HijackThis Log: Please help diagnose.


34 replies to this topic

#1 kerinbey
  • Members
  • 19 posts

Posted 04 October 2005 - 01:04 PM

Logfile of HijackThis v1.99.1
Scan saved at 18:58:33, on 04/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Documents and Settings\Raymond\My Documents\Docs\HijackThis\HijackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mirago.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\axrzu.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_...supportutil.CAB
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Help would be very much appreciated.


#2 Guest_Cretemonster_*
  • Guests

Posted 08 October 2005 - 05:43 AM

Hi kerinbey and Welcome to the Bleeping Computer!


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Download CleanUp
Install the program, but don't run it yet; we will later.


Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp


Locate and Delete this file

C:\WINDOWS\System32\axrzu.dll


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\axrzu.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point, removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Panda!

#3 kerinbey
  • Topic Starter
  • Members
  • 19 posts

Posted 10 October 2005 - 02:56 PM

Hi Cretemonster, and thank you for taking the time to look at my problem. The instructions are much appreciated.
As requested I have attached the new HijackThis Log together with the Ewido log. I have not managed to obtain a scan result from the Panda scanner. The download appeared to go alright but I cannot trace either an installation icon or a scan result. I do get a message saying that the software is not compatible with my version of Windows (XP) and I should contact Microsoft. Should I repeat the process?

Logfile of HijackThis v1.99.1
Scan saved at 20:41:12, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Raymond\My Documents\Docs\HijackThis\HijackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mirago.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_...supportutil.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:58:56, 10/10/2005
+ Report-Checksum: B9D961FB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID\\ -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1\CLSID\\ -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{110FA82F-DB6C-3C24-8929-60961D10C56E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
[184] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[208] VM_00C10000 -> TrojanDownloader.Agent.uj : Error during cleaning
[724] VM_007B0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\ms32.sys -> TrojanDownloader.Small.bns : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005050.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005053.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005063.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005066.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005083.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005086.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005091.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005094.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005172.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005174.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005208.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005211.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0006206.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0007206.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0007211.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008208.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008211.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008216.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008219.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008224.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008227.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008233.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008235.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008250.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008252.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0008268.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009268.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009271.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009299.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009301.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009306.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009309.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009312.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0009318.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010312.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010317.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010337.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010338.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010341.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010346.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010351.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0010354.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011351.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011355.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011363.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011365.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011372.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011374.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011383.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011386.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011391.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011394.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011399.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011402.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011409.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011410.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011413.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011418.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011426.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011431.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011436.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011439.exe -> Trojan.Small.fb : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011443.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011811.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\svchost.exe -> Spyware.Runner : Cleaned with backup
C:\WINDOWS\system32\dmyvj.exe -> Trojan.Small.fb : Cleaned with backup
::Report End

Thanks again.
Kerinbey
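The two reports in this post can be read against each other: the SearchToolbar CLSID that HijackThis shows on an O3 line is the same CLSID ewido later reports as Spyware.SBSoft/CoolWebSearch. As an added example (not part of this thread, of HijackThis or of ewido), the following Python script parses HijackThis entry lines and ewido report lines and flags the HijackThis entries whose CLSID the scanner reported, or whose browser add-on loads a binary from System32 that is not on an analyst-maintained allowlist. The allowlist and the two short samples are assumptions, excerpted from lines shown in this thread.

```python
"""Triage helper: correlate HijackThis (v1.99) entry lines with an ewido-style
scan report.  Added example; not the thread's own tool or either vendor's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# {8-4-4-4-12} hex CLSID in braces, as HijackThis and ewido print it.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "R0 - ...", "O3 - ...", "O23 - ...": section code, then the description.
HJT_LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# A Windows path ending in a loadable module; non-greedy so "Acrobat 5.0" is kept inside.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl|sys)', re.IGNORECASE)
# ewido result line: "<target> -> <detection name> : <status>".
EWIDO_LINE_RE = re.compile(r"^(.*?) -> (\S+) : (.*)$")


@dataclass
class HjtEntry:
    section: str            # "R0", "O3", "O4", "O23", ...
    description: str        # everything after "Sn - "
    clsid: Optional[str]    # first {CLSID} on the line, upper-cased, or None
    path: Optional[str]     # last module path on the line, or None
    raw: str                # the original line, for reporting


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HijackThis entry lines into structured records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        section, desc = m.groups()
        clsid = CLSID_RE.search(desc)
        paths = PATH_RE.findall(desc)
        entries.append(HjtEntry(section, desc,
                                clsid.group(0).upper() if clsid else None,
                                paths[-1] if paths else None,
                                line.strip()))
    return entries


def parse_ewido(text: str) -> Dict[str, str]:
    """Map every CLSID mentioned in an ewido result line to the first detection name."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        m = EWIDO_LINE_RE.match(line.strip())
        if not m:
            continue
        target, name, _status = m.groups()
        for clsid in CLSID_RE.findall(target):
            hits.setdefault(clsid.upper(), name)
    return hits


# Assumption: an analyst-maintained allowlist of browser add-on binaries expected in System32.
KNOWN_BROWSER_BINARIES = {"msdxm.ocx"}


def triage(entries: List[HjtEntry], ewido_hits: Dict[str, str],
           known=KNOWN_BROWSER_BINARIES) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for each HijackThis entry worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e.clsid and e.clsid in ewido_hits:
            reasons.append(f"CLSID reported by scanner as {ewido_hits[e.clsid]}")
        if e.section in ("O2", "O3") and e.path:   # BHOs and toolbars
            folder, _, fname = e.path.rpartition("\\")
            if folder.lower().endswith("\\system32") and fname.lower() not in known:
                reasons.append("browser add-on loads an unrecognised binary from System32")
        if reasons:
            findings.append((e.raw, reasons))
    return findings


# Constructed samples: a few lines excerpted from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\axrzu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"""
EWIDO_SAMPLE = r"""
HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E}\TypeLib\\ -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\system32\dmyvj.exe -> Trojan.Small.fb : Cleaned with backup
"""

if __name__ == "__main__":
    for raw, reasons in triage(parse_hjt(HJT_SAMPLE), parse_ewido(EWIDO_SAMPLE)):
        print(raw)
        for reason in reasons:
            print("   -", reason)
```

Only the SearchToolbar line is reported, with both reasons; the &Radio toolbar and the Acrobat BHO pass because their CLSIDs are not in the scanner output and their binaries are either allowlisted or outside System32.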

#4 Guest_Cretemonster_*
  • Guests

Posted 10 October 2005 - 05:14 PM

Were you able to do the Panda Scan?

#5 kerinbey
  • Topic Starter
  • Members
  • 19 posts

Posted 11 October 2005 - 01:44 PM

Were you able to do the Panda Scan?

I tried, but even though the download appeared to run OK there was no report. I did receive an error message saying that the software was not compatible with my version of Windows. I am running Windows XP. Should I re-try?

#6 Guest_Cretemonster_*
  • Guests

Posted 12 October 2005 - 02:27 AM

Let's try another approach!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder, double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete", a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Restart Normal and try this Online Scan
http://support.f-secure.com/enu/home/ols.shtml


Post back with the results of those 2 scans please!

#7 kerinbey
  • Topic Starter
  • Members
  • 19 posts

Posted 13 October 2005 - 02:50 PM

Here are the two alternative logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/12/2002 17:13:36 44032 C:\WINDOWS\unwash.exe

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 29/08/2002 04:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 27/09/2005 19:54:12 302621 C:\WINDOWS\SYSTEM32\SetupCarnival.exe
FSG! 05/10/2003 16:46:10 R 1536 C:\WINDOWS\SYSTEM32\TFTP3180
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
13/10/2005 19:03:24 S 2048 C:\WINDOWS\bootstat.dat
13/10/2005 19:03:14 H 8192 C:\WINDOWS\system32\config\default.LOG
13/10/2005 19:03:38 H 1024 C:\WINDOWS\system32\config\SAM.LOG
13/10/2005 19:03:28 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
13/10/2005 19:04:34 H 110592 C:\WINDOWS\system32\config\software.LOG
13/10/2005 19:03:26 H 782336 C:\WINDOWS\system32\config\system.LOG
10/10/2005 11:15:20 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3bbf8125-2ec2-4bbb-a972-e8ccaa335b05
10/10/2005 11:15:20 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
13/10/2005 19:02:06 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 04:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 04:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 04:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/12/2001 11:05:14 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
11/10/2001 18:56:58 475136 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 29/08/2002 04:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/06/2004 18:52:58 551 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/12/2001 07:12:06 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/12/2001 07:12:04 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
BTOW V9.0 = IEAKBT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
EM_EXEC C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ACTIVBOARD C:\Apps\ActivBoard\MMKeybd.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 13/10/2005 19:11:16


Finished: 20 viruses found

Scanned files: 36290 Warning: 20 file(s) still infected!


C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0005056.exe Trojan.Win32.DNSChanger.aa

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011812.sys Trojan-Downloader.Win32.Small.bns

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011813.exe Trojan-Clicker.Win32.Runner

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011814.exe Trojan.Win32.Small.fb

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011817.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011821.exe Trojan.Win32.Small.fb

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011825.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011832.exe Trojan.Win32.Small.fb

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0011837.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0012835.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0013835.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0014835.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP5\A0014840.exe Trojan.Win32.Small.fb

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP6\A0014851.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP6\A0014855.exe Trojan.Win32.Small.fb

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP6\A0014861.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP6\A0014867.exe Trojan-Downloader.Win32.Agent.uj

C:\System Volume Information\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\RP6\A0014870.exe Trojan.Win32.Small.fb

C:\WINDOWS\system32\dmcfn.exe Trojan.Win32.Small.fb

C:\WINDOWS\system32\TFTP3180 Worm.Win32.Lovesan.a



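The scan results above list every detected file by full path, and most of them sit inside System Restore's `_restore{GUID}\RPn` folders rather than in live system directories. The following Python script is an added example, not part of this thread or of the scanner: it parses `<path> <detection name>` result lines of this shape and separates restore-point and recycle-bin copies (inert unless restored, and removed by purging System Restore or emptying the bin) from files in live locations that still need hands-on cleanup. It goes a little beyond this post's log by also recognising `RECYCLER\<SID>` paths, which the later scan in this thread reports. `SAMPLE_LOG` is a constructed excerpt modelled on the logs posted here.

```python
"""Sort antivirus scan findings by where each detected file lives.

Added example, not a tool from this thread. Each result line of the online
scan log has the form "<path> <detection name>". Restore-point copies
(System Volume Information\\_restore{GUID}\\RPn) and recycle-bin copies
(RECYCLER\\<SID>) are inert unless restored and go away when System Restore
is purged or the bin emptied; only files in live locations still execute
and need hands-on removal. SAMPLE_LOG is a constructed excerpt modelled on
the two scan logs in this thread.
"""
import re
from collections import Counter

# "_restore{GUID}\RPn\" is the per-restore-point folder System Restore keeps
# under System Volume Information; RECYCLER\<SID> is a user's recycle bin.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.I)
RECYCLER_RE = re.compile(r"\\RECYCLER\\S-1-5-[0-9-]+\\", re.I)
# A result line: a drive-letter path (may contain spaces) followed by the
# detection name, which never contains spaces, so the last token is the name.
LINE_RE = re.compile(r"^([A-Za-z]:\\.+?)\s+(\S+)$")

# Constructed sample, modelled on the scan output posted in this thread.
SAMPLE_LOG = """\
Finished: 7 viruses found

Scanned files: 36290 Warning: 7 file(s) still infected!

C:\\System Volume Information\\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\\RP5\\A0005056.exe Trojan.Win32.DNSChanger.aa
C:\\System Volume Information\\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\\RP5\\A0011813.exe Trojan-Clicker.Win32.Runner
C:\\System Volume Information\\_restore{CA276FFF-4587-4CE7-8642-13CA762BC01B}\\RP6\\A0014851.exe Trojan-Downloader.Win32.Agent.uj
C:\\WINDOWS\\system32\\dmcfn.exe Trojan.Win32.Small.fb
C:\\WINDOWS\\system32\\TFTP3180 Worm.Win32.Lovesan.a
C:\\RECYCLER\\S-1-5-21-1409082233-115176313-682003330-500\\Dc1.exe Trojan.Win32.Small.fb
C:\\RECYCLER\\S-1-5-21-1409082233-115176313-682003330-500\\Dc2 Worm.Win32.Lovesan.a
"""


def classify(path):
    """Return 'restore_point', 'recycle_bin' or 'live' for a scanned path."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if RECYCLER_RE.search(path):
        return "recycle_bin"
    return "live"


def parse_findings(text):
    """Parse '<path> <detection>' lines; header lines and blanks are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            path, detection = m.groups()
            findings.append({"path": path, "detection": detection,
                             "location": classify(path)})
    return findings


def summarize(text):
    """Group findings so it is clear what still needs hands-on removal."""
    findings = parse_findings(text)

    def paths_in(location):
        return [f["path"] for f in findings if f["location"] == location]

    restore_points = sorted({int(RESTORE_RE.search(f["path"]).group(1))
                             for f in findings if f["location"] == "restore_point"})
    return {
        "total": len(findings),
        "live": paths_in("live"),                # act on these first
        "recycle_bin": paths_in("recycle_bin"),  # gone once the bin is emptied
        "restore_points": restore_points,        # RP numbers holding copies
        "families": Counter(f["detection"] for f in findings),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} findings; {len(report['live'])} in live locations:")
    for path in report["live"]:
        print("  ", path)
    print("restore points holding infected copies:", report["restore_points"])
    print("detections:", dict(report["families"]))
```

Run on the sample, the two `C:\WINDOWS\system32` entries come out as the only live findings, the same two files the next reply asks to be deleted; the restore-point copies disappear when System Restore is turned off and back on, which is why the advice in this kind of thread is to purge restore points only after the live system is clean.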

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 15 October 2005 - 04:53 AM

Sorry this has taken so long, but the person that signs my paycheck actually required I work for it! :thumbsup:

Go back into Safe Mode-> Locate and Delete these 2

C:\WINDOWS\system32\dmcfn.exe<- File

C:\WINDOWS\system32\TFTP3180<- Not sure if this is a file or a folder!

While in Safe Mode, scan again with WinPFind and post those results!

#9 kerinbey

kerinbey
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 17 October 2005 - 01:21 PM

Please don't apologise. I'm grateful for your help, and unfortunately work does take priority, sometimes! Here's the latest log.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/12/2002 17:13:36 44032 C:\WINDOWS\unwash.exe

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 29/08/2002 04:41:10 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17/10/2005 19:00:48 S 2048 C:\WINDOWS\bootstat.dat
17/10/2005 19:01:28 H 1024 C:\WINDOWS\system32\config\default.LOG
17/10/2005 19:00:52 H 1024 C:\WINDOWS\system32\config\SAM.LOG
17/10/2005 19:01:18 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
17/10/2005 19:10:44 H 1024 C:\WINDOWS\system32\config\software.LOG
17/10/2005 19:03:44 H 1024 C:\WINDOWS\system32\config\system.LOG
10/10/2005 11:15:20 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3bbf8125-2ec2-4bbb-a972-e8ccaa335b05
10/10/2005 11:15:20 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
17/10/2005 19:00:50 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 04:41:28 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 04:41:28 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 04:41:28 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/12/2001 11:05:14 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
11/10/2001 18:56:58 475136 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 29/08/2002 04:41:28 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18/08/2001 13:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 04:41:28 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 13:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/06/2004 18:52:58 551 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/12/2001 07:12:06 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\Raymond\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/12/2001 07:12:04 HS 62 C:\Documents and Settings\Raymond\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
BTOW V9.0 = IEAKBT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
EM_EXEC C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ACTIVBOARD C:\Apps\ActivBoard\MMKeybd.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
BullGuard 5.0 "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
washindex C:\Program Files\Washer\washidx.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 17/10/2005 19:14:37

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 17 October 2005 - 01:48 PM

It's definitely looking better but I see some registry changes occurring and need to clarify what has been downloaded or installed in the last few days!

Let's see what this Online Scan shows us and maybe we can wrap this up!
http://support.f-secure.com/enu/home/ols.shtml


Let's see the results of the Online Scan and a fresh HijackThis log!

Let me know how the PC is acting?
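The registry changes the helper is referring to are visible by comparing the two WinPFind logs posted so far (for instance the `bootini` state, a new `RunServicesOnce` entry and a new `NoBandCustomize` policy). As an added example, not a tool from this thread, the Python script below parses the "Checking Selected Registry Keys" part of two WinPFind logs and reports, key by key, which entries were added or removed between scans, then narrows that to autostart and shell-related keys. `OLD_LOG` and `NEW_LOG` are constructed excerpts modelled on the logs in this thread; the `AUTOSTART_HINTS` watch list is my own choice of key-name fragments, not anything WinPFind defines.

```python
"""Diff the registry sections of two WinPFind logs to see what changed.

Added example (not a tool from this thread). WinPFind prints each key it
checks as a bracketed header ("[HKEY_...]") followed by one line per value;
some keys are followed by unbracketed sub-key lines ("HKEY_...\\Explorer")
with their own values. Comparing two logs key by key shows exactly which
autostart entries and policies appeared or disappeared between scans.
OLD_LOG and NEW_LOG are constructed excerpts modelled on logs in the thread.
"""
import re

REGISTRY_MARKER = "Checking Selected Registry Keys"
END_MARKER = "Scan Complete"
# Keys worth a closer look when they change: anything that runs code at boot
# or logon, or silently alters shell / Internet Explorer behaviour. This watch
# list is an assumption of the example, not something WinPFind defines.
AUTOSTART_HINTS = ("\\Run", "\\Winlogon", "\\policies", "Browser Helper Objects",
                   "ShellServiceObjectDelayLoad", "Image File Execution Options",
                   "AppInit_DLLs", "Explorer Bars", "Toolbar")
HEADER_RE = re.compile(r"^\[(.+)\]$")
SUBKEY_RE = re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU)\\", re.I)

OLD_LOG = """\
Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
ezShieldProtector for Px C:\\WINDOWS\\System32\\ezSP_Px.exe
MSConfig C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
MSConfig C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
CTFMON.EXE C:\\WINDOWS\\System32\\ctfmon.exe
MSMSGS "C:\\Program Files\\Messenger\\msmsgs.exe" /background

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce]

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\state
bootini 2

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer
NoDriveTypeAutoRun 145

Scan Complete
"""

NEW_LOG = """\
Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
ezShieldProtector for Px C:\\WINDOWS\\System32\\ezSP_Px.exe

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
MSMSGS "C:\\Program Files\\Messenger\\msmsgs.exe" /background
CTFMON.EXE C:\\WINDOWS\\System32\\ctfmon.exe
BullGuard 5.0 "C:\\Program Files\\BullGuard Software\\BullGuard 5.0\\bullguard.exe"

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce]
washindex C:\\Program Files\\Washer\\washidx.exe

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\state
bootini 0

HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 1

Scan Complete
"""


def parse_registry_sections(text):
    """Map every key or sub-key header to the set of value lines under it."""
    lines = [line.strip() for line in text.splitlines()]
    start = lines.index(REGISTRY_MARKER) + 1 if REGISTRY_MARKER in lines else 0
    sections, current = {}, None
    for line in lines[start:]:
        if line == END_MARKER:
            break
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header or SUBKEY_RE.match(line):
            current = header.group(1) if header else line
            sections.setdefault(current, set())
        elif current is not None:
            sections[current].add(line)  # a set: order and repeats do not matter
    return sections


def diff_logs(old_text, new_text):
    """Return {key: {'added': [...], 'removed': [...]}} for keys that changed."""
    old, new = parse_registry_sections(old_text), parse_registry_sections(new_text)
    changes = {}
    for key in sorted(set(old) | set(new)):
        added = sorted(new.get(key, set()) - old.get(key, set()))
        removed = sorted(old.get(key, set()) - new.get(key, set()))
        if added or removed:
            changes[key] = {"added": added, "removed": removed}
    return changes


def autostart_changes(changes):
    """Narrow a diff to the keys on the autostart / shell watch list."""
    return {k: v for k, v in changes.items()
            if any(h.lower() in k.lower() for h in AUTOSTART_HINTS)}


if __name__ == "__main__":
    diff = diff_logs(OLD_LOG, NEW_LOG)
    watched = autostart_changes(diff)
    for key, change in diff.items():
        print(f"[{'AUTOSTART' if key in watched else 'other'}] {key}")
        for item in change["added"]:
            print("   +", item)
        for item in change["removed"]:
            print("   -", item)
```

Entries are compared as sets, so a reordering (the `MSMSGS`/`CTFMON.EXE` swap in the sample) or a line WinPFind prints twice produces no noise, and only genuine additions and removals are reported. Anything that turns up under a watched key is what to account for first: an entry the user installed on purpose (the BullGuard `Run` value) is fine, while one nobody recognises deserves the same scan-in-Safe-Mode treatment the thread has been following.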

#11 kerinbey

kerinbey
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  

Posted 19 October 2005 - 12:51 PM

It's definitely looking better but I see some registry changes occurring and need to clarify what has been downloaded or installed in the last few days!

Let's see what this Online Scan shows us and maybe we can wrap this up!
http://support.f-secure.com/enu/home/ols.shtml


Let's see the results of the Online Scan and a fresh HijackThis log!

Let me know how the PC is acting?


Here are the two suggested Scan logs

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 18:37:14, on 19/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Documents and Settings\Raymond\My Documents\Docs\HijackThis\HijackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mirago.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_...supportutil.CAB
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

FScanner

Finished: 2 viruses found

Scanned files: 35621 Warning: 2 file(s) still infected!


C:\RECYCLER\S-1-5-21-1409082233-115176313-682003330-500\Dc1.exe Trojan.Win32.Small.fb

C:\RECYCLER\S-1-5-21-1409082233-115176313-682003330-500\Dc2 Worm.Win32.Lovesan.a


My PC generally acts OK. It is when using Internet Explorer that the problems really appear.
If I search, say on Google, and then click on a listed site, the connection is to something else, a casino, dating agency or porn site.
I haven't tried to search and connect since first realising there was a problem.
This is the first time I have logged on since my last message on this thread and in the meantime a dozen new addresses have been added to my Favorites list.
The only other signs are that the System Restore seems to have a rolling date, for example I cannot go back beyond this month, so I have now disabled it. The other one is that I cannot download the latest Bullguard 5.0 software I purchased to replace the antivirus software I recently uninstalled. The reason I uninstalled it was to make way for the new software!

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2005 - 04:01 AM

Let's get Windows updated to SP2, this will fix a lot of bugs in Internet Explorer and make the PC more secure!

After you have fully updated the PC, go to Safe Mode and scan again with WinPFind!

Post those results!

#13 kerinbey

kerinbey
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 20 October 2005 - 02:00 PM

Let's get Windows updated to SP2, this will fix a lot of bugs in Internet Explorer and make the PC more secure!

After you have fully updated the PC, go to Safe Mode and scan again with WinPFind!

Post those results!

Having some trouble with SP2 download, but will post as soon as resolved.

#14 kerinbey

kerinbey
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  

Posted 23 October 2005 - 05:01 AM


Let's get Windows updated to SP2, this will fix a lot of bugs in Internet Explorer and make the PC more secure!

After you have fully updated the PC, go to Safe Mode and scan again with WinPFind!

Post those results!

Having some trouble with SP2 download, but will post as soon as resolved.


Sorry for delay. Service Pack now fully installed. Latest WinPFind log follows.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/12/2002 17:13:36 44032 C:\WINDOWS\unwash.exe

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 29/08/2005 13:27:12 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
23/10/2005 10:39:52 S 2048 C:\WINDOWS\bootstat.dat
20/10/2005 18:24:16 H 0 C:\WINDOWS\inf\oem40.inf
20/10/2005 18:26:00 H 0 C:\WINDOWS\inf\oem41.inf
22/10/2005 15:27:24 RHS 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
22/10/2005 10:08:40 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\01a1255c7a2de973c2a3067555de1f0b\BIT4.tmp
20/10/2005 19:15:44 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\01a87d6cdae8d00685023c2227fbd901\BIT15.tmp
20/10/2005 19:25:30 H 1071328 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09f3832e005a9a2540207136daa73705\BIT2.tmp
07/10/2005 03:18:30 H 490736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2e61ac6279fca149d54e79320ed0416e\BIT5.tmp
22/10/2005 10:08:42 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2e61ac6279fca149d54e79320ed0416e\BIT6.tmp
20/10/2005 19:20:30 H 490736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3ca8c39b9b899185c2c09c220865d1ed\BIT1.tmp
22/10/2005 10:08:46 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4161db3f23053dc2b9214e0f68ee43d8\BITB.tmp
10/10/2005 23:24:02 H 981856 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\48ac9184d034c62fe0202669ce802fae\BIT1A.tmp
22/10/2005 10:08:48 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\48ac9184d034c62fe0202669ce802fae\BITD.tmp
22/10/2005 10:08:44 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\65030dac8468c4ea1d7a83c2d607818c\BIT9.tmp
07/10/2005 02:47:46 H 141825 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\76033438d40f9746b6ec0e8aaf51e236\download\BIT23.tmp
22/10/2005 10:08:44 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\76033438d40f9746b6ec0e8aaf51e236\download\BIT8.tmp
20/10/2005 19:15:46 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\851ca82aef1b7b908fd1385b2f64ab7c\BIT17.tmp
22/10/2005 10:08:40 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9d51f82f11794d8ebbf8f609ad791c6c\download\BIT3.tmp
20/10/2005 19:15:48 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a5fe7d920afc6b7360c46d0fbd5ffc83\BIT19.tmp
22/10/2005 10:08:42 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a98cb8bcd42533ae42cca6c7a4282b7a\BIT7.tmp
20/10/2005 19:15:50 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b557efae9523e650b89a51506b535cf9\BIT1B.tmp
22/10/2005 10:08:48 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c5481ed85104865c537bcd4e567eab3d\BITE.tmp
22/10/2005 10:08:46 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d78af668673c436852155f7dfcca83e7\BITA.tmp
07/10/2005 02:43:56 H 491248 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\db38026d4c7c731bf876ffafac4b434d\BIT4.tmp
22/10/2005 10:08:40 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\db38026d4c7c731bf876ffafac4b434d\BIT5.tmp
20/10/2005 19:45:30 H 896240 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f4cd476bee083b0e594340e23205826c\BIT6.tmp
23/10/2005 10:37:40 H 1025808 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f6e2bdf66b6b403d4c41f96fe0c20e68\BITF.tmp
20/10/2005 19:15:40 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fc77a08cba52ad57cf2f0a10d4723036\BIT10.tmp
06/10/2005 22:37:54 H 4062472 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fea4cc63f0e4b7fc41bf21d5ef839233\BIT11.tmp
22/10/2005 10:08:46 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fea4cc63f0e4b7fc41bf21d5ef839233\BITC.tmp
20/10/2005 19:15:44 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ff9844a0f0feaa5597f75dcffabb8d43\BIT16.tmp
23/10/2005 10:39:38 H 8192 C:\WINDOWS\system32\config\default.LOG
23/10/2005 10:40:08 H 1024 C:\WINDOWS\system32\config\SAM.LOG
23/10/2005 10:39:54 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
23/10/2005 10:40:22 H 122880 C:\WINDOWS\system32\config\software.LOG
23/10/2005 10:40:00 H 806912 C:\WINDOWS\system32\config\system.LOG
10/10/2005 11:15:20 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3bbf8125-2ec2-4bbb-a972-e8ccaa335b05
10/10/2005 11:15:20 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
23/10/2005 10:38:28 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/12/2001 11:05:14 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
11/10/2001 18:56:58 475136 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/06/2004 18:52:58 551 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/12/2001 07:12:06 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
10/12/2001 07:20:22 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/12/2001 07:12:04 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
BTOW V9.0 = IEAKBT
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
EM_EXEC C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ACTIVBOARD C:\Apps\ActivBoard\MMKeybd.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 23/10/2005 10:48:21
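As an added example (not from this thread or from the WinPFind tool), a small Python triage helper that parses the file lines of a WinPFind log like the one above and separates the two things a reviewer looks at first: entries carrying a packer signature and files modified shortly before the scan. The sample input is a handful of lines copied from the log above; the packer tag list and the 7-day window are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Sample input: lines copied from the WinPFind log posted above, trimmed to a few.
SAMPLE_LOG = """\
Checking %WinDir% folder...
UPX! 11/12/2002 17:13:36 44032 C:\\WINDOWS\\unwash.exe

Checking %System% folder...
PEC2 18/08/2001 13:00:00 41397 C:\\WINDOWS\\SYSTEM32\\dfrg.msc
aspack 04/08/2004 08:56:36 708096 C:\\WINDOWS\\SYSTEM32\\ntdll.dll

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
23/10/2005 10:39:52 S 2048 C:\\WINDOWS\\bootstat.dat
20/10/2005 18:24:16 H 0 C:\\WINDOWS\\inf\\oem40.inf
"""

# Packer labels seen in the log (assumed set). Legitimate Microsoft files carry them
# too (dfrg.msc, ntdll.dll above), so a hit is a review item, never a verdict.
PACKER_TAGS = {"UPX!", "aspack", "PEC2"}

# "<tag> dd/mm/yyyy hh:mm:ss <size> <path>"  (signature sections; the tag may contain spaces)
TAGGED = re.compile(r"^(?P<tag>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
                    r"(?P<size>\d+) (?P<path>.+)$")
# "dd/mm/yyyy hh:mm:ss [attrs] <size> <path>"  (hidden/system and startup-folder sections)
ATTRIBUTED = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
                        r"(?:(?P<attrs>[RHSA]+) )?(?P<size>\d+) (?P<path>.+)$")
TIME_FMT = "%d/%m/%Y %H:%M:%S"   # the log's own timestamp format

@dataclass
class Entry:
    section: str            # the "Checking ..." heading the line appeared under
    mtime: datetime
    size: int
    path: str
    tag: Optional[str] = None   # packer/signature label, if the line had one
    attrs: str = ""             # R/H/S/A attribute letters, if the line had them

def parse_log(text: str) -> List[Entry]:
    """Turn WinPFind file lines into Entry records, tracking the current section."""
    entries, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Checking "):
            section = line
            continue
        m = ATTRIBUTED.match(line) or TAGGED.match(line)
        if not m:
            continue                      # headings, registry lines, etc.
        d = m.groupdict()
        mtime = datetime.strptime(f"{d['date']} {d['time']}", TIME_FMT)
        entries.append(Entry(section, mtime, int(d["size"]), d["path"],
                             d.get("tag"), d.get("attrs") or ""))
    return entries

def packed_files(entries: List[Entry]) -> List[Entry]:
    """Entries whose label is one of the packer signatures."""
    return [e for e in entries if e.tag in PACKER_TAGS]

def recent_files(entries: List[Entry], scan_completed: str, days: int) -> List[Entry]:
    """Entries modified within `days` before the 'Scan completed on' timestamp."""
    cutoff = datetime.strptime(scan_completed, TIME_FMT) - timedelta(days=days)
    return [e for e in entries if e.mtime >= cutoff]
```

Feed it the whole log text and compare the packed list against the files you know were installed (here every hit is a dated Microsoft or vendor binary), then review what changed in the recent window.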

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 23 October 2005 - 08:28 AM

Everything looks good to me, let's go ahead and clear out the Recycle Bin.

Copy & paste the text in bold below into Notepad and save it as recyclerem.bat
(set the file type to "All Files").


@echo off
rem Clear the read-only, system and hidden attributes so the folders can be removed
attrib -r -s -h %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
rem rd /s also removes the per-user subfolders inside Recycler; /q skips the confirmation prompt
rd /s /q %systemdrive%\Recycler
rd /s /q %systemdrive%\Recycled
rem Reboot so Windows recreates an empty Recycle Bin
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat.

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Please install these two to add to the security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and reconfigure MSConfig the way you like the PC to start up!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are.



