Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log smitfraud oneclicksearches


  • This topic is locked This topic is locked
12 replies to this topic

#1 ferris2

ferris2

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 28 July 2005 - 02:30 AM

I have been infected with smitfraud (I think). The symptoms are that when I boot up, a window comes up that says "Windows explorer has experienced a problem and needs to close ..." I can acknowledge this and keep working, but every time a new appplication is started (or a significant action in an existing application) the computer will freeze and I will need to acknowledge the message. After a time the desktop icons all disppear and a folder opens up containing them and I no longer get the error window.

My internet browser defaults to oneclicksearches.com and when I go to certain sites (microsoft.com for one) I am redirected straight away to oneclicksearches.

I have followed the instructions in a previous thread here but when I start in safe mode, the error window "Windows explorer has experienced a problem ..." comes up. I acknowledge it, the screen is redrawn and the error opens again. I cannot run smitrem or spybot or anything in safe mode.

Hope you can help! Thanks in advance. Ferris2

I have Windows XP Home (SP 1a I think) and have tried running Spybot, Adaware, smitrem, Hijackthis, CWShredder, FixIstBar and PCCillin in various orders. Here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 5:26:09 PM, on 28/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ersr\rttt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
C:\Documents and Settings\Michael\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp256A.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tuom] C:\Program Files\ersr\rttt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120625731500
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2038953_disk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\lib\LicenseServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 28 July 2005 - 03:51 PM

Hello ferris2 and welcome to the BC malware forum. Unfortunately, we will need to get into Safe Mode to remove smitfraud. For now, let's use a different scanner and see what it turns up and if we can't get the computer to work prperly in Safe Mode.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Try running it in Safe Mode as described below and if you can't get it to run then just run it in Normal mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 28 July 2005 - 11:34 PM

Thanks so much OT

It was difficult to get the program running in Safe Mode, but I did some fancy clicking and managed it. He is the log.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 28/07/2005 12:32:32 AM 14336 C:\WINDOWS\q2038953_disk.dll

Checking %System% folder...
UPX! 22/06/2000 11:20:42 PM 100864 C:\WINDOWS\SYSTEM32\acrypt32.ocx
PEC2 31/03/2003 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 28/07/2005 3:51:30 PM 6144 C:\WINDOWS\SYSTEM32\intell32.exe
Umonitor 31/03/2003 10:00:00 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 31/03/2003 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 3/03/2005 5:37:16 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 3/03/2005 5:37:16 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Checking the Windows folder for system and hidden files within the last 60 days...
29/07/2005 2:07:18 PM 54156 C:\WINDOWS\QTFont.qfn
30/06/2005 1:31:48 AM 401408 C:\WINDOWS\system32\d?xplore.exe
28/07/2005 11:37:52 AM 22660 C:\WINDOWS\system32\FFASTLOG.TXT
29/07/2005 2:14:00 PM 8192 C:\WINDOWS\system32\config\default.LOG
29/07/2005 2:14:26 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
29/07/2005 2:14:08 PM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
29/07/2005 2:15:14 PM 73728 C:\WINDOWS\system32\config\software.LOG
29/07/2005 2:14:08 PM 835584 C:\WINDOWS\system32\config\system.LOG
28/07/2005 3:38:14 PM 0 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
28/07/2005 1:13:40 PM 2700 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
26/06/2005 1:46:32 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76210145-206b-43e2-b07a-ed7393988dd0
26/06/2005 1:46:32 AM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
29/07/2005 2:13:20 PM 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/04/2005 5:36:20 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
30/06/2004 9:06:18 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/07/2004 11:43:38 PM 0 C:\Documents and Settings\Michael\Application Data\dm.ini

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ChangeIcon
{C912EFA0-0076-11d5-B04A-BD6C80DF2479} = C:\Program Files\IconChanger\IconChng.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\wodShellMenu
{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93} = C:\WINDOWS\System32\wodShellMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2003\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ChangeIcon
{C912EFA0-0076-11d5-B04A-BD6C80DF2479} = C:\Program Files\IconChanger\IconChng.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\wodShellMenu
{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93} = C:\WINDOWS\System32\wodShellMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2003\Tmdshell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
= C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan SOUNDMAN.EXE
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CARPService carpserv.exe
FLMOFFICE4DMOUSE C:\Program Files\Browser MOUSE\mouse32a.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
intell32.exe C:\WINDOWS\System32\intell32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
Tuom C:\Program Files\ersr\rttt.exe
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
paint.exe shnlog.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2
= C:\WINDOWS\q2038953_disk.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.


Thanks again for such a prompt response.

F2

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 29 July 2005 - 11:27 AM

Hi ferris2. Let's dump some of these files and then see if we can't get things running a bit better. Please print these directions and then proceed with the following steps in order.

Step #1
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\SYSTEM32\intell32.exe
      C:\WINDOWS\System32\intell32.exe
      C:\Program Files\ersr\
      C:\WINDOWS\System32\shnlog.exe
      C:\WINDOWS\q2038953_disk.dll
      C:\WINDOWS\System32\hp256A.tmp
      C:\Program Files\Media Gateway\
      C:\DOCUME~1\User\LOCALS~1\Temp\hpdj.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • If not greyed out click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
Step #2

After your system reboots, open Notepad and copy/paste the text in the quotebox below into the new document[/list]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"paint.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2]
[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]


Save the document to your desktop as fix.reg and close Notepad. Locate the fix.reg file on your desktop and right-click on it
Choose Merge from the popup menu and answer Yes or Ok to any further prompts

Step #3

Important
Your copy of HijackThis needs to be in a folder of it's own. If it is run from Temporary folders the backups and HijackThis itself could be accidentally deleted if the Temporary folders are cleaned. If it is run from the desktop then the backup files and folders can clutter up the desktop and be accidentally deleted. If it is run from inside a compressed file then the backups are not created at all.
  • Please open My Computer
  • Double-click on Local Disk (C:)
  • Click on the File menu, point to New and then click on Folder. Name the folder 'HijackThis' or 'HJT'.
  • Unzip to or copy and paste HijackThis.exe to the new folder (do not run HijackThis directly out of the sfx or compressed file).
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp256A.tmp
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [Tuom] C:\Program Files\ersr\rttt.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2038953_disk.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\hpdj.exe (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Reboot and post a new HijackThis log along with a new WinPFind log.

I will review the new information when it comes in.

OT

Edited by OldTimer, 29 July 2005 - 11:29 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 29 July 2005 - 07:35 PM

Sorry OT, fell at the first hurdle.

Dowloaded and ran Killbox OK, but when I tried to paste the listed files as described, I came apart...

C:\WINDOWS\System32\shnlog.exe would not paste, I searched and I cannot find this file in this directory.

C:\WINDOWS\System32\hp256A.tmp also would not paste.

C:\Program Files\Media Gateway\ would not paste (and appears to be a directory).

SHould I just proceed with the files that would paste from clipboard?

Thanks

F2

#6 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 29 July 2005 - 08:13 PM

In the end I decided to go forward, even though some of the files couldn't be pasted to Killbox.

Fixed the fegistry as descibed. Ran HJT. Very few of the listed entries were there (only four in fact). I Fixed those ones.

Here are the log files as requested. (I should add that the computer shows none of the original symptoms. It seems to be normal, except that the browser shows "about:blank" as the homepage... this could be because no default homepage is set. I don't know).

Logfile of HijackThis v1.99.1
Scan saved at 11:02:25 AM, on 30/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Trend Micro\PC-cillin

2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin

2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin

2003\Pop3trap.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works

Shared\wkcalrem.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard -

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor -

{B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN -

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program

Files\MSN Apps\MSN

Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google -

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI

Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program

Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft

Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio]

C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection]

C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program

Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program

Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program

Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program

Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program

Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

-startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program

Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE]

C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program

Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar

Reminders.lnk = ?
O8 - Extra context menu item: &Google Search -

res://c:\program

files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links -

res://c:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program

files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages -

res://c:\program

files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -

res://c:\program

files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor -

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Researcher -

{9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program

Files\Common Files\Microsoft Shared\Reference

2001\EROProj.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls

/en/x86/client/wuweb_site.cab?1120625731500
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cepstral License Server - Cepstral, LLC

- C:\Program Files\Cepstral\lib\LicenseServer.exe
O23 - Service: ewido security suite control - ewido

networks - C:\Program Files\ewido\security

suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple

Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown

owner - C:\Program Files\Netropa\Multimedia

Keyboard\nhksrv.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) -

Trend Micro Incorporated. - C:\Program Files\Trend

Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) -

Trend Micro Incorporated. - C:\Program Files\Trend

Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) -

Trend Micro Incorporated. - C:\Program Files\Trend

Micro\PC-cillin 2003\tmproxy.exe

---------------------------------------------------------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 22/06/2000 11:20:42 PM 100864 C:\WINDOWS\SYSTEM32\acrypt32.ocx
PEC2 31/03/2003 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 31/03/2003 10:00:00 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 31/03/2003 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 3/03/2005 5:37:16 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 3/03/2005 5:37:16 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Checking the Windows folder for system and hidden files within the last 60 days...
30/07/2005 11:01:40 AM 54156 C:\WINDOWS\QTFont.qfn
30/06/2005 1:31:48 AM 401408 C:\WINDOWS\system32\d?xplore.exe
28/07/2005 11:37:52 AM 22660 C:\WINDOWS\system32\FFASTLOG.TXT
30/07/2005 11:01:54 AM 1024 C:\WINDOWS\system32\config\default.LOG
30/07/2005 11:01:34 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
30/07/2005 11:01:56 AM 1024 C:\WINDOWS\system32\config\SECURITY.LOG
30/07/2005 11:06:48 AM 1024 C:\WINDOWS\system32\config\software.LOG
30/07/2005 11:02:20 AM 1024 C:\WINDOWS\system32\config\system.LOG
28/07/2005 3:38:14 PM 0 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
28/07/2005 1:13:40 PM 2700 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
26/06/2005 1:46:32 AM 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76210145-206b-43e2-b07a-ed7393988dd0
26/06/2005 1:46:32 AM 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
30/07/2005 11:01:28 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/04/2005 5:36:20 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
30/06/2004 9:06:18 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
2/07/2004 11:43:38 PM 0 C:\Documents and Settings\Michael\Application Data\dm.ini

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ChangeIcon
{C912EFA0-0076-11d5-B04A-BD6C80DF2479} = C:\Program Files\IconChanger\IconChng.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\wodShellMenu
{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93} = C:\WINDOWS\System32\wodShellMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2003\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ChangeIcon
{C912EFA0-0076-11d5-B04A-BD6C80DF2479} = C:\Program Files\IconChanger\IconChng.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\wodShellMenu
{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93} = C:\WINDOWS\System32\wodShellMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2003\Tmdshell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
= C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan SOUNDMAN.EXE
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CARPService carpserv.exe
FLMOFFICE4DMOUSE C:\Program Files\Browser MOUSE\mouse32a.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.



Thanks again for all your help OT.

F2

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 30 July 2005 - 09:39 AM

Hi ferris2. The HijackThis log looks clean. Good job! How are things running? Any more problems?

That's Ok that some of the files did not past into Killbox. It means that they were done already.

The WinPFind log looks good except for 1 file. Look for this file and if you find it delete it:C:\WINDOWS\system32\d?xplore.exe
The 2nd character ccan be anything but the date will be 30/06/2005 1:31:48 AM and the size will be 401408 bytes.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good firewall and a good antivirus application intalled and running. It is important to have both to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 30 July 2005 - 07:57 PM

Thanks Oldtimer.

Couldn't find that file in the Windows\System32 directory. Did everything else. The computer is running perfectly. The only problem (and there are no symptoms yet) is that Spybot S&D still finds 43 instances of smitfraud.c when it scans, also after the prompted reboot. I have tried the smitrem prog (recommended in another forum I read somewhere).

Thanks again for your wisdom,

F2

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 31 July 2005 - 12:43 AM

Hi ferris2. Can you post the Spybot log back here so I can take a look at it?

Thanks.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 31 July 2005 - 03:40 AM

OK, It's pretty big.

Tks

F2

--- Search result list ---
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\20x2p.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bin.wordsx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dl.ad-ware.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\e-finder.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ewizard.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bleep-bleep.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ga31.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greg-tut.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\love-catalog.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\meetyourfriend.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\new.8ad.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.remove.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s2.kav.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\t34rulit.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terra.hcworld.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\toprefsys.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracking.allposters.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u45.cx\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u46.cx\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u47.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\u48.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\v-224.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\veryeasysearch.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webpidor.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.6o9.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-1935655697-1177238915-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-07-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-29 Includes\Dialer.sbi (*)
2005-07-29 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-07-29 Includes\Malware.sbi (*)
2005-07-22 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-07-29 Includes\Security.sbi (*)
2005-07-29 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-07-29 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP1: Windows XP Service Pack 1a
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823980
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB826939
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833407
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB837001
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q819696
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB898461)


--- Startup entries list ---
Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 1a354e0e24dfb2eae12133869c6345d2

Located: HK_LM:Run, CARPService
command: carpserv.exe
file: C:\WINDOWS\system32\carpserv.exe
size: 4608
MD5: 045acf1ef20ef4b62697104d97606e04

Located: HK_LM:Run, FLMOFFICE4DMOUSE
command: C:\Program Files\Browser MOUSE\mouse32a.exe
file: C:\Program Files\Browser MOUSE\mouse32a.exe
size: 360448
MD5: cedfd232c48ada2dd0af629c9f4ed4d4

Located: HK_LM:Run, IntelliType
command: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
file: C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
size: 94208
MD5: b5eca5948d7f8eaa00333231f33ea31a

Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
size: 221184
MD5: b491d97e6c8d2fbc38aae0fe39b87cd8

Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: d2aeadfd998706b4216315b2bd3fa79e

Located: HK_LM:Run, iTunesHelper
command: C:\Program Files\iTunes\iTunesHelper.exe
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 286720
MD5: 82558e875613be9e94458f32a03d0ab3

Located: HK_LM:Run, Microsoft Works Portfolio
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
file:

Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Microsoft Works\WkDetect.exe
file: C:\Program Files\Microsoft Works\WkDetect.exe
size: 28739
MD5: 3141750fad211c6dadf7c2dc2ec74da8

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, PCCClient.exe
command: "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
file: C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
size: 725064
MD5: 63200165f5b4f7d6974ae34f2219addc

Located: HK_LM:Run, pccguide.exe
command: "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
file: C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
size: 647238
MD5: 458e3337f9db26f4e100b8c6ce301f1b

Located: HK_LM:Run, Pop3trap.exe
command: "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
file: C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
size: 565318
MD5: 85ada69950a8772e98522fb47dd8a4d8

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: 5d22b4258489575412f6d18affc847a2

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 64512
MD5: 4fabf174e6c17ddbd5c111f232a4ca41

Located: HK_LM:Run, WorksFUD
command: C:\Program Files\Microsoft Works\wkfud.exe
file: C:\Program Files\Microsoft Works\wkfud.exe
size: 24576
MD5: 9d05d00e8631b7874d164d6dedd6d801

Located: HK_LM:RunOnce, SpybotSnD
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09ca174a605b480318731e691dc98539

Located: HK_CU:Run, CTFMON.EXE
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 414de7cf9d3f19c3ea902f1bb38ec116

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (common), Microsoft Works Calendar Reminders.lnk
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
MD5: 7084b58a098d2f83b304832251a8c6a8

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} ()
BHO name:
CLSID name:



--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwa...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 30/06/2004 9:08:18 AM
Date (last access): 5/07/2005 12:55:06 AM
Date (last write): 9/09/2004 2:45:18 PM
Filesize: 54488
Attributes: archive
MD5: 12EF836DCCCDD0211F3E09D72812B9C6
CRC32: 8038F1E1
Version: 10.1.0.11

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/...b?1120625731500
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 26/05/2005 4:19:32 AM
Date (last access): 30/07/2005 8:09:22 PM
Date (last write): 26/05/2005 4:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469



--- Process list ---
PID: 0 ( 0) [System]
PID: 552 ( 4) \SystemRoot\System32\smss.exe
PID: 608 ( 552) \??\C:\WINDOWS\system32\csrss.exe
PID: 632 ( 552) \??\C:\WINDOWS\system32\winlogon.exe
PID: 676 ( 632) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
PID: 688 ( 632) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: B2B6BA905D0E3F8A32A0EB3B4051807B
PID: 880 ( 676) C:\WINDOWS\System32\Ati2evxx.exe
size: 376832
MD5: C8A62F6C8040A06423844464EDBB9703
PID: 908 ( 676) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1012 ( 676) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1200 ( 676) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1232 ( 676) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1408 ( 676) C:\WINDOWS\system32\spoolsv.exe
size: 51200
MD5: 9B4155BA58192D4073082B8FC5D42612
PID: 1528 ( 676) C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
size: 28672
MD5: 522215532916836B9CA19EE30658F3C1
PID: 1652 ( 676) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1736 ( 676) C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
size: 208896
MD5: 71511A6E44D15345A17D96756A65ED03
PID: 1880 ( 676) C:\WINDOWS\System32\wdfmgr.exe
size: 38912
MD5: C81B8635DEE0D3EF5F64B3DD643023A5
PID: 1976 ( 676) C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
size: 278598
MD5: E0E797AAF30FF0828428F11DB6FFC15A
PID: 304 ( 676) C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
size: 647234
MD5: 9346FD3512C08EED062B8C3FF9049D61
PID: 1176 ( 632) C:\WINDOWS\system32\Ati2evxx.exe
size: 376832
MD5: C8A62F6C8040A06423844464EDBB9703
PID: 1300 (1272) C:\WINDOWS\Explorer.EXE
size: 1004032
MD5: A82B28BFC2E4455FE43022A498C0EF0A
PID: 232 (1300) C:\WINDOWS\SOUNDMAN.EXE
size: 64512
MD5: 4FABF174E6C17DDBD5C111F232A4CA41
PID: 252 (1300) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 1A354E0E24DFB2EAE12133869C6345D2
PID: 348 (1300) C:\WINDOWS\System32\carpserv.exe
size: 4608
MD5: 045ACF1EF20EF4B62697104D97606E04
PID: 1548 (1300) C:\Program Files\Browser MOUSE\mouse32a.exe
size: 360448
MD5: CEDFD232C48ADA2DD0AF629C9F4ED4D4
PID: 1044 (1300) C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
size: 647238
MD5: 458E3337F9DB26F4E100B8C6CE301F1B
PID: 1164 (1300) C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
size: 725064
MD5: 63200165F5B4F7D6974AE34F2219ADDC
PID: 1316 (1300) C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
size: 565318
MD5: 85ADA69950A8772E98522FB47DD8A4D8
PID: 1184 (1300) C:\Program Files\iTunes\iTunesHelper.exe
size: 286720
MD5: 82558E875613BE9E94458F32A03D0AB3
PID: 1156 (1300) C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: 5D22B4258489575412F6D18AFFC847A2
PID: 1248 (1300) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
size: 94208
MD5: B5ECA5948D7F8EAA00333231F33EA31A
PID: 1952 (1300) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: D2AEADFD998706B4216315B2BD3FA79E
PID: 2052 ( 676) C:\Program Files\iPod\bin\iPodService.exe
size: 401408
MD5: 5098D9C342CBA50CE16006086E919040
PID: 2056 (1300) C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 414DE7CF9D3F19C3EA902F1BB38EC116
PID: 2132 (1300) C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
size: 24633
MD5: 7084B58A098D2F83B304832251A8C6A8
PID: 3724 (1300) C:\Program Files\Outlook Express\msimn.exe
size: 56832
MD5: 99AB67FE6ACB8EAF529636890709341A
PID: 2680 (1300) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 31/07/2005 6:36:37 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://en.wikipedia.org/wiki/Main_Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---


--- Uninstall list ---
ABBYY FineReader 4.0 Sprint (ABBYY FineReader 4.0 Sprint)
uninstall cmd: C:\WINDOWS\bitdeins.exe C:\PROGRA~1\ABBYYF~1.0SP\bitdeins.ini

Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

Adobe Download Manager 1.2 (Remove Only) (AdobeESD)
uninstall cmd: "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

ATI - Software Uninstall Utility 6.14.10.1005 (All ATI Software)
uninstall cmd: C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

Applet Effects Factory (Applet Effects Factory)
uninstall cmd: C:\PROGRA~1\APPLET~1\UNWISE.EXE C:\PROGRA~1\APPLET~1\INSTALL.LOG

Applet Navigation Factory (Applet Navigation Factory)
uninstall cmd: C:\PROGRA~1\APPLET~1.0\UNWISE.EXE C:\PROGRA~1\APPLET~1.0\INSTALL.LOG

ATI Display Driver 7.94-030917m-011435C-ATI (ATI Display Driver)
uninstall cmd: rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

(Branding)

Browser MOUSE (Browser MOUSE)
uninstall cmd: C:\Program Files\Browser MOUSE\uninst00.exe

Camtasia 3.0 (Camtasia)
version (major): 3
install location: C:\Program Files\TechSmith\Camtasia
install source: D:\camtasia
uninstall cmd: C:\Program Files\TechSmith\Camtasia\CTuninst.EXE
publisher: TechSmith Corporation
comments: Thank you for using Camtasia!
contact: Camtasia@techsmith.com
help link: http://www.techsmith.com/techsupp

Camtasia Screen Recorder SDK 1.0 1.0 (Camtasia Screen Recorder SDK 1.0)
version (major): 1
install location: C:\Program Files\TechSmith\Camtasia Screen Recorder SDK 1.0
install source: C:\Documents and Settings\Michael\Desktop
uninstall cmd: C:\PROGRA~1\TECHSM~1\CAMTAS~1.0\UNWISE.EXE /U C:\PROGRA~1\TECHSM~1\CAMTAS~1.0\INSTALL.LOG
publisher: TechSmith Corporation
contact: support@techsmith.com
help link: http://www.techsmith.com/techsupp

Camtasia Studio 1.0 (Camtasia Studio)
version (major): 1
install location: C:\Program Files\TechSmith\Camtasia Studio
install source: C:\Documents and Settings\Michael\Desktop
uninstall cmd: C:\Program Files\TechSmith\Camtasia Studio\CSuninst.EXE
publisher: TechSmith Corporation
comments: Thank you for using Camtasia Studio!
contact: CamtasiaStudio@techsmith.com
help link: http://www.techsmith.com/techsupp

Camtasia Studio 2 2.1 (Camtasia Studio 2)
version (major): 2
version (minor): 1
install location: C:\Program Files\TechSmith\Camtasia Studio 2
install source: C:\DOCUME~1\Michael\Desktop
uninstall cmd: C:\Program Files\TechSmith\Camtasia Studio 2\CSuninst.EXE
publisher: TechSmith Corporation
contact: CamtasiaStudio@techsmith.com
help link: http://www.techsmith.com/techsupp

CleanUp! (CleanUp!)
uninstall cmd: C:\Program Files\CleanUp!\uninstall.exe

D-Link DFM-562IS HSFi PCI Modem (CNXT_MODEM_PCI_VEN_14F1&DEV_2F00)
uninstall cmd: C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F00\HXFSETUP.EXE -U -IUCRCST5.inf

CoffeeCup Image Mapper++ (CoffeeCup)
uninstall cmd: C:\WINDOWS\iun3405.exe C:\Program Files\CoffeeCup Software\Image Mapper

CoffeeCup Direct FTP 5.2 5.2.0.0 (CoffeeCup Direct FTP 5.2)
uninstall cmd: C:\PROGRA~1\COFFEE~1\DIRECT~1.2\UNWISE.EXE C:\PROGRA~1\COFFEE~1\DIRECT~1.2\INSTALL.LOG
publisher: CoffeeCup Software
comments: Registered
contact: CoffeeCup Software Support Team
help link: http://www.coffeecup.com
help telephone: 361-887-7778

CoffeeCup Firestarter (CoffeeCup Firestarter)
uninstall cmd: C:\PROGRA~1\COFFEE~1\FIREST~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\FIREST~1\INSTALL.LOG

CoffeeCup HTML Editor (CoffeeCup HTML Editor)
uninstall cmd: C:\PROGRA~1\COFFEE~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\INSTALL.LOG

CoffeeCup StyleSheet Maker (CoffeeCup StyleSheet Maker)
uninstall cmd: C:\PROGRA~1\COFFEE~1\STYLES~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\STYLES~1\INSTALL.LOG

(Connection Manager)

Copier 2.0 (Copier 2.0)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Copier 2.0\Uninst.isu"

DeleD 3D Editor 1.0 LITE (DeleD 3D Editor_is1)
install location: C:\Program Files\DeleD\
uninstall cmd: "C:\Program Files\DeleD\unins000.exe"
publisher: The Delgine Team
help link: http://www.delgine.com/forum

(DirectAnimation)

(DirectDrawEx)

DubIt 2.0 (DubIt)
version (major): 2
install location: C:\Program Files\TechSmith\DubIt
install source: D:\Dubit
uninstall cmd: C:\Program Files\TechSmith\DubIt\DIuninst.EXE
publisher: TechSmith Corporation
comments: Thank you for using DubIt!
contact: DubIt@techsmith.com
help link: http://www.techsmith.com/techsupp

(DXM_Runtime)

Easy Graphics File Converter 4.16 (Easy Graphics File Converter 4.16_is1)
uninstall cmd: "C:\Program Files\Hermetic Systems\egfc416\unins000.exe"
publisher: Hermetic Systems

Enable S3 for USB Device (Enable S3 for USB Device)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"

FoneSync (FoneSync)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FoneSync\Uninst.isu" -c"C:\Program Files\FoneSync\UninstSupport.dll"

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

hp deskjet 5100 series (hp deskjet 5100 series_Driver)
uninstall cmd: rundll32 hpzcon08.dll,VendorJettison hp deskjet 5100 series

IconXP (IconXP)
uninstall cmd: C:\Program Files\IconXP\uninstall.exe

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

Internet Explorer Q832894 (ieupdate)
uninstall cmd: C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q832894.inf

(InstallShield Uninstall Information)

iTunes 4.6.0.15 (InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD})
version: 67502080
version (major): 4
version (minor): 6
estimated size: 12470
install date: 20040812
install location: C:\Program Files\iTunes\
install source: C:\WINDOWS\Downloaded Installations\{DD65880B-0030-4FED-90EF-4420BB7AF96C}\
uninstall cmd: C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{00FC6799-866E-44A1-A60C-DCF394CF56FD}
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Doom 3 1.00.0000 (InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A})
version: 16777216
version (major): 1
estimated size: 1524884
install date: 20040925
install location: C:\Program Files\Doom 3\
install source: D:\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
publisher: Activision
help link: http://activision.custhelp.com

Windows XP Hotfix - KB823182 20030724.164017 (KB823182)
uninstall cmd: C:\WINDOWS\$NtUninstallKB823182$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823182

Windows XP Hotfix - KB824105 20030724.164839 (KB824105)
uninstall cmd: C:\WINDOWS\$NtUninstallKB824105$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824105

Windows XP Hotfix - KB824141 20030925.103600 (KB824141)
uninstall cmd: C:\WINDOWS\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141

Windows XP Hotfix - KB825119 20030828.113916 (KB825119)
uninstall cmd: C:\WINDOWS\$NtUninstallKB825119$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=825119

Windows XP Hotfix - KB826939 20030902.222348 (KB826939)
uninstall cmd: C:\WINDOWS\$NtUninstallKB826939$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=826939

Windows XP Hotfix - KB828035 20031021.165228 (KB828035)
uninstall cmd: C:\WINDOWS\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035

Windows XP Hotfix - KB828741 20040305.182309 (KB828741)
uninstall cmd: C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828741

Windows XP Hotfix - KB833407 20040119.115651 (KB833407)
uninstall cmd: C:\WINDOWS\$NtUninstallKB833407$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=833407

Windows XP Hotfix - KB835732 20040329.175541 (KB835732)
uninstall cmd: C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=835732

Windows XP Hotfix - KB837001 20040317.230926 (KB837001)
uninstall cmd: C:\WINDOWS\$NtUninstallKB837001$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=837001

Windows XP Hotfix - KB840374 20040416.100205 (KB840374)
uninstall cmd: C:\WINDOWS\$NtUninstallKB840374$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=840374

Windows XP Hotfix - KB842773 20040805.140010 (KB842773)
uninstall cmd: C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=842773

(KB884016)

(KB893803)

Windows Installer 3.1 (KB893803) 3.1 (KB893803v2)
uninstall cmd: "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467

Update for Windows XP (KB898461) 1 (KB898461)
uninstall cmd: "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=898461

Macromedia Shockwave Player (Macromedia Shockwave Player)
uninstall cmd: C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log

Bennet-Tec MetaDraw 3 ActiveX Control (MetaDraw 3)
uninstall cmd: "C:\Program Files\Bennet-Tec\MetaDraw 3\UNWISE32.EXE" C:\PROGRA~1\BENNET~1\METADR~1\INSTALL.LOG

MFader ActiveX Control Demo 1.1 (MFader ActiveX Control Demo_is1)
uninstall cmd: "C:\Program Files\MFader ActiveX Control Demo\unins000.exe"
publisher: AncientSoft Co.
help link: http://www.ancientsoft.com

(Microsoft NetShow Player 2.0)

mIRC (mIRC)
uninstall cmd: "C:\Program Files\mIRC\mirc.exe" -uninstall

(MobileOptionPack)

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(MsJavaVM)

MSN Toolbar (MSN Toolbar)
uninstall cmd: C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\mtbs.exe c

MSN Add-in for Windows Messenger (MSNEXT)
uninstall cmd: rundll32.exe "C:\Program Files\Messenger\MSGSC.dll",UnregisterMSNExt

Nero OEM (Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NeroVision Express 2 (NeroVision!UninstallKey)
uninstall cmd: C:\WINDOWS\UNNeroVision.exe /UNINSTALL

(NetMeeting)

Nero Media Player (NMPUninstallKey)
uninstall cmd: C:\WINDOWS\UNNMP.exe /UNINSTALL

Outlook Express Q837009 (oeupdate)
uninstall cmd: C:\WINDOWS\oeuninst.exe C:\WINDOWS\INF\Q837009.inf

Microsoft Office 97, Professional Edition (Office8.0)
uninstall cmd: C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF

OIN 1.0 (OIN)
install location: C:\WINDOWS\Downloaded Program Files
uninstall cmd: C:\WINDOWS\System32\shex.exe open http://www.outerinfo.com/questionnaire.php
publisher: OuterInfo Network

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Windows XP Hotfix (SP2) Q819696 20030513.102848 (Q819696)
uninstall cmd: C:\WINDOWS\$NtUninstallQ819696$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=819696

QuickTime (QuickTime)
uninstall cmd: C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log

ScanButton 2.1 (ScanButton 2.1)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanButton 2.1\Uninst.isu"

(SchedulingAgent)

Shockwave (Shockwave)
uninstall cmd: C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG

(ShockwaveFlash)

Sibelius 2 (Sibelius 2)
uninstall cmd: C:\PROGRA~1\SIBELI~1\SIBELI~1\UNWISE.EXE C:\PROGRA~1\SIBELI~1\SIBELI~1\INSTALL.LOG

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

SWiSHmax (SWiSHmax)
uninstall cmd: C:\WINDOWS\unvise32.exe C:\Program Files\SWiSHmax\uninstal.log

Microsoft Visual Basic 6.0 Learning Edition (Visual Basic 6.0 Learning Edition)
uninstall cmd: "C:\Program Files\Microsoft Visual Studio\VB98\Setup\1033\Setup.exe"

Microsoft Visual Studio Installer (Visual Studio Installer)
uninstall cmd: "C:\Program Files\Microsoft Visual Studio\Common\Tools\VSInst\Setup\1033\Setup.exe"

Microsoft Web Publishing Wizard 1.53 (WebPost)
uninstall cmd: RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall

Windows Media Format Runtime (Windows Media Format Runtime)
uninstall cmd: "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10 (Windows Media Player)
uninstall cmd: "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows XP Service Pack 1a (Windows XP Service Pack)
uninstall cmd: C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe

Microsoft Works 2001 Setup Launcher (Works2001Setup)
uninstall cmd: C:\Program Files\Microsoft Works Suite 2001\Setup\Launcher.exe D:\
help link: http://support.microsoft.com/support/works

WIBU-KEY Setup (WIBU-KEY Remove) Version 4.10 of 2004-May-18 (Setup) ({00060000-0000-1004-8002-0000C06B5161})
version (major): 4
version (minor): 10
install date: 24.07.2005
install location: C:\Program Files\WIBUKEY
install source: C:\WIBU\RunTime\FULL\US
uninstall cmd: C:\Program Files\WIBUKEY\Setup\Setup32.exe /R:{00060000-0000-1004-8002-0000C06B5161}
publisher: WIBU-SYSTEMS AG
help link: http://www.wibu.com

Microsoft Word 2000 SR-1 9.00.3821 ({00170409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 73920
install date: 20040630
install source: D:\MSWord\
uninstall cmd: MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt

iTunes 4.6.0.15 ({00FC6799-866E-44A1-A60C-DCF394CF56FD})
version: 67502080
version (major): 4
version (minor): 6
estimated size: 12470
install date: 20040812
install location: C:\Program Files\iTunes\
install source: C:\WINDOWS\Downloaded Installations\{DD65880B-0030-4FED-90EF-4420BB7AF96C}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Diamond View V4.08 ({01000A03-E058-11D3-9C13-0000E220DC33})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01000A03-E058-11D3-9C13-0000E220DC33}\Setup.exe" -uninst

Microsoft Encarta World Atlas 2001 - WE 2001 ({02400202-5D65-445A-B3B4-3DCE72BA0C6C})
version (major): 2001
version (minor): 2001
estimated size: 42911
install date: 20040630
install source: D:\
uninstall cmd: MsiExec.exe /I{02400202-5D65-445A-B3B4-3DCE72BA0C6C}
publisher: Microsoft Encarta

ATI Control Panel 6.14.10.5046 ({0BEDBD4E-2D34-47B5-9973-57E62B29307C})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"

WIBU-KEY DevKit 4.10 4.10.5.0 ({0CE565E4-2398-43D5-8929-C872DE5A49C3})
version: 67764229
version (major): 4
version (minor): 10
estimated size: 17188
install date: 20050106
install source: D:\DevKit\
uninstall cmd: MsiExec.exe /I{0CE565E4-2398-43D5-8929-C872DE5A49C3}
publisher: WIBU-SYSTEMS AG
contact: mailto:support@wibu.com
help telephone: +49-721-93172-0

Adobe Photoshop Album 2.0 Starter Edition 2.00.000 ({11B569C2-4BF6-4ED0-9D17-A4273943CB24})
version: 33554432
version (major): 2
estimated size: 15907
install date: 20041003
install source: C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55}\
uninstall cmd: MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
publisher: Adobe Systems, Inc.
readme: C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\readme.txt

Microsoft Picture It! Publishing 2001 5.0.0.0000 ({15D9EB74-998E-4A04-B468-51C2E7B32182})
version: 83886080
version (major): 5
estimated size: 328246
install date: 20040630
install source: D:\pip\
uninstall cmd: MsiExec.exe /I{15D9EB74-998E-4A04-B468-51C2E7B32182}
publisher: Microsoft
comments: Microsoft Picture It! Publishing 2001
help link: http://www.microsoft.com/uk/default.asp
readme: Readme.txt

Office Keyboard ({22264E8C-A5BF-4BEE-BB09-EFBC8AB1231C})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22264E8C-A5BF-4BEE-BB09-EFBC8AB1231C}\Setup.exe" -l0x9

D-Link DSL-302G Ethernet Diagnostics and USB Driver ({22C0B7CF-4BAD-4FD6-9085-FC2E1A6D5861})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22C0B7CF-4BAD-4FD6-9085-FC2E1A6D5861}\Setup.exe"

Google Toolbar for Internet Explorer ({2318C2B1-4965-11d4-9B18-009027A5CD4F})
uninstall cmd: regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

InstallShield X Express Edition 10.00.0142 ({2B4F800C-FA4E-42D9-93D3-C3DC4A4FCAB7})
version: 167772302
version (major): 10
estimated size: 303759
install date: 20050731
install source: C:\WINDOWS\Downloaded Installations\{E96420B1-74C5-48A8-8F98-5A9569694B01}\
uninstall cmd: MsiExec.exe /I{2B4F800C-FA4E-42D9-93D3-C3DC4A4FCAB7}
publisher: InstallShield Software Corp.
comments: InstallShield Software Corp.
contact: Customer Support Department
help link: http://support.installshield.com/contact/req_sup.asp
help telephone: 1-847-619-2269
readme: http://www.installshield.com/isx/

Avery DesignPro ({2CC982C0-7EAE-11D4-ACC3-0050568AD318})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\setup.exe" -uninst

WebFldrs XP 9.50.6513 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154278257
version (major): 9
version (minor): 50
estimated size: 2508
install date: 20040629
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Cepstral Diane ({360C3DB1-6E6E-4B23-A809-BBCAE90794AB})
estimated size: 120542
install date: 20050427
install source: C:\Documents and Settings\Michael\Desktop\
uninstall cmd: MsiExec.exe /X{360C3DB1-6E6E-4B23-A809-BBCAE90794AB}
publisher: Cepstral, LLC
contact: support@cepstral.com
help link: http://www.cepstral.com
help telephone: 1-412-432-0400
readme: C:\Program Files\Cepstral\

Google Earth 3.0.0395 ({3DE5E7D4-7B88-403C-A3FD-2017A8240C5B})
version: 50332043
install date: 20050726
install location: C:\Program Files\Google\Google Earth
install source: C:\DOCUME~1\Michael\LOCALS~1\Temp\bye991C.tmp\Disk1\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
publisher: Google

Cepstral Amy ({4FAE3EB6-32D7-4AB4-B078-4372F67E5B19})
estimated size: 74494
install date: 20050308
install source: C:\DOCUME~1\Michael\LOCALS~1\Temp\_is386C\
uninstall cmd: MsiExec.exe /X{4FAE3EB6-32D7-4AB4-B078-4372F67E5B19}
publisher: Cepstral, LLC
contact: support@cepstral.com
help link: http://www.cepstral.com
help telephone: 1-412-432-0400
readme: C:\Program Files\Cepstral\

Microsoft Works Suite Add-in for Microsoft Word 2.0.0.0000 ({5F629FE8-5B4C-4863-937A-AFC2961F7DD3})
version: 33554432
version (major): 2
estimated size: 14515
install date: 20040630
install source: D:\WordAdd\
uninstall cmd: MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
publisher: Microsoft Corporation
help link: http://support.microsoft.com/support/works
help telephone:

Windows Genuine Advantage v1.3.0254.0 1.3.0254.0 ({63569CE9-FA00-469C-AF5C-E5D4D93ACF91})
version: 16974078
version (major): 1
version (minor): 3
estimated size: 519
install date: 20050730
install source: C:\DOCUME~1\Michael\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
publisher: Microsoft
comments: Your Comments
contact: Customer Support Department
help link: http://www.microsoft.com/genuine/downloads...idate.aspx/help
help telephone: 1-425.882.8080

PowerDVD ({6811CAA0-BF12-11D4-9EA1-0050BAE317E1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall

Cepstral SwiftTalker with Frank 3.00.0000 ({6CDB4C02-517C-4D89-8A08-B614F5C19657})
version: 50331648
version (major): 3
estimated size: 30205
install date: 20040827
install source: C:\DOCUME~1\Michael\LOCALS~1\Temp\_is26

Edited by ferris2, 31 July 2005 - 03:55 AM.


#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 31 July 2005 - 09:59 AM

Hi ferris2. Alright, let's reset your domains.

Open Notepad and copy/paste the text in the quotebox below into the new document:

[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

; Recreate the keys to avoid a restart

[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"


Save the document to your desktop as deldomains.inf and close Notepad. Locate the deldomains.inf file on your desktop and right-click on it. Choose Install from the popup menu and Yes or Ok to any further prompts.

Re-run your Spybot scan and see if any of the registry warnings are left.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#12 ferris2

ferris2
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:29 AM

Posted 31 July 2005 - 06:18 PM

"Congratulations.. No immediate threats were found". Sweet words.

Thanks so much Oldtimer for your patience and promptness.

F2

Edited by ferris2, 31 July 2005 - 06:19 PM.


#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:29 AM

Posted 31 July 2005 - 09:50 PM

You're very welcome ferris2. I'm glad that we could help.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users