Hijackthislog-cheekymonkeync


  • This topic is locked
12 replies to this topic

#1 cheekymonkeync

cheekymonkeync

  • Members
  • 10 posts
  • Location:NC

Posted 04 August 2005 - 08:32 AM

After running ad-aware and spy-bot, the following log was generated. Any help would be appreciated.


Thanks,
cheekymonkeync


Logfile of HijackThis v1.99.1
Scan saved at 9:27:49 AM, on 8/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\errr.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\dinst.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Cas\Client\casclient.exe
c:\windows\system32\noqbkag.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [r65h36T] jetfax.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ejjjiij] c:\windows\system32\noqbkag.exe r
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - HKCU\..\Run: [axunRWfnT] isipx7.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122165205084
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb04.pogo.com/game/deluxe/insa...aploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\sftupapi.dll
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Roxio\GoBack\GBPoll.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by cheekymonkeync, 04 August 2005 - 08:36 AM.

I'm in motion.
I am still.
I am crying.
I am still.
I'm together.
I'm apart.
I'm forever.
At the start.

Still... I am.

<)))><


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 August 2005 - 01:44 PM

Hello cheekymonkeync and welcome to the BC malware forum. Let's start with a different scan.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 cheekymonkeync

cheekymonkeync
  • Topic Starter

  • Members
  • 10 posts
  • Location:NC

Posted 05 August 2005 - 12:36 AM

Hi OT, thanks for the help. Here is the scan as you requested.

cmonk


Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 7/24/2005 8:29:54 AM 36864 C:\command.exe
PECompact2 7/24/2005 8:29:54 AM 36864 C:\command.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/5/2005 1:04:34 AM 82432 C:\WINDOWS\ru.exe
UPX! 7/29/2004 11:36:08 AM 80384 C:\WINDOWS\gmbnqlfoofh.exe
buddy.exe 7/29/2004 11:36:08 AM 80384 C:\WINDOWS\gmbnqlfoofh.exe
UPX! 7/26/2005 12:03:00 PM 189859 C:\WINDOWS\dsr.exe

Checking %System% folder...
Umonitor 6/28/2005 7:36:56 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown 6/28/2005 7:36:56 PM 417792 C:\WINDOWS\SYSTEM32\guard.tmp
Umonitor 7/20/2005 9:32:28 PM 417792 C:\WINDOWS\SYSTEM32\dhound3d.dll
WinShutDown 7/20/2005 9:32:28 PM 417792 C:\WINDOWS\SYSTEM32\dhound3d.dll
UPX! 1/20/2003 6:07:38 AM 83456 C:\WINDOWS\SYSTEM32\xpljpd.exe
Umonitor 7/30/2005 8:15:34 PM 417792 C:\WINDOWS\SYSTEM32\nvtevent.dll
WinShutDown 7/30/2005 8:15:34 PM 417792 C:\WINDOWS\SYSTEM32\nvtevent.dll
Umonitor 6/27/2005 8:42:44 PM 417792 C:\WINDOWS\SYSTEM32\sSfrcdlg.dll
WinShutDown 6/27/2005 8:42:44 PM 417792 C:\WINDOWS\SYSTEM32\sSfrcdlg.dll
Umonitor 7/23/2005 12:34:02 AM 417792 C:\WINDOWS\SYSTEM32\MIAWT.DLL
WinShutDown 7/23/2005 12:34:02 AM 417792 C:\WINDOWS\SYSTEM32\MIAWT.DLL
Umonitor 7/23/2005 12:01:34 AM 417792 C:\WINDOWS\SYSTEM32\mmtvca.dll
WinShutDown 7/23/2005 12:01:34 AM 417792 C:\WINDOWS\SYSTEM32\mmtvca.dll
Umonitor 7/23/2005 12:10:46 AM 417792 C:\WINDOWS\SYSTEM32\CDDEVCON.DLL
WinShutDown 7/23/2005 12:10:46 AM 417792 C:\WINDOWS\SYSTEM32\CDDEVCON.DLL
Umonitor 7/21/2005 7:40:02 AM 417792 C:\WINDOWS\SYSTEM32\wjpsrcwp.dll
WinShutDown 7/21/2005 7:40:02 AM 417792 C:\WINDOWS\SYSTEM32\wjpsrcwp.dll
Umonitor 7/21/2005 7:40:30 AM 417792 C:\WINDOWS\SYSTEM32\RXPILIB.DLL
WinShutDown 7/21/2005 7:40:30 AM 417792 C:\WINDOWS\SYSTEM32\RXPILIB.DLL
UPX! 1/22/2001 1:47:06 AM 83456 C:\WINDOWS\SYSTEM32\vnaarfn.exe
Umonitor 7/23/2005 7:20:38 PM 417792 C:\WINDOWS\SYSTEM32\kwdhu.dll
WinShutDown 7/23/2005 7:20:38 PM 417792 C:\WINDOWS\SYSTEM32\kwdhu.dll
Umonitor 7/23/2005 7:41:02 PM 417792 C:\WINDOWS\SYSTEM32\sklsrv32.dll
WinShutDown 7/23/2005 7:41:02 PM 417792 C:\WINDOWS\SYSTEM32\sklsrv32.dll
Umonitor 7/30/2005 9:30:40 PM 417792 C:\WINDOWS\SYSTEM32\CMDPROXY.DLL
WinShutDown 7/30/2005 9:30:40 PM 417792 C:\WINDOWS\SYSTEM32\CMDPROXY.DLL
Umonitor 7/23/2005 1:18:24 AM 417792 C:\WINDOWS\SYSTEM32\murddm.dll
WinShutDown 7/23/2005 1:18:24 AM 417792 C:\WINDOWS\SYSTEM32\murddm.dll
Umonitor 7/23/2005 7:47:52 PM 417792 C:\WINDOWS\SYSTEM32\swbiop.dll
WinShutDown 7/23/2005 7:47:52 PM 417792 C:\WINDOWS\SYSTEM32\swbiop.dll
Umonitor 7/23/2005 1:02:56 AM 417792 C:\WINDOWS\SYSTEM32\bXtmeter.dll
WinShutDown 7/23/2005 1:02:56 AM 417792 C:\WINDOWS\SYSTEM32\bXtmeter.dll
Umonitor 7/30/2005 9:03:12 PM 417792 C:\WINDOWS\SYSTEM32\mavidctl.dll
WinShutDown 7/30/2005 9:03:12 PM 417792 C:\WINDOWS\SYSTEM32\mavidctl.dll
UPX! 8/5/2005 1:04:34 AM 82432 C:\WINDOWS\SYSTEM32\errr.exe
Umonitor 8/4/2005 12:43:54 AM 417792 C:\WINDOWS\SYSTEM32\adlui.dll
WinShutDown 8/4/2005 12:43:54 AM 417792 C:\WINDOWS\SYSTEM32\adlui.dll
Umonitor 8/4/2005 1:05:44 AM 417792 C:\WINDOWS\SYSTEM32\dmrgui.dll
WinShutDown 8/4/2005 1:05:44 AM 417792 C:\WINDOWS\SYSTEM32\dmrgui.dll
Umonitor 7/30/2005 10:44:24 PM 417792 C:\WINDOWS\SYSTEM32\muupgrd.dll
WinShutDown 7/30/2005 10:44:24 PM 417792 C:\WINDOWS\SYSTEM32\muupgrd.dll
Umonitor 8/1/2005 1:50:42 PM 417792 C:\WINDOWS\SYSTEM32\tgddd.dll
WinShutDown 8/1/2005 1:50:42 PM 417792 C:\WINDOWS\SYSTEM32\tgddd.dll
Umonitor 8/4/2005 10:22:12 PM 417792 C:\WINDOWS\SYSTEM32\ngmssvc.dll
WinShutDown 8/4/2005 10:22:12 PM 417792 C:\WINDOWS\SYSTEM32\ngmssvc.dll
Umonitor 8/4/2005 1:02:56 AM 417792 C:\WINDOWS\SYSTEM32\dtband.dll
WinShutDown 8/4/2005 1:02:56 AM 417792 C:\WINDOWS\SYSTEM32\dtband.dll
PEC2 8/23/2001 5:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 7/23/2005 4:49:30 PM 417792 C:\WINDOWS\SYSTEM32\DLngerous Creatures.dll
WinShutDown 7/23/2005 4:49:30 PM 417792 C:\WINDOWS\SYSTEM32\DLngerous Creatures.dll
PECompact2 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 7:26:32 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/23/2001 5:00:00 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 5:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/5/2005 1:04:30 AM 417792 C:\WINDOWS\SYSTEM32\sbEp2Usb.dll
WinShutDown 8/5/2005 1:04:30 AM 417792 C:\WINDOWS\SYSTEM32\sbEp2Usb.dll
PTech 9/8/1999 1:45:22 PM 11113 C:\WINDOWS\SYSTEM32\SNWValid.hlp

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/30/2005 8:17:04 PM 54156 C:\WINDOWS\QTFont.qfn
8/5/2005 1:04:34 AM 82432 C:\WINDOWS\ru.exe
8/5/2005 1:04:34 AM 82432 C:\WINDOWS\SYSTEM32\errr.exe
7/21/2005 9:54:24 AM 401408 C:\WINDOWS\SYSTEM32\n?pdb.exe
8/5/2005 1:05:44 AM 942080 C:\WINDOWS\SYSTEM32\config\system.LOG
8/5/2005 1:05:44 AM 200704 C:\WINDOWS\SYSTEM32\config\software.LOG
8/5/2005 1:05:44 AM 20480 C:\WINDOWS\SYSTEM32\config\default.LOG
8/5/2005 1:06:44 AM 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
8/5/2005 1:06:40 AM 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
7/23/2005 8:51:32 PM 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
8/2/2005 10:06:16 PM 184 C:\WINDOWS\SYSTEM32\config\systemprofile\My Documents\My Pictures\Desktop.ini
6/24/2005 1:46:22 AM 0 C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
6/24/2005 1:46:22 AM 0 C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
6/24/2005 1:55:38 AM 0 C:\WINDOWS\LastGood\INF\oem6.inf
6/24/2005 1:55:38 AM 0 C:\WINDOWS\LastGood\INF\oem6.PNF
6/27/2005 7:07:00 PM 0 C:\WINDOWS\LastGood\INF\oem7.inf
6/27/2005 7:07:00 PM 0 C:\WINDOWS\LastGood\INF\oem7.PNF
6/27/2005 8:00:24 PM 0 C:\WINDOWS\LastGood\INF\wmad.inf
6/27/2005 8:00:24 PM 0 C:\WINDOWS\LastGood\INF\wmad.PNF
6/30/2005 5:30:58 PM 0 C:\WINDOWS\LastGood\INF\Erma.inf
6/30/2005 5:30:58 PM 0 C:\WINDOWS\LastGood\INF\Erma.PNF
7/23/2005 8:36:40 PM 0 C:\WINDOWS\LastGood\INF\oem8.inf
7/23/2005 8:36:40 PM 0 C:\WINDOWS\LastGood\INF\oem8.PNF
7/23/2005 8:43:14 PM 0 C:\WINDOWS\LastGood\INF\java.inf
7/23/2005 8:43:14 PM 0 C:\WINDOWS\LastGood\INF\java.PNF
8/5/2005 1:05:24 AM 6 C:\WINDOWS\TASKS\SA.DAT
8/5/2005 1:04:36 AM 192 C:\WINDOWS\TASKS\RUTASK.job
6/10/2005 6:04:16 AM 102400 C:\WINDOWS\DRM\drmstore.hds
7/23/2005 8:33:56 PM 0 C:\WINDOWS\inf\oem7.inf

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/30/2005 11:14:42 PM 1638 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
5/6/2005 11:09:14 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
5/2/2005 8:38:52 PM 1398 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HotSync Manager.lnk
7/17/2005 2:34:12 AM 584 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/19/2005 6:21:42 PM 36352 C:\Documents and Settings\Administrator\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
6/10/2005 6:29:38 AM 98928 C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = %SystemRoot%\System32\zipfldr.dll
{BD472F60-27FA-11cf-B8B4-444553540000} = %SystemRoot%\System32\zipfldr.dll
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = %SystemRoot%\System32\zipfldr.dll
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = %SystemRoot%\system32\SHELL32.dll
{53C74826-AB99-4d33-ACA4-3117F51D3788} = %SystemRoot%\system32\SHELL32.dll
{3D17EDB8-7970-427E-9EBA-285BC87485F7} = C:\WINDOWS\system32\DLngerous Creatures.dll
{11945BB1-BBD2-4019-90D7-4E1745AB0ED6} = C:\WINDOWS\system32\tykwks.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\YAHOO!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM32\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM32\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
Band Class = C:\WINDOWS\dsr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2FDEF853-0759-11D4-A92E-006097DBED37}
ButtonText = Encarta Encyclopedia :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5DA9DE80-097A-11D4-A92E-006097DBED37}
ButtonText = Define :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F4430FE8-2638-42e5-B849-800749B94EED}
ButtonText = PartyPoker.net : C:\Program Files\PartyPoker.net\partypokernet.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NAV Agent C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
cfgmgr52 RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
AUNPS2 RUNDLL32 AUNPS2.DLL,_Run@16
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB rundll32.exe E6F1873B.DLL,D9EBC318C
Dinst C:\WINDOWS\dinst.exe
r65h36T jetfax.exe
iamapp C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
System service62 C:\WINDOWS\etb\pokapoka62.exe
mbksocm c:\windows\system32\ftcicts.exe r
gesphvv c:\windows\system32\xpljpd.exe r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WeatherWatcher C:\Program Files\Weather Watcher\ww.exe
Microsoft Works Update Detection \WkDetect.exe
axunRWfnT isipx7.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
CAS Client "C:\Program Files\Cas\Client\casclient.exe"
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
{1CDB2949-8F65-4355-8456-263E7C208A5D} = C:\WINDOWS\System32\nvshell.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{1CDB2949-8F65-4355-8456-263E7C208A5D} = C:\WINDOWS\System32\nvshell.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager
= C:\WINDOWS\system32\sftupapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.2.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/5/2005 1:16:32 AM
I'm in motion.
I am still.
I am crying.
I am still.
I'm together.
I'm apart.
I'm forever.
At the start.

Still... I am.

<)))><
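As an added example (not part of this thread, and not code from WinPFind or l2mfix), here is a small Python triage script for the two sections of the WinPFind log above that matter most for persistence: the Winlogon\Notify packages and the Run keys. It compares each Notify DLL against a baseline of the ones Windows XP itself registers (crypt32.dll, cryptnet.dll, cscdll.dll, wlnotify.dll, sclgntfy.dll; that list is an assumption and should be extended per build), and it flags Run entries whose command carries no directory path or whose value name looks random. The embedded sample is constructed from excerpts of the log posted above, so the script runs offline; on that input it singles out the ThemeManager entry pointing at sftupapi.dll and the axunRWfnT entry running isipx7.exe, which are exactly the lines a reviewer would want to check first.

```python
"""Triage a WinPFind-style log: unknown Winlogon\\Notify DLLs and odd Run entries."""
import re
from typing import Dict, List, Tuple

# Constructed sample: verbatim excerpts of the WinPFind log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WeatherWatcher C:\Program Files\Weather Watcher\ww.exe
Microsoft Works Update Detection \WkDetect.exe
axunRWfnT isipx7.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
CAS Client "C:\Program Files\Cas\Client\casclient.exe"
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager
= C:\WINDOWS\system32\sftupapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
"""

# Assumption: Winlogon notification DLLs that a stock Windows XP install registers.
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
RUN_KEYS = ("Run", "RunOnce", "RunServices", "RunServicesOnce")
# A token that opens a quoted path, contains a backslash, or ends in .exe starts the command.
CMD_START = re.compile(r'^"|\\|\.exe$', re.IGNORECASE)


def parse_notify(log: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey to its DLL (WinPFind prints the DLL on the next line)."""
    lines = log.splitlines()
    entries: Dict[str, str] = {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line.startswith(NOTIFY_PREFIX):
            continue
        subkey = line[len(NOTIFY_PREFIX):]
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if not nxt:
                continue
            if nxt.startswith("="):
                entries[subkey] = nxt[1:].strip()
            break
    return entries


def parse_run(log: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for every entry under a Run-style key."""
    results: List[Tuple[str, str, str]] = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends the section
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.rsplit("\\", 1)[-1] in RUN_KEYS else None
            continue
        if current is None:
            continue
        tokens = line.split()
        # Value names may contain spaces, so split at the first command-looking token.
        split_at = next((i for i, t in enumerate(tokens) if i > 0 and CMD_START.search(t)), 1)
        results.append((current, " ".join(tokens[:split_at]), " ".join(tokens[split_at:])))
    return results


def executable_of(command: str) -> str:
    """Extract the program part of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def vowel_ratio(name: str) -> float:
    """Share of vowels among letters; random strings tend to score low."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c.lower() in "aeiou" for c in letters) / len(letters)


def audit(log: str) -> List[Tuple[str, str, str]]:
    """Return (finding, name, value) triples worth a closer look."""
    findings: List[Tuple[str, str, str]] = []
    for subkey, dll in parse_notify(log).items():
        if dll.rsplit("\\", 1)[-1].lower() not in BASELINE_NOTIFY_DLLS:
            findings.append(("winlogon-notify-unknown-dll", subkey, dll))
    for _key, name, command in parse_run(log):
        if "\\" not in executable_of(command):
            findings.append(("run-entry-no-path", name, command))  # resolved via PATH, unusual
        if vowel_ratio(name) < 0.25:
            findings.append(("run-entry-random-name", name, command))
    return findings


if __name__ == "__main__":
    for finding, name, value in audit(SAMPLE_LOG):
        print(f"{finding:28} {name:15} {value}")
```

The baseline check is the strong signal: a Winlogon notification DLL that Windows did not ship is loaded into winlogon.exe at every logon, so any name outside the baseline deserves a hash lookup and a look at the file's version information before it is trusted. The Run-key heuristics are weaker hints and will occasionally flag a legitimate entry, so they are meant to order review, not to decide it.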

#4 cheekymonkeync
  • Topic Starter
  • Members
  • 10 posts
  • Location:NC

Posted 05 August 2005 - 12:38 AM

sorry, edit of double post..........stupid computer.

Edited by cheekymonkeync, 05 August 2005 - 12:39 AM.


#5 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 12:56 AM

Hi cheekymonkeync. Looks like an L2M infection. Let's clean that out.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Post the new L2m logs back here along with a new HijackThis log and a new WinPFind log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#6 cheekymonkeync
  • Topic Starter
  • Members
  • 10 posts
  • Location:NC

Posted 05 August 2005 - 01:44 AM

Hi OT,

I downloaded l2m and double-clicked the l2mfix MS-DOS batch file, and did not get an option 2. This is the text it generated:

A subdirectory or file backregs already exists. You must have an internet connection active to download strings from systernals. If one is active than press any key to continue. File Downloader-version 1.01 <build 7.74> Downloads a file from HTTP or a FTP server. Server: www.sysinternals.com prt:80 protocol:HTTP
strings.zip:


I deleted the generated backregs folder, in case I did something wrong and tried again. The bat file then made a new backregs folder and said the same thing.

The following files were unzipped in the l2mfix folder, which one should I use?


Folders

backregs
regfixes

Applications

download
Ntrights
process
reboot
regDACL
unzip
zip

MS-DOS application

locate

MS-DOS batch files

l2mfix
second

Internet shortcut

fixautont.html

compressed folder

strings

text documents

direct
readme

I know that the text docs, etc. won't be used, just wanted to give you all the contents.

Thanks for the help!

C Monk

#7 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 08:39 AM

Hi cheekymonkeync. Go ahead and download that file. It has been used by many of the malware search tools in the past but SysInternals suddenly did not want it included in a package and requested that each user download it from the SysInternal site. I guess they want to increase their traffic or something.

The message about the folders is ok also. The program will recreate them each time it is run.

Actually, this is a new version. I had heard it was coming soon but have not seen it yet. I think I'll go download it myself and play with it :thumbsup:

Cheers.

OT

#8 cheekymonkeync
  • Topic Starter
  • Members
  • 10 posts
  • Location:NC

Posted 05 August 2005 - 09:35 AM

Sorry for my ignorance, but how do I download and proceed?

C Monk

#9 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 10:27 AM

Hi cheekymonkeync. Just double-click on the l2mfix.bat file and you should get a notice that it needs to download a file. You will need to be connected to the web and then just press any key and the program will be downloaded and placed in the l2mfix folder.

Cheers.

OT

#10 cheekymonkeync
  • Topic Starter
  • Members
  • 10 posts
  • Location:NC

Posted 05 August 2005 - 09:07 PM

All I get with the bat file is the following:

A subdirectory or file backregs already exists. You must have an internet connection active to download strings from systernals. If one is active than press any key to continue. File Downloader-version 1.01 <build 7.74> Downloads a file from HTTP or a FTP server. Server: www.sysinternals.com prt:80 protocol:HTTP
strings.zip:

And I can't use any key to do anything from that point. I have a cable modem and an active internet connection, so I am stumped.

Also the strings.zip file has no files to extract if that was what supposed to download. Let me know how I should proceed when you can, and thank you again for your help.

CMonkeync

#11 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 August 2005 - 09:37 PM

Hi cheekymonkeync. Below is a link to the file that it is trying to download. Try going to the site and downloading it yourself. Unzip the contents into the folder where the rest of the l2mfix files are.

http://www.sysinternals.com/Utilities/Strings.html

Cheers.

OT

#12 cheekymonkeync
  • Topic Starter
  • Members
  • 10 posts
  • Location:NC

Posted 07 August 2005 - 01:25 AM

Hi OT,

After running that scan for over two hours without seeing any result, I gave up (I must have done something wrong)! I had someone from the family who was visiting Friday/Saturday, and we just did a complete hard drive wipe. His experience tells him that when Windows has a "wreck", sometimes, like a car, it will not ever drive the right way again. So starting fresh! :thumbsup: I thought I would inform you since you have been helping with this. I do appreciate your help, and hope that you will be available in the future if I need you.

Thanks again for your assistance.

Cheekymonkeync

Edited by cheekymonkeync, 07 August 2005 - 01:26 AM.


#13 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 07 August 2005 - 07:49 PM

Hi cheekymonkeync. Well that is certainly one way to start clean :thumbsup: . We do this every day and have never had to reformat yet, but sometimes that is the shortest route.

Now that your malware issues have been resolved I will close this topic. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :flowers:



