06:01 PM

Hello, SifuMike:)
Here is what you asked for.....
No, no-one is on a different login tat I know of.
Sabrina

StartupList report, 2/22/2005, 4:46:30 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\spider.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Documents and Settings\Owner\My Documents\Recent Computer Downloads\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
PowerReg Scheduler.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
PowerReg Scheduler.exe
Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
CapFax = C:\Program Files\PhoneTools\CapFax.EXE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
PopUpStopperFreeEdition = "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
spc_w = "C:\Program Files\NZSearch\hcm.exe" -w
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{8CC2FDC0-0C5D-11D7-AD8E-0050DA87D0EB}S25425] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\System32\Rundll32.exe C:\WINNT\System32\mscories.dll,Install

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[ChatSpace Full Java Client 3.1.0.217]
CODEBASE = http://63.102.226.240:8000/Java/cfs31217.cab
OSD = C:\WINNT\Downloaded Program Files\ChatSpace Full Java Client 3.1.0.217.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab

[{02BCC737-B171-4746-94C9-0D8A0B2C0089}]
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{0E5F0222-96B9-11D3-8997-00104BD12D94}]
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINNT\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1098418353683

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[Communities.com Passport]
InProcServer32 = c:\Program Files\Communities.com\CartoonOrbit\QU2LMT59HBCAYVJABNCYUN6DT7XKQLE3.dll
CODEBASE = http://cartoonorbit.cartoonnetwork.com/orb.../winorbiter.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

[{DF6A0F17-0B1E-11D4-829D-00C04F6843FE}]
CODEBASE = http://officeupdate.microsoft.com/Template...nloads/outc.cab

[{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
CODEBASE = http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\mswsock.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\mswsock.dll
Protocol #1: C:\WINNT\system32\mswsock.dll
Protocol #2: C:\WINNT\system32\mswsock.dll
Protocol #3: C:\WINNT\system32\mswsock.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\mswsock.dll
Protocol #7: C:\WINNT\system32\mswsock.dll
Protocol #8: C:\WINNT\system32\mswsock.dll
Protocol #9: C:\WINNT\system32\mswsock.dll
Protocol #10: C:\WINNT\system32\mswsock.dll
Protocol #11: C:\WINNT\system32\mswsock.dll
Protocol #12: C:\WINNT\system32\mswsock.dll
Protocol #13: C:\WINNT\system32\mswsock.dll
Protocol #14: C:\WINNT\system32\mswsock.dll
Protocol #15: C:\WINNT\system32\mswsock.dll
Protocol #16: C:\WINNT\system32\mswsock.dll
Protocol #17: C:\WINNT\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
aswRdr: \??\C:\WINNT\System32\drivers\aswRdr.sys (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
BCM V.90 56K Modem: System32\DRIVERS\BCMDM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINNT\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
GTW V.92 Voice Modem: System32\DRIVERS\GWMDM.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimFP5: System32\DRIVERS\wADV07nt.sys (manual start)
iAimFP6: System32\DRIVERS\wADV08nt.sys (manual start)
iAimFP7: System32\DRIVERS\wADV09nt.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
iAimTV5: System32\DRIVERS\wATV10nt.sys (manual start)
iAimTV6: System32\DRIVERS\wATV06nt.sys (manual start)
Imapi: system32\drivers\ImapiRox.sys (system)
IMAPI CD-Burning COM Service: C:\WINNT\System32\ImapiRox.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Virtual NIC Service: C:\WINNT\System32\PackethSvc.exe (autostart)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PictureTaker: c:\fixit\pt\PCTKRNT.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINNT\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PS/2 Keyboard Filter Driver for Win2000: System32\DRIVERS\Sk99202k.sys (manual start)
PS/2 Keyboard Filter Driver for NT 4.0: System32\DRIVERS\Sk9920nt.sys (system)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINNT\System32\dllhost.exe /Processid:{1CC14034-ABF5-4E23-BDE4-0728F516DD93} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WMI Performance Adapter: C:\WINNT\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,370 bytes
Report generated in 1.469 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 22 February 2005 - 06:54 PM

Hello Sabrina,

I am down to the desktop strippers, celebrity secrets ones and a games one.....


It might be VX2 malware causing the popups, as I see nothing in your log.

Please post the log from your Adaware SE last scan.

The fastest way to get the Adaware SE log is to navigate to your Ad-aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs. TheUSER NAME will be your name.

Open this folder and find the correct log.
The logs are named "Ad-Aware-log ##-##-##.txt (the #'s will be the date of the scan). Highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Now be online, logged in and ready to post your logfile.
Press Ctl and V and that will copy your logfile to the post!

********************************************

My DD got a spy bot pop-up about a registry change for this rundll32.exeEGDACCESS_1057, Instant Access




You lost me. :thumbsup: What is DD?
Do you mean that Spybot's Teatimer popuped to notifed you of a change in the registry? If so, that is normal to notify you of a change and allow you to block it. rundll32.exe EGDACCESS_1057.dll,InstantAccess is a porn dialer.

Edited by SifuMike, 22 February 2005 - 07:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 22 February 2005 - 07:20 PM

Hello Sabrina,

Did you run A2 trojan scan, TrendMicro and Panda Scan as I asked you? I do not see those in your log.

Sounds like you still have a couple of malware files on your computer. You said previously that you could not find these files, so that is the problem.

Disable Spybot Teatimer, SpywareGuard and any other tool that prevents registry changes. Here is how to turn off Teatimer: http://russelltexas.com/malware/teatimer.htm


Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\EGDACCESS_1057.dll

Check the box to delete on reboot and click the red X to the right.
Click OK, then NO to reboot now.

Copy the next filepath (below) and paste it in the box, and repeat the above steps. When all of the below filepaths are done, allow it to reboot.

C:\WINDOWS\System32\EGDACCESS_1057.inf

Tell me how your computer is running.

Edited by SifuMike, 22 February 2005 - 07:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Sabre3of4

Sabre3of4
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 23 February 2005 - 10:19 PM

LOL, DD is cutesy shorthand from needlework board I frequent. It means 'dear', 'darling', or less comlimentary terms and 'daughter'--DD=Dear Daughter(usually)
OK, I did the A2 and it found nothing, I tried Trend Micro and it shuts down on me because it takes so long( I am told by those in the know that it is because of the bad phone lines here). I ran Panda and it found nothing. I ran Avast before that and it found something called Kuang32. It's in the chest until you tell me to delete it.:thumbsup:
On the Teatimer I clicked off the spyware catchers but I also clicked off these two entrys:
HK_LM:Run Hot Key 9910 Daemon SK9910DM:exe
HK_LM:Run Quick Time Task C:\Program Files\Quicktime qttask.exe-at boot time
I just did the unclick, I didn't erase them. Are they good or bad? The info box said the Quicktime one was a parasite/virus. The other one has just lloked wrong for a long time.
and I ran the Pocket Killbox for the two entries you gave me.


Thank you:)
Sabrina


Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, February 23, 2005 10:25:11 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
EGroup Dialer(TAC index:5):13 total references
MRU List(TAC index:0):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R28 16.02.2005
Internal build : 33
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 411893 Bytes
Total size : 1300934 Bytes
Signature data size : 1271214 Bytes
Reference data size : 29208 Bytes
Signatures total : 36156
Fingerprints total : 620
Fingerprints size : 23479 Bytes
Target categories : 15
Target families : 632


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:21 %
Total physical memory:129328 kb
Available physical memory:26880 kb
Total page file size:312168 kb
Available on page file:150248 kb
Total virtual memory:2097024 kb
Available virtual memory:2042752 kb
OS:Microsoft Windows XP Home Edition (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-23-2005 10:25:11 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 360
ThreadCreationTime : 2-24-2005 4:13:34 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINNT\system32\csrss.exe
Command Line : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThre
ProcessID : 416
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 440
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : C:\WINNT\system32\services.exe
ProcessID : 484
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : C:\WINNT\system32\lsass.exe
ProcessID : 496
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost -k rpcss
ProcessID : 656
ThreadCreationTime : 2-24-2005 4:13:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k netsvcs
ProcessID : 680
ThreadCreationTime : 2-24-2005 4:13:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k NetworkService
ProcessID : 844
ThreadCreationTime : 2-24-2005 4:13:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k LocalService
ProcessID : 856
ThreadCreationTime : 2-24-2005 4:13:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
ModuleName : C:\WINNT\Explorer.EXE
Command Line : C:\WINNT\Explorer.EXE
ProcessID : 1020
ThreadCreationTime : 2-24-2005 4:13:40 AM
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [lexbces.exe]
ModuleName : C:\WINNT\system32\LEXBCES.EXE
Command Line : C:\WINNT\system32\LEXBCES.EXE
ProcessID : 1052
ThreadCreationTime : 2-24-2005 4:13:40 AM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : C:\WINNT\system32\spoolsv.exe
ProcessID : 1116
ThreadCreationTime : 2-24-2005 4:13:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
ModuleName : C:\WINNT\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 1124
ThreadCreationTime : 2-24-2005 4:13:41 AM
BasePriority : Normal


#:14 [packethsvc.exe]
ModuleName : C:\WINNT\System32\PackethSvc.exe
Command Line : C:\WINNT\System32\PackethSvc.exe
ProcessID : 1244
ThreadCreationTime : 2-24-2005 4:13:42 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 6
ProductVersion : 6, 0, 0, 6
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Virtual Adapter Service
InternalName : Virtual Adapter Service
LegalCopyright : Copyright © America Online, Inc. 1999 - 2001
OriginalFilename : PackethSvc.exe

#:15 [aswupdsv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
ProcessID : 1292
ThreadCreationTime : 2-24-2005 4:13:43 AM
BasePriority : Normal


#:16 [ashserv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashServ.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
ProcessID : 1364
ThreadCreationTime : 2-24-2005 4:13:44 AM
BasePriority : High
FileVersion : 4, 6, 602, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswServ.exe

#:17 [hkcmd.exe]
ModuleName : C:\WINNT\System32\hkcmd.exe
Command Line : "C:\WINNT\System32\hkcmd.exe"
ProcessID : 1404
ThreadCreationTime : 2-24-2005 4:13:45 AM
BasePriority : Normal
FileVersion : 3,0,0,1241
ProductVersion : 7,0,0,1241
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2001, Intel Corporation
OriginalFilename : HKCMD.EXE

#:18 [gwmdmmsg.exe]
ModuleName : C:\WINNT\GWMDMMSG.exe
Command Line : "C:\WINNT\GWMDMMSG.exe"
ProcessID : 1412
ThreadCreationTime : 2-24-2005 4:13:45 AM
BasePriority : Normal
FileVersion : 3.3.17 10/31/2001 20:10:32
ProductVersion : 3.3.17 10/31/2001 20:10:32
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © GTW 1998-2000
OriginalFilename : smdmstat.exe

#:19 [directcd.exe]
ModuleName : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Command Line : "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ProcessID : 1432
ThreadCreationTime : 2-24-2005 4:13:46 AM
BasePriority : Normal
FileVersion : 5.10 (121)
ProductVersion : 5.10 (121)
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001, Roxio, Inc.
OriginalFilename : Directcd.exe

#:20 [capfax.exe]
ModuleName : C:\Program Files\PhoneTools\CapFax.EXE
Command Line : "C:\Program Files\PhoneTools\CapFax.EXE"
ProcessID : 1492
ThreadCreationTime : 2-24-2005 4:13:47 AM
BasePriority : Normal


#:21 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 1500
ThreadCreationTime : 2-24-2005 4:13:47 AM
BasePriority : Normal
FileVersion : 0.1.0.2879
ProductVersion : 0.1.0.2879
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2003
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:22 [ashdisp.exe]
ModuleName : C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Command Line : "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
ProcessID : 1520
ThreadCreationTime : 2-24-2005 4:13:48 AM
BasePriority : Normal
FileVersion : 4, 6, 585, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswDisp.exe

#:23 [psfree.exe]
ModuleName : C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
Command Line : "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
ProcessID : 1560
ThreadCreationTime : 2-24-2005 4:13:50 AM
BasePriority : Normal
FileVersion : 3, 1, 0, 1012
ProductVersion : 1, 0, 0, 1
ProductName : Pop-Up Stopper Free Edition
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
LegalCopyright : Copyright © 2002-2003
OriginalFilename : PSFree.exe

#:24 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k imgsvc
ProcessID : 1664
ThreadCreationTime : 2-24-2005 4:13:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [minimavis.exe]
ModuleName : C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
Command Line : "C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe" Main
ProcessID : 1672
ThreadCreationTime : 2-24-2005 4:13:54 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : Mavis Beacon Personal Coach v 2.0
CompanyName : TLC Education Properties LLC
FileDescription : Mavis Beacon Personal Coach v 2.0
InternalName : MINIMAVIS
LegalCopyright : Copyright © 2001 TLC Education Properties LLC
OriginalFilename : MiniMavis.exe

#:26 [12wash.exe]
ModuleName : C:\Program Files\12Ghosts\12wash.exe
Command Line : "c:\program files\12ghosts\12wash.exe" /s
ProcessID : 2032
ThreadCreationTime : 2-24-2005 4:14:06 AM
BasePriority : Normal


#:27 [ashwebsv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
ProcessID : 908
ThreadCreationTime : 2-24-2005 4:14:50 AM
BasePriority : Normal


#:28 [ashmaisv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
ProcessID : 1152
ThreadCreationTime : 2-24-2005 4:14:56 AM
BasePriority : Normal


#:29 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2368
ThreadCreationTime : 2-24-2005 4:16:35 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : version

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : ParentalLock

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Cert

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Wbm_dtc

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : update_script

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : upd_com_time

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : upd_com_time_between

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Destr

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access
Value : DisplayName

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access
Value : UninstallString

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

MRU List Object Recognized!
Location: : S-1-5-21-1482789601-2801439982-1300003180-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : C:\Documents and Settings\Owner\recent
Description : list of recently opened documents



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
25 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

EGroup Dialer Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Program Files\Instant Access

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 16

10:35:21 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:10.375
Objects scanned:115813
Objects identified:13
Objects ignored:0
New critical objects:13

Edited by Sabre3of4, 23 February 2005 - 11:50 PM.


#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 23 February 2005 - 11:49 PM

Hello Sabrina,

ran Avast before that and it found something called Kuang32. It's in the chest until you tell me to delete it.


By "in the chest", I assume you mean it is quarentined. I would leave it quarentined for several weeks, and if everything is running OK, then delete it.

When you delete it, You need to disable your System Restore, reboot Windows, then restart the System Restore. To disable system restore right click on the My Computer icon and choose Properties.  Click on the System Restore tab and put a check mark in the "Turn off System Restore" option.
All deleted files (even viruses) get put in the System regstore folder and Anti virus programs will detected them. After you have deleted it, run the Avast program again and see if it picks it up. Be sure to turn on System Restore.  

On the Teatimer I clicked off the spyware catchers but I also clicked off these two entrys:
HK_LM:Run Hot Key 9910 Daemon SK9910DM:exe
HK_LM:Run Quick Time Task C:\Program Files\Quicktime qttask.exe-at boot time
I just did the unclick, I didn't erase them. Are they good or bad? The info box said the Quicktime one was a parasite/virus. The other one has just lloked wrong for a long time.


