
NEED HELP, With new problems


This topic is locked
15 replies to this topic

#1 Wendy K. Walker

Posted 07 August 2005 - 04:44 PM

Hi, I have been having lots of trouble lately. I did a HJT log a couple of months ago, and since completing the fix my system sounds have vanished, and I cannot open any pictures by double clicking on their thumbs in my picture folder.

I also have some kind of malicious code in my system that is multiplying my files. Whatever it is, it is not getting picked up by my AV programs, nor any of the ad/spyware programs that I have; however, in the past several months my file count has gone from 5500 to well over 200,000 files.

Here is my latest HJT log; maybe it will shed some light on my problem:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:56 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\shield\SDShield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\launcher.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\launcher.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\launcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\1-Click Answers\answers.exe
C:\PROGRA~1\COMMON~1\GURUNE~1\agtserv.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.com/?.redir=ymmapi9&.cln....cldefstat=Def1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by BellSouth Dial Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\Cosmi\SpyWare Killer Pro\shield\SDShield.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121210407625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121212047968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...414/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B010700-9B04-41E2-97B9-13A0886C14A7}: NameServer = 205.152.132.23,205.152.37.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B010700-9B04-41E2-97B9-13A0886C14A7}: NameServer = 205.152.132.23,205.152.37.23
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for any help!

Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.
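The HijackThis log in this thread is read by eye. As an added example (not HijackThis's own code, and not from anyone in the thread), the Python below parses a log in that v1.99.1 line format into records and lists the entries a helper looks at first: O23 services marked "(file missing)", an R1 ProxyServer setting, and BHOs with no display name. The sample log is constructed from a few lines of the post above, and the triage rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in HijackThis 1.99.1 line format, taken from entries in
# the log posted above with the backslashes in their usual places.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 4:25:56 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\HiJackThis\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [UserFaultCheck] %systemroot%\\system32\\dumprep 0 -u
O23 - Service: avast! Antivirus - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: ewido security suite control - Unknown owner - C:\\Program Files\\ewido\\security suite\\ewidoctrl.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str              # section code, e.g. "O23"
    body: str              # text after "O23 - "
    clsid: Optional[str]   # GUID for BHO/toolbar/button entries, else None
    path: Optional[str]    # file or command line the entry points at
    file_missing: bool     # HijackThis could not find the file on disk


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one 'Oxx - ...' line into an Entry; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    cm = CLSID_RE.search(body)
    clsid = cm.group(0) if cm else None
    missing = body.endswith(MISSING)
    path = None
    if kind in ("O2", "O3", "O9", "O23"):
        # These sections end in " - <path>"; HJT appends "(file missing)".
        path = body.rsplit(" - ", 1)[-1]
        if missing:
            path = path[: -len(MISSING)].rstrip()
    elif kind == "O4":
        # O4 - HKLM\..\Run: [Name] <command line>
        m4 = re.search(r"\]\s*(.*)$", body)
        path = m4.group(1) if m4 else None
    return Entry(kind, body, clsid, path, missing)


def parse_log(text: str) -> dict:
    """Split a log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Logfile of HijackThis"):
            header["version"] = line.split("HijackThis", 1)[1].strip()
        elif line.startswith("Platform:"):
            header["platform"] = line[len("Platform:"):].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            entry = parse_entry(line)
            if entry:
                entries.append(entry)
    return {"header": header, "processes": processes, "entries": entries}


def triage(entries):
    """Return (code, reason, entry) for the items a helper checks first.

    The rules below are this example's assumptions, not HijackThis logic."""
    findings = []
    for e in entries:
        if e.kind == "O23" and e.file_missing:
            findings.append(("orphan-service",
                             "service registration points at a file that is gone "
                             "(uninstall leftover or a removed binary)", e))
        elif e.kind == "R1" and "ProxyServer" in e.body:
            findings.append(("proxy-set",
                             "IE traffic goes through a proxy; confirm which "
                             "installed product listens on that port", e))
        elif e.kind == "O2" and "(no name)" in e.body:
            findings.append(("unnamed-bho",
                             "BHO without a display name; identify it by CLSID "
                             "and path before deciding", e))
    return findings


if __name__ == "__main__":
    for code, why, e in triage(parse_log(SAMPLE_LOG)["entries"]):
        print(f"{code:14} {e.kind:4} {e.path or e.body}\n    {why}")
```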

#2 OldTimer (Malware Expert)

Posted 08 August 2005 - 12:47 PM

Hello Wendy K. Walker and welcome to the BC malware forum. Other than all of the formatting missing from the HijackThis log I do not see any problems. Not being able to open files by double-clicking on them is usually a file-association problem. If you use a special program for viewing graphics you might want to re-install it.

As for the file count, it depends on what the files are and where they are located. It could be that the IE cache is filling up with files from web browsing. Try cleaning it out by doing the following:

Download CleanUp! and install it.

Start CleanUp! and do the following:
  • Click the Options button.
  • Make sure only the following are checked:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (XP only)
    • Scan local drives for temporary files
    • Cleanup! All Users
  • Click the Ok button to close the Options dialog.
  • Click the CleanUp! button to run the cleanup. It may take a while depending on the size of the hard drive so be patient.
  • When it has finished, close CleanUp!.
Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 Wendy K. Walker

Posted 10 August 2005 - 02:32 AM

Hi OldTimer, Thanks for the fast reply. What kind of formatting is missing? Did I set something wrong in HJT? What do I have to do to show all of the formatting stuff too?

I do believe that most of my picture problem has been solved, with lots of input from Bobbi and a couple of others who just happened along at the right time.

I had failed to mention the sudden loss of all Microsoft systems sounds along with the picture problem. I had lost all sound for awhile also.

Today my guardian angel got tired of hearing me grump, and caused Yahoo's IM thing to tell me that if I wanted to play their audibles I needed to update some flash thing, so I did, and now I have sound for Yahoo Launchcast, and for the pronunciation feature of an online dictionary again, but still no system sounds.

Something has wiped out my sound drivers, I think, and I don't know how to get them reloaded without killing something else.

OK, so much for all of that, now on to the "CleanUp" thing, that thing scares the begeebies out of me!

I have used it twice before, and "WHOOSH!!" it flushed away a whole ton of files. Then the next time that I restarted my PC I couldn't get back onto the internet.

That has happened twice already, and both times I wound up having to do a system restore to get things back so that I could get connected again.

Shoot I ran it Monday night after I read your reply, and "WHOOSH!!" that thing got rid of over 65MB of stuff.

I spent most of the day Tuesday trying to figure out how to get back online without having to do a system restore, but my DSL modem wouldn't respond at all. Anyway I finally gave up, did a system restore, and now I am back online.

I know that CleanUp isn't supposed to cause any problems like that, and I did have it set up just like you had said, so what do you think, should I try running it again or not?

I ran Ad-Aware SE in safe mode. It scanned 126,015 files. I also ran Avast, and it scanned 403,989 files in 7,454 folders. Neither found any problems.

I ran "Fix-It Utility 5" and it showed up over 5,000 files with matching names and sizes. The smallest is 3Kb and the largest is over 73MB.

I can do a screen capture of what that program is showing me if you would like to see where those files are located. I'm not too sure of just how to get them on here though.

Let me know what you think, and I'll go from there.

Wendy

#4 OldTimer

Posted 10 August 2005 - 08:57 AM

Hi Wendy K. Walker. Let's try a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT

#5 Wendy K. Walker

Posted 26 August 2005 - 02:58 AM

Hi OldTimer, sorry about taking so long to get back to you on this. I have tried to follow your instructions but have hit an impasse.

When I click on that link I get a file download thing asking what I want to do, open or save the download.

When I click on "Open" a power desk window pops up, along with the little sad message that tells you that power desk ran into a problem and has to close.

So I tried to work around that and do the save thing instead. I clicked save, and when the menu popped up I made it its very own little folder at C:\WinPFind and clicked save.

Next comes the download complete thing, and I have been clicking on open, however as that has not worked five times in a row I will now try the "open folder" option.

OK folder is open. Double clicking on zipper thing and power desk pops open. So far everything is still looking just as it has on all of the past tries when I had gotten to this point.

So double clicking on WinPFind.exe. Same results as before: the program pops open and that evil little sound goes off as an error message pops up saying "File not found".

Click OK on that and then click on start scan button anyway, and error message pops up saying > Access violation at address 0044C31F in module 'WinPFind.exe'. Read of address 00000004. That's cool, click OK.

Meanwhile the cursor is blinking away up there by your warning note, and the hour glass is there anytime that the mouse pointer hits the body of the program, indicating that it is running.

Task manager has had too much to drink and is trying to back up its buddy's claim that it is running; however, it is using 00% of the CPU, so someone is lying here.

If I look directly into the little hole where the HD indicator light is I can see a flicker from time to time, but that thing ought to be bright yellow, and I shouldn't have to strain to see it.

Q: How long should it take that program to complete a run?

I had followed your instructions at the start, and did all of this same stuff in safe mode. I had the same results there, so I am at a loss.

It has been running for about fifteen minutes now and nothing has happened. I will leave it alone for awhile longer just in case I am being too antsy here.

Nothing has changed on the face of that program since it popped open and I clicked start scan. I am still reading your warning, and the message about the not responding thing; however, so far that hasn't popped up.

Let me know what to do. Thanks.

Wendy

#6 OldTimer

Posted 26 August 2005 - 12:03 PM

Hi Wendy K. Walker. It sounds like the executable is being run directly from the zip file. It will not be able to work properly if the files are not extracted to their own folder.

WinXP allows you to double-click on a zip file and attempt to run the contents directly. This will not work for any program that requires multiple files because the additional files are not available from within the zip.

To extract the files properly, right-click on the winpfind.zip file and choose Extract (or Extract All) and then follow the prompts. If you choose the default options it will create a folder named WinPFind in the current folder and extract all of the files in the zip file to that folder. Therefore, if you have the winpfind.zip file in the c:\winPFind folder when you extract the files from the zip the executable files will be in the c:\winpfind\winpfind folder. Go to that folder and run the winpfind.exe file (thus the full path to the proper executable will be c:\winpfind\winpfind\winpfind.exe). When the program is finished running there will be a winpfind.txt file in the same folder. Open that file in Notepad and post the contents back here.

Cheers.

OT

#7 Wendy K. Walker

Posted 26 August 2005 - 04:54 PM

Hi OldTimer *feeling kind of blond at the moment* Yes, you were correct.
I had forgotten about the "extracting" thing there.

OK so I got everything working and here is the log:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PECompact2 6/9/2005 2:14:12 PM 1263448 C:\WebCleaner.dll
aspack 6/9/2005 2:14:12 PM 1263448 C:\WebCleaner.dll

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
PEC2 8/14/2005 7:23:04 PM 1502720 C:\WINDOWS\goInstaller.exe
PECompact2 8/14/2005 7:23:04 PM 1502720 C:\WINDOWS\goInstaller.exe
PECompact2 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\LPT$VPN.719
qoologic 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\LPT$VPN.719
SAHAgent 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\LPT$VPN.719
UPX! 7/10/2005 9:46:42 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\VPTNFILE.719
qoologic 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\VPTNFILE.719
SAHAgent 7/10/2005 9:46:40 PM 15329059 C:\WINDOWS\VPTNFILE.719
UPX! 7/10/2005 9:46:42 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 7/10/2005 9:46:42 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 7/9/2005 4:03:06 AM 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 8:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 2:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
qoologic 1/28/2005 1:00:02 PM 8228406 C:\WINDOWS\SYSTEM32\pav.sig
aspack 1/28/2005 1:00:02 PM 8228406 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 1/28/2005 1:00:02 PM 8228406 C:\WINDOWS\SYSTEM32\pav.sig
winsync 1/28/2005 1:00:02 PM 8228406 C:\WINDOWS\SYSTEM32\pav.sig
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 7/2/2002 6:06:30 PM 1807568 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/26/2005 2:07:04 PM S 2048 C:\WINDOWS\bootstat.dat
8/10/2005 9:13:34 PM HS 5120 C:\WINDOWS\$NtServicePackUninstall$\Thumbs.db
8/10/2005 9:13:34 PM HS 5632 C:\WINDOWS\8mile dir\Thumbs.db
7/18/2005 1:38:52 AM H 10820 C:\WINDOWS\Help\update.GID
7/12/2005 6:23:00 PM H 0 C:\WINDOWS\inf\oem14.inf
7/24/2005 9:22:30 PM H 1061 C:\WINDOWS\system32\vsconfig.xml
7/18/2005 3:19:42 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
6/30/2005 9:06:34 AM S 11437 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
6/30/2005 1:42:18 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
6/30/2005 2:21:10 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
6/30/2005 8:46:18 AM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
6/28/2005 7:12:56 PM S 11845 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
7/2/2005 3:18:16 AM S 9445 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB903235.cat
8/26/2005 2:06:50 PM H 8192 C:\WINDOWS\system32\config\default.LOG
8/26/2005 2:07:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/26/2005 2:07:06 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
8/26/2005 2:07:32 PM H 65536 C:\WINDOWS\system32\config\software.LOG
8/26/2005 2:07:34 PM H 6266880 C:\WINDOWS\system32\config\system.LOG
8/12/2005 9:28:00 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
8/22/2005 12:53:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8497236d-bc9a-45ac-91cc-37fc6d4b74ae
8/22/2005 12:53:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/26/2005 2:05:42 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/4/2005 3:36:44 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 3/4/2002 6:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 8/14/2005 12:00:50 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SmartLink 7/2/2002 6:40:00 PM 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Avance Logic, Inc. 9/15/2002 8:52:06 PM 1256448 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/26/2002 3:35:50 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/26/2002 7:27:02 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/26/2002 3:35:50 PM HS 84 C:\Documents and Settings\**REMOVED MY NAME**\Start Menu\Programs\Startup\desktop.ini
6/16/2005 3:01:50 AM 653 C:\Documents and Settings\**REMOVED MY NAME**\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
11/26/2002 7:27:02 AM HS 62 C:\Documents and Settings\**REMOVED MY NAME**\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\Fix-It\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerDesk Menu
{26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\pdshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\Fix-It\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerDesk Menu
{26E7F081-EB97-11d3-9239-006008D2D00F} = C:\Program Files\VCOM\PowerDesk\pdshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3}
= C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
WinPatrol C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
S3TRAY2 S3tray2.exe
RCScheduleCheck C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Fix-It AV C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
SpyDefender Shield "C:\Program Files\Cosmi\SpyWare Killer Pro\shield\SDShield.exe"
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
PRIVANAL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
FileName0 C:\WINDOWS\System32\RSACi.rat
Key @o'
Hint REMEMBER MY NUMBER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 1
PleaseMom 0
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 4
n 4
s 4
v 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/26/2005 2:16:23 PM


So, Does this tell you anything?

:flowers: Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.
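The Run-key sections of a log like the one above are the first thing a helper reads. As an added example (not WinPFind's or HijackThis's code), this script parses those sections from a copy of this thread's own Run-key lines and flags the entries that deserve a second look: a value with no command at all, a bare file name that Windows resolves through the PATH search, or an unquoted path containing spaces.

```python
"""Triage the Run keys in a WinPFind-style log.

Added example, not WinPFind's or HijackThis's code: each autostart key is a
bracketed header followed by one '<value name> <command>' line per entry.
"""
import re

# Constructed sample: the Run-key sections copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
S3TRAY2 S3tray2.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
UserFaultCheck %systemroot%\system32\dumprep 0 -u

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
PRIVANAL
"""

HEADER_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_KEY_RE = re.compile(r"\\Run(Once|OnceEx|Services|ServicesOnce)?$", re.IGNORECASE)
# Value names may contain spaces, so the command is located by what it starts
# with: a quoted string, a drive-letter path, an environment variable, or a
# bare program name with a known extension.
ENTRY_RE = re.compile(
    r'^(?P<name>.+?)\s+(?P<cmd>(?:"|[A-Za-z]:\\|%|\S+\.(?:exe|com|scr|bat|cmd)\b).*)$',
    re.IGNORECASE)
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd))(?:\s+(?P<args>.*))?$", re.IGNORECASE)

def split_command(cmd):
    """Separate a Run-key command into executable, arguments and quoting."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1) if '"' in cmd[1:] else len(cmd)
        return {"exe": cmd[1:end], "args": cmd[end + 1:].strip(), "quoted": True}
    m = EXE_RE.match(cmd)
    if m:
        return {"exe": m.group("exe"), "args": m.group("args") or "", "quoted": False}
    first, _, rest = cmd.partition(" ")  # no recognised extension: first token runs
    return {"exe": first, "args": rest.strip(), "quoted": False}

def parse_run_entries(log_text):
    """Return one record per line found under a Run-type key."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            key = header.group("key")
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue  # only Run-type keys are triaged here
        m = ENTRY_RE.match(line)
        if m:
            record = {"key": key, "name": m.group("name"), **split_command(m.group("cmd"))}
        else:  # a value name with nothing after it, like the PRIVANAL line
            record = {"key": key, "name": line, "exe": None, "args": "", "quoted": False}
        entries.append(record)
    return entries

def triage(entry):
    """Notes a reviewer would attach to one autostart entry ([] means unremarkable)."""
    exe = entry["exe"]
    if exe is None:
        return ["no command: value name without anything to run"]
    if "\\" not in exe:
        return ["bare file name: resolved through the PATH search order"]
    if " " in exe and not entry["quoted"]:
        return ["unquoted path containing spaces"]
    return []

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(f"{e['name']:<32} {e['exe'] or '-':<52} {'; '.join(triage(e)) or 'ok'}")
```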

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:06 PM

Posted 27 August 2005 - 01:55 PM

Hi Wendy K. Walker. Everything looks clean. I do not see any signs of infections or malware at this time.

In regards to the sound issue. If sounds are working in some of the programs then the drivers are installed and working properly. If the system sounds do not work then it is probably because they are not set. If you are using a theme try changing the theme and see if they work. If not, they can be set manually through the Control Panel's Sounds and MultiMedia applet.

I was reading through the other post regarding the picture issue. If the files are jpg files, MSPaint cannot edit them. MSPaint can only edit bmp files. If these are pictures from a digital camera then usually the camera comes with software for doing photo editing and that should be reinstalled, or if another program was being used for picture editing then reinstall that software. If you do not have a photo editing program then a good commercial application is PaintShop Pro (they were giving it away free for a while but I'm not sure they are still doing so). A couple of good free programs for photo editing are IrfanView and Gimp. I use both and they are very good.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#9 Wendy K. Walker

Wendy K. Walker
  • Topic Starter

  • Members
  • 633 posts
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:02:06 AM

Posted 29 August 2005 - 03:48 AM

Hi OldTimer, thanks for the heads up on my system. I can't understand the sound or picture thing either one.

I have no idea how all of that is supposed to work. I know that I would click on a thumbnail, it would open, and if I clicked on the edit button it would jump to somewhere else for the editing.
Now that does not work. Not to worry, I found that IrfanView thing and downloaded it.

As far as the system sounds, or any sounds, go, they still come and go when I reboot or restart. I have no idea why there either.

Now I would like to ask a new question > I have just found something very odd in an email that I had sent to one of my contacts.

They had replied to that email by using the reply feature so I got back my original email. I just happened to notice that it had a commercial hyper link in it.

Here is what I found >>


> Subject: Re: Just Saying Hi
>
> *grabs tori by the throat and chokes her just a little bit* Damn Boo,
acting as a <a style='text-decoration: none; border-bottom: 3px
double;' href="http://www.serverlogic3.com/lm/rtl3.asp?si=22&k=big%20sister"
onmouseover="window.status='big sister'; return true;"
onmouseout="window.status=''; return true;">big sister</a> I had to do that to you for
having sex again, I think after I recommended that you don't do it. <<


I had not sent a link in that email so I am wondering what is going on? How did a commercial link get worked into my letter like that?

Has my machine gotten zombified or something?

:thumbsup: Wendy
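One way to check a received copy of a message for links you did not write, added here as an example (not the forum's or any mail client's code): the HTML body and the plain sentence are constructed from the quoted reply above, and the checker lists every anchor and flags the two things worth noticing in it, handlers that rewrite the browser status bar and a link target whose host never appears in the text the sender actually typed.

```python
"""Find hyperlinks in a received message that the sender never wrote.

Added example for this thread, not part of any mail client: parse the HTML
body, list every anchor, and flag status-bar rewriting handlers and link
targets whose host does not appear in the text the sender actually typed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted reply above: the sender typed plain
# text, and the copy that came back had an <a> wrapped around 'big sister'.
ORIGINAL_TEXT = ("Damn Boo, acting as a big sister I had to do that to you for "
                 "having sex again, I think after I recommended that you don't do it.")
RECEIVED_HTML = (
    "Damn Boo, acting as a <a style='text-decoration: none; border-bottom: 3px double;' "
    'href="http://www.serverlogic3.com/lm/rtl3.asp?si=22&k=big%20sister" '
    "onmouseover=\"window.status='big sister'; return true;\" "
    "onmouseout=\"window.status=''; return true;\">big sister</a> I had to do that "
    "to you for having sex again, I think after I recommended that you don't do it."
)

class AnchorCollector(HTMLParser):
    """Collect (attributes, visible text) for every <a>...</a> in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = {"attrs": {k: (v or "") for k, v in attrs}, "text": ""}
    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None

def audit_anchors(html_body, original_text):
    """Return the anchors that look inserted, each with the reasons."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    wrote = original_text.lower()
    findings = []
    for a in parser.anchors:
        attrs, text = a["attrs"], a["text"].strip()
        href = attrs.get("href", "")
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        # Handlers that overwrite window.status hide the real target from the
        # status bar; a link the sender wrote has no reason to do that.
        for event in ("onmouseover", "onmouseout", "onclick"):
            if "window.status" in attrs.get(event, ""):
                reasons.append(f"{event} rewrites the status bar")
        if host and host not in wrote:
            reasons.append(f"target host {host} is not in the text you wrote")
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if text and not looks_like_url and text.lower() in wrote and host not in wrote:
            reasons.append("link wrapped around a phrase from your own sentence")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_anchors(RECEIVED_HTML, ORIGINAL_TEXT):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Sending the same text to yourself, as suggested later in the thread, gives a second body to run through the same check; if the anchor shows up there too it was added in transit, if not it was added at the recipient's end.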

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:06 PM

Posted 29 August 2005 - 11:37 AM

Hi Wendy K. Walker. Maybe and maybe not. Some of the free email accounts will put advertising in the emails when it streams through their servers.

What email service do you use and what email client (Outlook, Outlook Express, Netscape, web-based etc).

If the client is an application we can look at some of the settings and see what is set there.

Cheers.

OT


#11 Wendy K. Walker

Wendy K. Walker
  • Topic Starter

  • Members
  • 633 posts
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:02:06 AM

Posted 29 August 2005 - 12:55 PM

Hi OldTimer, Thanks for the reply. Shoot, all I know is that I use Yahoo Mail. I just sign on to windows on my PC and click on the Yahoo Mail icon and WA-la yahoo mail opens up and I do my mail.

Hum, let me bug you some more here; I have been working to track down something evil in my PC that seems to take fits of conflicting with my DSL modem's ability to connect to the internet.

I think that I have finally pinned it down to something that is in my start-up thing in msconfig. It is listed as > wkdetect PRIVANAL < Is that something evil?

I just happened to spy it in the task manager where it was hogging up 100 % of my CPU stuff, so I disabled it and the conflict with my modem seems to have disappeared.

When that thing is enabled it also seems to have the ability to turn off my Zone Alarm Firewall in msconfig. I had had to reset Zone Alarm in msconfig several times earlier today while that thing was enabled.

Now that I have it disabled I no longer seem to have the conflict with my modem and Zone Alarm has not been disabled when I restarted my system like it had been doing.

Thanks for your help.


:thumbsup: Wendy

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:06 PM

Posted 29 August 2005 - 04:06 PM

Hi Wendy K. Walker. If you are using IE to access the Yahoo mail and not a web client then only Yahoo could put anything additional in the email. Are you sure that Yahoo did that? If the user is using a POP3 email client and their machine is infected, the additional tagging could be coming from that machine and not Yahoo.

As for the wkDetect line, that is an updater for Microsoft Works that goes out and checks for updates. If it was blocked in the firewall then it will continually poll to check for updates. It's better not to run it than to run it and try to block it.

Cheers.

OT


#13 Wendy K. Walker

Wendy K. Walker
  • Topic Starter

  • Members
  • 633 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:02:06 AM

Posted 30 August 2005 - 10:47 PM

Hi OldTimer, Thanks for the reply. As for the email thing, like I said I just log on to my account on my PC, then click on yahoo mail and log in there.

Then I do my mail and sign off before I close the mail. The only reason that I am even aware of this is because a contact had used the reply feature in mail to reply to that email and it sent me back a complete copy of my original email.

That coupled with the fact that I recognized the <a href=" thing as being something that I use to make links. So how do I keep that from happening again?

About that wkDetect line, it is not blocked in the firewall that I know of, but I now have it disabled in msconfig because the whole line reads "wkDetect PRIVANAL", and I associate that PRIVANAL thing with an evil anonymizer program that I have deleted because it was conflicting with lots of stuff.

That line "wkDetect PRIVANAL" is something that has appeared in my msconfig startup file since I deleted that evil anonymizer program. How do I get rid of things that just pop up in the startup section of msconfig?



:thumbsup: Wendy

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:10:06 PM

Posted 31 August 2005 - 12:01 PM

Hi Wendy K. Walker. The PRIVANAL flag is a part of a program from Anonymizer called SpywareKiller. It is a valid program and some use it for anonymous surfing. If the program is no longer installed then that flag can be removed from the wkDetect line or simply leave it turned off.

MsConfig simply reports what is set to run from the registry entries (just like HijackThis). In MsConfig you can disable items but not remove them from the registry. That would require a program like HijackThis or any of the various startup tools available or editing the registry directly. If you want to remove it then you can enable it in MsConfig and run HijackThis. Select the item and have HijackThis remove it. That will remove the entry from the registry.

As for the email, the point is that you do not know if that information came from your email or if it was inserted at the recipient when they received it (probably due to an infection on their end). You can test this by typing out the exact same email and sending it to yourself. See if the additional information has been inserted into the email when you receive it from yourself. If not, then it was placed there by the recipient. If so, then Yahoo is putting it in there and you have no control over it.

Cheers.

OT


#15 Wendy K. Walker

Wendy K. Walker
  • Topic Starter

  • Members
  • 633 posts
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:02:06 AM

Posted 10 September 2005 - 03:02 AM

Hi OldTimer, sorry about the delay in answering your reply. Thanks for the information. I think that I have finally gotten rid of that PRIVANAL thing.

I will try your suggestion about emailing myself just out of curiosity. I can put up with it if it is just the cost of doing business with my free yahoo mail account.

Thanks again.

Wendy