They are good, that is, not malware. :thumbsup:
SK9910DM.exe is installed on mostly Gateway PCs, and allows configurations for the one-touch programmable keys on a gateway keyboard. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

qttask.exe (Quick Time) installs a tray bar icon which links to the Apple QuickTime video streaming tool. This program is a non-essential system process, and is installed for ease of use.

Next time the "celebrity secrets" popup occurs, do a rt click on it and tell me what it says. It may give me a clue as to the cause.
Are you surfing the internet when you are getting these popups?

While we are looking for the source of the popup, try a free utility from AnalogX called POW! that prevents popups. http://www.analogx.com/contents/download/network/pow.htm




It may be that it is coming thru Windows Messenger Service. Let's make sure it's disabled.. you don't need it and shouldn't have it running...

I'm assuming XP Home here


# Click Start-> Control Panel
# Click Performance and Maintenance
# Click Administrative Tools
# Double click Services
# Scroll down and highlight "Messenger"
# Right-click the highlighted line and choose Properties.
# Click the STOP button.
# Select Disable in the Startup Type scroll bar
# Click OK

Reboot and run another test drive to see if you get that pop up again

Your Adaware log file looks clean.

VX2 malware can cause unexplained popups, so download and run this tool :
VX2.BetterInternet Finder SP/2K http://www.subratam.org/?page=removal

Press 'Click to Find VX2.BetterInternet'.

If any files are found, please post a copy to this thread.

Edited by SifuMike, 24 February 2005 - 12:05 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Sabre3of4

Sabre3of4
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 24 February 2005 - 12:47 AM

Hello, SifuMike:)
OK, When I went to stop Messenger it was already turned off. I had turned it off a couple months ago because of the pop-up type you mentioned.
I did another Ad-Aware scan, this time from right after the computer finished cycling up and a bunch of EGDACCESS malware was found. That scan is below...
I ran the VX2 scanner and I don't think it found anything. That log is below the Ad-Aware one. I fixed the 9910 daemon and Quicktime things in Teatimer.
All of the pop-ups are back. They can come on at anytime. but it seems they only show up once each session when the computer is turned on or rebooted. Once someone clicks the upper right X, they are gone for that session.Mostly they show up when someone's online but my husband has had them show up while he's playing a game, no internet invlolved.
This is what came up when I right clicked properties for the last one that showed up:
C2.GIF
Protocol--Hypertext Transfer Protcol
Type--gif image
Http://media rapid-pass.net/fullpages/10kgames-gamesandfun/fullpage
size--1873 bytes
dimensions--97x72 pixels
created: 2/23/2005
modified:2/23/2005

I am sorry this is dragging on, thank you for helping:)
Sabrina



Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, February 23, 2005 10:25:11 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
EGroup Dialer(TAC index:5):13 total references
MRU List(TAC index:0):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R28 16.02.2005
Internal build : 33
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 411893 Bytes
Total size : 1300934 Bytes
Signature data size : 1271214 Bytes
Reference data size : 29208 Bytes
Signatures total : 36156
Fingerprints total : 620
Fingerprints size : 23479 Bytes
Target categories : 15
Target families : 632


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:21 %
Total physical memory:129328 kb
Available physical memory:26880 kb
Total page file size:312168 kb
Available on page file:150248 kb
Total virtual memory:2097024 kb
Available virtual memory:2042752 kb
OS:Microsoft Windows XP Home Edition (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-23-2005 10:25:11 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 360
ThreadCreationTime : 2-24-2005 4:13:34 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINNT\system32\csrss.exe
Command Line : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThre
ProcessID : 416
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 440
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : C:\WINNT\system32\services.exe
ProcessID : 484
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : C:\WINNT\system32\lsass.exe
ProcessID : 496
ThreadCreationTime : 2-24-2005 4:13:36 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost -k rpcss
ProcessID : 656
ThreadCreationTime : 2-24-2005 4:13:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k netsvcs
ProcessID : 680
ThreadCreationTime : 2-24-2005 4:13:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k NetworkService
ProcessID : 844
ThreadCreationTime : 2-24-2005 4:13:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k LocalService
ProcessID : 856
ThreadCreationTime : 2-24-2005 4:13:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
ModuleName : C:\WINNT\Explorer.EXE
Command Line : C:\WINNT\Explorer.EXE
ProcessID : 1020
ThreadCreationTime : 2-24-2005 4:13:40 AM
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [lexbces.exe]
ModuleName : C:\WINNT\system32\LEXBCES.EXE
Command Line : C:\WINNT\system32\LEXBCES.EXE
ProcessID : 1052
ThreadCreationTime : 2-24-2005 4:13:40 AM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : C:\WINNT\system32\spoolsv.exe
ProcessID : 1116
ThreadCreationTime : 2-24-2005 4:13:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
ModuleName : C:\WINNT\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 1124
ThreadCreationTime : 2-24-2005 4:13:41 AM
BasePriority : Normal


#:14 [packethsvc.exe]
ModuleName : C:\WINNT\System32\PackethSvc.exe
Command Line : C:\WINNT\System32\PackethSvc.exe
ProcessID : 1244
ThreadCreationTime : 2-24-2005 4:13:42 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 6
ProductVersion : 6, 0, 0, 6
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Virtual Adapter Service
InternalName : Virtual Adapter Service
LegalCopyright : Copyright © America Online, Inc. 1999 - 2001
OriginalFilename : PackethSvc.exe

#:15 [aswupdsv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
ProcessID : 1292
ThreadCreationTime : 2-24-2005 4:13:43 AM
BasePriority : Normal


#:16 [ashserv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashServ.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
ProcessID : 1364
ThreadCreationTime : 2-24-2005 4:13:44 AM
BasePriority : High
FileVersion : 4, 6, 602, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswServ.exe

#:17 [hkcmd.exe]
ModuleName : C:\WINNT\System32\hkcmd.exe
Command Line : "C:\WINNT\System32\hkcmd.exe"
ProcessID : 1404
ThreadCreationTime : 2-24-2005 4:13:45 AM
BasePriority : Normal
FileVersion : 3,0,0,1241
ProductVersion : 7,0,0,1241
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2001, Intel Corporation
OriginalFilename : HKCMD.EXE

#:18 [gwmdmmsg.exe]
ModuleName : C:\WINNT\GWMDMMSG.exe
Command Line : "C:\WINNT\GWMDMMSG.exe"
ProcessID : 1412
ThreadCreationTime : 2-24-2005 4:13:45 AM
BasePriority : Normal
FileVersion : 3.3.17 10/31/2001 20:10:32
ProductVersion : 3.3.17 10/31/2001 20:10:32
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © GTW 1998-2000
OriginalFilename : smdmstat.exe

#:19 [directcd.exe]
ModuleName : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Command Line : "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ProcessID : 1432
ThreadCreationTime : 2-24-2005 4:13:46 AM
BasePriority : Normal
FileVersion : 5.10 (121)
ProductVersion : 5.10 (121)
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001, Roxio, Inc.
OriginalFilename : Directcd.exe

#:20 [capfax.exe]
ModuleName : C:\Program Files\PhoneTools\CapFax.EXE
Command Line : "C:\Program Files\PhoneTools\CapFax.EXE"
ProcessID : 1492
ThreadCreationTime : 2-24-2005 4:13:47 AM
BasePriority : Normal


#:21 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 1500
ThreadCreationTime : 2-24-2005 4:13:47 AM
BasePriority : Normal
FileVersion : 0.1.0.2879
ProductVersion : 0.1.0.2879
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2003
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:22 [ashdisp.exe]
ModuleName : C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Command Line : "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
ProcessID : 1520
ThreadCreationTime : 2-24-2005 4:13:48 AM
BasePriority : Normal
FileVersion : 4, 6, 585, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswDisp.exe

#:23 [psfree.exe]
ModuleName : C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
Command Line : "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
ProcessID : 1560
ThreadCreationTime : 2-24-2005 4:13:50 AM
BasePriority : Normal
FileVersion : 3, 1, 0, 1012
ProductVersion : 1, 0, 0, 1
ProductName : Pop-Up Stopper Free Edition
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
LegalCopyright : Copyright © 2002-2003
OriginalFilename : PSFree.exe

#:24 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k imgsvc
ProcessID : 1664
ThreadCreationTime : 2-24-2005 4:13:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [minimavis.exe]
ModuleName : C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
Command Line : "C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe" Main
ProcessID : 1672
ThreadCreationTime : 2-24-2005 4:13:54 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : Mavis Beacon Personal Coach v 2.0
CompanyName : TLC Education Properties LLC
FileDescription : Mavis Beacon Personal Coach v 2.0
InternalName : MINIMAVIS
LegalCopyright : Copyright © 2001 TLC Education Properties LLC
OriginalFilename : MiniMavis.exe

#:26 [12wash.exe]
ModuleName : C:\Program Files\12Ghosts\12wash.exe
Command Line : "c:\program files\12ghosts\12wash.exe" /s
ProcessID : 2032
ThreadCreationTime : 2-24-2005 4:14:06 AM
BasePriority : Normal


#:27 [ashwebsv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
ProcessID : 908
ThreadCreationTime : 2-24-2005 4:14:50 AM
BasePriority : Normal


#:28 [ashmaisv.exe]
ModuleName : C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
Command Line : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
ProcessID : 1152
ThreadCreationTime : 2-24-2005 4:14:56 AM
BasePriority : Normal


#:29 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2368
ThreadCreationTime : 2-24-2005 4:16:35 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : version

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : ParentalLock

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Cert

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Wbm_dtc

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : update_script

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : upd_com_time

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : upd_com_time_between

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482789601-2801439982-1300003180-1003\software\egdhtml
Value : Destr

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access
Value : DisplayName

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\instant access
Value : UninstallString

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

MRU List Object Recognized!
Location: : S-1-5-21-1482789601-2801439982-1300003180-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : C:\Documents and Settings\Owner\recent
Description : list of recently opened documents



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
25 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

EGroup Dialer Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\Program Files\Instant Access

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 16

10:35:21 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:10.375
Objects scanned:115813
Objects identified:13
Objects ignored:0
New critical objects:13

VX2 Log:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:22 PM

Posted 24 February 2005 - 01:35 PM

Hello Sabrina,

Empty your Recycle Bin, as it may have some malware lurking.


One of you problems is that your IE needs updating. The older IE versions are full of holes that allow malware to enter.
Please go to
Microsoft's windows update site
and do all Critical Updates.

Also, a newer version of Service Pack (SP2) is available. Service Packs (SP2) increase the safety of your system. Visit Microsoft's windows update site
to download the newest version of the Service Pack (SP2). I do not recommend you install the firewall that comes with the Service Pack 2, as it is inferior to other free firewalls (like Sygate or ZoneAlarm).

You are using an old version of HijackThis. The newer version will show more information, and that may help me.
Please download the latest version of Hijackthis

Be sure to put HijackThis into its own folder, but not a temp folder. It won't save the backups if it is run from a temporary folder.

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have C:\HJT\ folder. Put your hijackthis.exe there.

Resubmit a new Hijackthis log.

I find no firewall on your system. I recommend you downoload the free Sygate Personal firewall http://smb.sygate.com/products/spf_standard.htm

Have you installed POW! as I asked you?

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Edited by SifuMike, 24 February 2005 - 01:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users