
My Computer Is Infected With Malware...



#1 DJS2005


Posted 12 November 2005 - 11:55 AM

My computer has slowed down tremendously over the past week or so during booting time and my Internet Explorer Settings are constantly being changed. I used Adware and Spybot and while it deleted many of the malware, some of them keep coming back. I also used XoftSpy and it found some files that the others didn't find, including a cws.mrhop. I hope someone more knowledgeable can lead me through this. I also wanted to eliminate all the running processes that are unnecessarily taking up system resources, if possible. I appreciate everything you do in advance!

Here's the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:46 AM, on 11/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\sdkyw32.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\msje.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jose Daniel\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qowgt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qowgt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {B39DD509-E1F5-073C-7DCC-52B6550CEC40} - C:\WINDOWS\mfcqu32.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [sdkyw32.exe] C:\WINDOWS\system32\sdkyw32.exe
O4 - HKCU\..\Run: [Weather Pulse] D:\Program Files\Weather Pulse\weatherpulse.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msje.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Edited by DJS2005, 12 November 2005 - 12:08 PM.
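As an added illustration (not code from this thread, from BleepingComputer or from the HijackThis project), here is a Python triage pass over the kind of log entries posted above: IE start and search pages reset to about:blank, a SearchAssistant served from a res:// DLL inside system32, a generically named BHO sitting directly in C:\WINDOWS, a Run entry named after its own file, and an "Unknown owner" service with a garbled short name. The sample lines are copied from the first log; the regexes, the severity labels and the "review" versus "high" split are this example's own assumptions, not HijackThis logic.

```python
"""Heuristic triage of HijackThis 1.99 log lines for the CoolWebSearch-style
signs seen in this thread. Added example, not BleepingComputer's or HijackThis's code."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first log in this thread (the hijacked IE
# pages, the generically named BHO in C:\WINDOWS, the Run entry named after its own
# file, the "Network Security Service") plus benign lines the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qowgt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {B39DD509-E1F5-073C-7DCC-52B6550CEC40} - C:\WINDOWS\mfcqu32.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [sdkyw32.exe] C:\WINDOWS\system32\sdkyw32.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\msje.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]*)\)\s*$")  # the "(SPTISRV)" style short name

@dataclass
class Finding:
    severity: str  # "high": almost certainly the hijack; "review": check the file first
    line: str
    reason: str

def in_windows_dir(path: str) -> bool:
    # This family dropped its DLLs/EXEs straight into the Windows directory or system32.
    return bool(WINDOWS_DIR.match(path.strip()))

def check_r(line: str) -> "Finding | None":
    # R0/R1 are IE start and search page values; R3 is the URLSearchHook.
    if "URLSearchHook is missing" in line:
        return Finding("review", line, "default URLSearchHook entry missing (HijackThis can restore it)")
    value = line.split(" = ", 1)[1].strip() if " = " in line else ""
    if value.lower() == "about:blank":
        return Finding("high", line, "IE start/search page forced to about:blank")
    if value.lower().startswith("res://") and in_windows_dir(value[len("res://"):]):
        return Finding("high", line, "search assistant served from a DLL resource in the Windows directory")
    return None

def check_o2(line: str) -> "Finding | None":
    m = O2_RE.match(line)
    if not m or not in_windows_dir(m["path"]):
        return None  # BHOs under Program Files (Acrobat, SDHelper) are not flagged by this rule
    generic = m["name"].strip() in ("(no name)", "Class")
    reason = "BHO loaded from the Windows directory" + (", with a blank or generic name" if generic else "")
    return Finding("high" if generic else "review", line, reason)

def check_o4(line: str) -> "Finding | None":
    m = O4_RE.match(line)
    if not m or not in_windows_dir(m["path"]):
        return None
    filename = m["path"].rsplit("\\", 1)[-1]
    if m["key"].lower() == filename.lower():  # key is just the file name: typical of generated names
        return Finding("review", line, "Run entry in the Windows directory named after its own file")
    return None

def check_o23(line: str) -> "Finding | None":
    m = O23_RE.match(line)  # a display name containing " - " would confuse this split
    if not m:
        return None
    short = SHORT_NAME_RE.search(m["name"])
    if short and not re.fullmatch(r"[\w .\-]*", short["short"]):
        return Finding("high", line, "service short name contains garbage characters")
    if m["owner"] == "Unknown owner" and in_windows_dir(m["path"]):
        # "Unknown owner" only means no vendor string (Ati2evxx.exe is a normal ATI component), so "review".
        return Finding("review", line, "service with no vendor info running from the Windows directory")
    return None

CHECKS = {
    "R0": check_r, "R1": check_r, "R3": check_r,
    "O2": check_o2, "O4": check_o4, "O23": check_o23,
}

def triage(log_text: str) -> "list[Finding]":
    """Run every non-empty line through the check registered for its section prefix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        check = CHECKS.get(line.split(" ", 1)[0]) if line else None
        finding = check(line) if check else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Every "review" hit still needs the file checked by hand, as the Ati2evxx.exe line shows: the rule cannot tell a driver helper from a dropped service by the log line alone.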




#2 -David-


Posted 12 November 2005 - 03:58 PM

Hi and Welcome to techguy.com!

My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was.

It may look like a lot below - follow the instructions as carefully as possible and everything should be kool!
________________________________________________

Download CWShredder Here to its own folder.
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click here to download AboutBuster created by Rubber Ducky
Unzip AboutBuster to the desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit".

Click here to download cwsserviceremove.zip : http://castlecops.com/zx/flrman1/cwsserviceremove.zip
Unzip it to your desktop and have it ready to run later.

Download CleanUp!
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK

    DO NOT run it yet!
Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

Network Security Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry.......Answer yes when asked to have its contents added to the registry

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Next run AboutBuster. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

Now, run CWShredder. Just click on the cwshredder.exe then click Fix (Not Scan only) and let it do its thing.

Now run cleanup!
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.
Click Here to do a Panda online scan
  • If it asks you install active x controls click Yes
  • if a box comes up telling you to install the program also click Yes
  • Make sure you tick Disinfect automatically under Scan Options
  • complete the scan and post the log that you can save afterwards in the same way you did the HJT log.
  • It is normal for it to take a reasonable time to complete
Please download hoster from the link below.
http://www.funkytoad.com/download/hoster.zip
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
  • Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given
If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download SDHelper.dll
Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

Reboot and post another HijackThis log please.

#3 DJS2005


Posted 13 November 2005 - 09:53 AM

Hey, David! I did everything you told me to do, but there were a few things that I need to point out.

When I ran one of the first few programs (I believe it was Aboutbuster), at the end this message popped up:

Run-time error '339':

Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.

I don't know what that means, but wanted to make sure you knew about it.

Also, when I ran CWShredder in Safe Mode it didn't detect anything. However, I ran it again in Normal mode and it did detect one file infecting my system. I believe it was CWS.HomeSearch. It was deleted.

When you told me to scan using the Panda Online scan, I figured that I couldn't do it in Safe Mode (since I needed to be connected to the internet for that), so I rebooted my system to scan my computer. Was that OK? Also, where can I find a logfile of the Panda scan? It didn't ask me to save anything.

I then proceeded to follow the rest of your instructions, but I found out that the SDHelper.dll file wouldn't copy to the Spybot program, so I let it stay the way it was.

Now to finish my long post, I ran XoftSpy and thanks to all your instructions, I only have 2 possible threats still in my system (compared to 10-15 I had before). The first one is called CWSIEFeats. It says that it is Adware and changes my Internet Explorer Settings and Default HomePages, etc... It can also display pop-ups and download files without my knowledge. Can you please help me with this one?

The second one relates to the Windows Update Features which were altered by some malicious program. It says that I might be unable to update my Operating system to remove a security hole. Please help!

In the meantime here's my HijackThis logfile... Again, I thank you VERY much for your time and efforts to help me.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:29 AM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\XoftSpy\XoftSpy.exe
C:\Documents and Settings\Jose Daniel\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.nhc.noaa.gov
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.nhc.noaa.gov
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKCU\..\Run: [Weather Pulse] D:\Program Files\Weather Pulse\weatherpulse.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#4 -David-


Posted 13 November 2005 - 09:57 AM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing


Do you know what this is?

O4 - HKCU\..\Run: [Weather Pulse] D:\Program Files\Weather Pulse\weatherpulse.exe

David

#5 DJS2005


Posted 13 November 2005 - 10:10 AM

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing


Do you know what this is?

O4 - HKCU\..\Run: [Weather Pulse] D:\Program Files\Weather Pulse\weatherpulse.exe

David


Thanks for the quick reply. I did follow your instructions above.

Yes, I know what that program is. It is a program that displays local weather conditions on my Desktop. I know that's not spyware.

Do you know anything about the other 2 spyware I told you about? What about the Panda scan logfile? Do you need it to go more indepth?

#6 -David-


Posted 13 November 2005 - 10:14 AM

1) Can you find and post the Panda log

2) Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

David

#7 DJS2005


Posted 13 November 2005 - 10:39 AM

David, here's the log for the latest program I downloaded:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 11/3/2005 1:55:34 PM 35840 C:\command.exe
PECompact2 11/3/2005 1:55:34 PM 35840 C:\command.exe
UPX! 8/23/2005 12:50:00 PM 354 C:\patterns.txt
FSG! 8/23/2005 12:50:00 PM 354 C:\patterns.txt
PEC2 8/23/2005 12:50:00 PM 354 C:\patterns.txt
PECompact2 8/23/2005 12:50:00 PM 354 C:\patterns.txt
Umonitor 8/23/2005 12:50:00 PM 354 C:\patterns.txt
qoologic 8/23/2005 12:50:00 PM 354 C:\patterns.txt
aspack 8/23/2005 12:50:00 PM 354 C:\patterns.txt
PTech 8/23/2005 12:50:00 PM 354 C:\patterns.txt
urllogic 8/23/2005 12:50:00 PM 354 C:\patterns.txt
ad-beh 8/23/2005 12:50:00 PM 354 C:\patterns.txt
ad-behNior.com 8/23/2005 12:50:00 PM 354 C:\patterns.txt
sYVLLSAKY 8/23/2005 12:50:00 PM 354 C:\patterns.txt
_rtneg3 8/23/2005 12:50:00 PM 354 C:\patterns.txt
SAHAgent 8/23/2005 12:50:00 PM 354 C:\patterns.txt
buddy.exe 8/23/2005 12:50:00 PM 354 C:\patterns.txt
ZepMon 8/23/2005 12:50:00 PM 354 C:\patterns.txt
aurora.exe 8/23/2005 12:50:00 PM 354 C:\patterns.txt
;2x(V]@BMD 8/23/2005 12:50:00 PM 354 C:\patterns.txt
Tlji7Mk 8/23/2005 12:50:00 PM 354 C:\patterns.txt
KavSvc 8/23/2005 12:50:00 PM 354 C:\patterns.txt
69.59.186.63 8/23/2005 12:50:00 PM 354 C:\patterns.txt
209.66.67.134 8/23/2005 12:50:00 PM 354 C:\patterns.txt
66.63.167.97 8/23/2005 12:50:00 PM 354 C:\patterns.txt
66.63.167.77 8/23/2005 12:50:00 PM 354 C:\patterns.txt
abetterinternet.com 8/23/2005 12:50:00 PM 354 C:\patterns.txt
8B!7F\(T 8/23/2005 12:50:00 PM 354 C:\patterns.txt
testpopup 8/23/2005 12:50:00 PM 354 C:\patterns.txt
web-nex 8/23/2005 12:50:00 PM 354 C:\patterns.txt
yourkey 8/23/2005 12:50:00 PM 354 C:\patterns.txt
winsync 8/23/2005 12:50:00 PM 354 C:\patterns.txt
rec2_run 8/23/2005 12:50:00 PM 354 C:\patterns.txt
WinShutDown 8/23/2005 12:50:00 PM 354 C:\patterns.txt
ad-w-a-r-e.com 8/23/2005 12:50:00 PM 354 C:\patterns.txt
UPX! 9/22/2005 10:14:00 AM 206336 C:\winpfind.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 9/28/2005 4:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/28/2005 4:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 9/22/2005 8:09:30 PM 444928 C:\WINDOWS\SYSTEM32\Hurricanes.scr
PTech 8/29/2005 12:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor 8/29/2002 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 9/8/2004 1:04:44 AM 172032 C:\WINDOWS\SYSTEM32\UC3D.scr
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/13/2005 10:23:18 AM S 2048 C:\WINDOWS\bootstat.dat
11/12/2005 11:10:36 PM H 54156 C:\WINDOWS\QTFont.qfn
9/23/2005 8:25:28 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/22/2005 6:57:04 PM H 0 C:\WINDOWS\inf\oem11.inf
9/22/2005 6:58:16 PM H 0 C:\WINDOWS\inf\oem12.inf
11/13/2005 10:16:58 AM H 0 C:\WINDOWS\LastGood\INF\oem15.inf
11/13/2005 10:16:58 AM H 0 C:\WINDOWS\LastGood\INF\oem15.PNF
9/26/2005 8:30:10 PM HS 23552 C:\WINDOWS\Resources\Themes\ForeverBlue\Icons\Thumbs.db
9/26/2005 8:30:02 PM HS 11264 C:\WINDOWS\Resources\Themes\ForeverBlue\Screenshots\Thumbs.db
9/26/2005 8:30:14 PM HS 3584 C:\WINDOWS\Resources\Themes\ForeverBlue\User Icon\Thumbs.db
9/26/2005 8:30:16 PM HS 4096 C:\WINDOWS\Resources\Themes\ForeverBlue\Wallpaper\Thumbs.db
11/13/2005 10:23:08 AM H 8192 C:\WINDOWS\system32\config\default.LOG
11/13/2005 10:23:40 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/13/2005 10:23:20 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/13/2005 10:24:28 AM H 86016 C:\WINDOWS\system32\config\software.LOG
11/13/2005 10:23:24 AM H 921600 C:\WINDOWS\system32\config\system.LOG
9/22/2005 10:41:14 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/22/2005 10:41:16 PM H 262144 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
9/22/2005 10:41:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
9/22/2005 6:47:00 PM RH 0 C:\WINDOWS\system32\drivers\Sony_PCG-GRS700(UC)_.mrk
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\233c9428-5eed-4f00-9a46-6ef52f92d7e4
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5543b7ea-5fb3-4aa8-b66e-40a9942bc6be
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6b3ce468-192c-4569-9b98-e9755482b0fd
9/22/2005 6:46:24 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a6c54e3c-75e4-49d8-a2a4-d957f5d00f7f
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b4464acb-a8a6-478c-ad83-29fd265fc57a
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c60277f9-f8bb-4893-8d82-ad1fe810fc5e
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d5655a80-a682-403c-abb8-af37fd6902b3
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e83e2401-e62b-42f5-8321-d4208b1e95d1
9/22/2005 10:43:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f7754b3c-2c64-42f7-bd24-5099737a1f8b
9/22/2005 6:46:24 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/22/2005 6:57:08 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
11/13/2005 10:22:20 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 2:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Sony Corporation 8/6/2002 8:00:00 PM 53248 C:\WINDOWS\SYSTEM32\SNSetup.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/29/2002 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Sony Corporation 12/4/1999 7:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
YAMAHA CORPORATION 9/18/2002 5:54:26 PM 249856 C:\WINDOWS\SYSTEM32\yacxgc.cpl
Microsoft Corporation 8/29/2002 2:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
YAMAHA CORPORATION 9/18/2002 5:54:26 PM 249856 C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\yacxgc.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/5/2002 9:02:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/5/2002 12:51:32 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/9/2005 8:56:00 AM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
12/5/2002 9:02:46 PM HS 84 C:\Documents and Settings\Jose Daniel\Start Menu\Programs\Startup\desktop.ini
11/11/2005 10:49:26 PM 528 C:\Documents and Settings\Jose Daniel\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/24/2005 9:47:06 PM 877 C:\Documents and Settings\Jose Daniel\Application Data\AdobeDLM.log
12/5/2002 12:51:32 PM HS 62 C:\Documents and Settings\Jose Daniel\Application Data\desktop.ini
9/24/2005 9:47:06 PM 0 C:\Documents and Settings\Jose Daniel\Application Data\dm.ini
11/11/2005 7:25:08 PM 2227427 C:\Documents and Settings\Jose Daniel\Application Data\Install.dat

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Maxthon = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = D:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : D:\Program Files\AIM\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HKSERV.EXE C:\Program Files\Sony\HotKey Utility\HKserv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Weather Pulse D:\Program Files\Weather Pulse\weatherpulse.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB
= D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/13/2005 10:31:31 AM



By the way, is this the Panda log? If not, then I have no idea where it downloaded.


[SetupAPI Log]
OS Version = 5.1.2600 Service Pack 1
Platform ID = 2 (NT)
Service Pack = 1.0
Suite = 0x0300
Product Type = 1
Architecture = x86
[2005/11/11 23:03:50 700.3 Driver Install]
#-019 Searching for hardware ID(s): usb\unknown
#-018 Searching for compatible ID(s): usb\unknown
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I393 Modified INF cache "C:\WINDOWS\inf\INFCACHE.1".
#I022 Found "USB\UNKNOWN" in C:\WINDOWS\inf\usb.inf; Device: "Unknown Device"; Driver: "Unknown Device"; Provider: "Microsoft"; Mfg: "(Standard USB Host Controller)"; Section name: "BADDEVICE.Dev".
#I023 Actual install section: [BADDEVICE.Dev.NT]. Rank: 0x00000000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [BADDEVICE.Dev] in "c:\windows\inf\usb.inf".
#I320 Class GUID of device remains: {36FC9E60-C465-11CF-8056-444553540000}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USB\VID_0000&PID_0000\5&253606C4&0&2".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [BADDEVICE.Dev.NT.Interfaces] from "c:\windows\inf\usb.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USB\VID_0000&PID_0000\5&253606C4&0&2".
#I121 Device install of "USB\VID_0000&PID_0000\5&253606C4&0&2" finished successfully.
[2005/11/13 09:09:44 3336.2]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#E361 An unsigned or incorrectly signed file "c:\docume~1\joseda~1\locals~1\temp\icd1.tmp\asinst.inf" will be installed (Policy=Ignore). Error 1168: Element not found.
#-024 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.cfg" to "C:\WINDOWS\System32\asinst.cfg".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.cfg" will be installed (Policy=Ignore). Error 0xe000022f: The third-party INF does not contain digital signature information.
#-336 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\getrootcert.cer" to "C:\WINDOWS\System32\ActiveScan\getrootcert.cer" via temporary file "C:\WINDOWS\System32\ActiveScan\SET7.tmp".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\getrootcert.cer" will be installed (Policy=Ignore). Error 0xe000022f: The third-party INF does not contain digital signature information.
#-336 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\certdll.dll" to "C:\WINDOWS\System32\ActiveScan\certdll.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET8.tmp".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\certdll.dll" will be installed (Policy=Ignore). Error 0xe000022f: The third-party INF does not contain digital signature information.
[2005/11/13 09:09:51 3336.6]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.dll" to "C:\WINDOWS\Downloaded Program Files\asinst.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2005/11/13 09:09:51 3336.7]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.inf" to "C:\WINDOWS\Downloaded Program Files\asinst.inf".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\asinst.inf" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2005/11/13 09:10:25 3336.8]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#E361 An unsigned or incorrectly signed file "c:\docume~1\joseda~1\locals~1\temp\_asb.tmp\assetup.inf" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "as.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SETC.tmp" (target is "C:\WINDOWS\System32\ActiveScan\as.dll").
#-024 Copying file "C:\WINDOWS\System32\ActiveScan\SETC.tmp" to "C:\WINDOWS\System32\ActiveScan\as.dll".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SETC.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "asmdat.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SETE.tmp" (target is "C:\WINDOWS\System32\ActiveScan\asmdat.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SETE.tmp" to "C:\WINDOWS\System32\ActiveScan\asmdat.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SETF.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SETE.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "instlsp.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET10.tmp" (target is "C:\WINDOWS\System32\ActiveScan\instlsp.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET10.tmp" to "C:\WINDOWS\System32\ActiveScan\instlsp.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET11.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET10.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "memvfile.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET12.tmp" (target is "C:\WINDOWS\System32\ActiveScan\memvfile.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET12.tmp" to "C:\WINDOWS\System32\ActiveScan\memvfile.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET13.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET12.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavaleas.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET14.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavaleas.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET14.tmp" to "C:\WINDOWS\System32\ActiveScan\pavaleas.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET15.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET14.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavdr.exe" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET16.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavdr.exe").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET16.tmp" to "C:\WINDOWS\System32\ActiveScan\pavdr.exe" via temporary file "C:\WINDOWS\System32\ActiveScan\SET17.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET16.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavexcom.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET18.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavexcom.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET18.tmp" to "C:\WINDOWS\System32\ActiveScan\pavexcom.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET19.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET18.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavoe.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET1A.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavoe.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET1A.tmp" to "C:\WINDOWS\System32\ActiveScan\pavoe.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET1B.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET1A.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavpz.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET1C.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavpz.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET1C.tmp" to "C:\WINDOWS\System32\ActiveScan\pavpz.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET1D.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET1C.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pfdnnt.exe" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET1E.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pfdnnt.exe").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET1E.tmp" to "C:\WINDOWS\System32\ActiveScan\pfdnnt.exe" via temporary file "C:\WINDOWS\System32\ActiveScan\SET1F.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET1E.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "port32.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET20.tmp" (target is "C:\WINDOWS\System32\ActiveScan\port32.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET20.tmp" to "C:\WINDOWS\System32\ActiveScan\port32.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET21.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET20.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskalloc.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET22.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskalloc.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET22.tmp" to "C:\WINDOWS\System32\ActiveScan\pskalloc.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET23.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET22.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskas.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET24.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskas.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET24.tmp" to "C:\WINDOWS\System32\ActiveScan\pskas.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET25.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET24.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskavs.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET26.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskavs.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET26.tmp" to "C:\WINDOWS\System32\ActiveScan\pskavs.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET27.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET26.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskcmp.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET28.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskcmp.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET28.tmp" to "C:\WINDOWS\System32\ActiveScan\pskcmp.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET29.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET28.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskfss.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET2A.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskfss.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET2A.tmp" to "C:\WINDOWS\System32\ActiveScan\pskfss.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET2B.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET2A.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskhtml.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET2C.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskhtml.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET2C.tmp" to "C:\WINDOWS\System32\ActiveScan\pskhtml.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET2D.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET2C.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskmas.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET2E.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskmas.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET2E.tmp" to "C:\WINDOWS\System32\ActiveScan\pskmas.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET2F.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET2E.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskmdfs.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET30.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskmdfs.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET30.tmp" to "C:\WINDOWS\System32\ActiveScan\pskmdfs.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET31.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET30.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskpack.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET32.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskpack.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET32.tmp" to "C:\WINDOWS\System32\ActiveScan\pskpack.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET33.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET32.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskscs.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET34.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskscs.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET34.tmp" to "C:\WINDOWS\System32\ActiveScan\pskscs.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET35.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET34.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskutil.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET36.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskutil.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET36.tmp" to "C:\WINDOWS\System32\ActiveScan\pskutil.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET37.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET36.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskvfile.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET38.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskvfile.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET38.tmp" to "C:\WINDOWS\System32\ActiveScan\pskvfile.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET39.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET38.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskvfs.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET3A.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskvfs.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET3A.tmp" to "C:\WINDOWS\System32\ActiveScan\pskvfs.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET3B.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET3A.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskvm.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET3C.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskvm.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET3C.tmp" to "C:\WINDOWS\System32\ActiveScan\pskvm.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET3D.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET3C.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "psscan.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET3E.tmp" (target is "C:\WINDOWS\System32\ActiveScan\psscan.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET3E.tmp" to "C:\WINDOWS\System32\ActiveScan\psscan.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET3F.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET3E.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "qrv.krn" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET40.tmp" (target is "C:\WINDOWS\System32\ActiveScan\qrv.krn").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET40.tmp" to "C:\WINDOWS\System32\ActiveScan\qrv.krn" via temporary file "C:\WINDOWS\System32\ActiveScan\SET41.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET40.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "sporder.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET42.tmp" (target is "C:\WINDOWS\System32\ActiveScan\sporder.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET42.tmp" to "C:\WINDOWS\System32\ActiveScan\sporder.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET43.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET42.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "tcpvfile.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET44.tmp" (target is "C:\WINDOWS\System32\ActiveScan\tcpvfile.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET44.tmp" to "C:\WINDOWS\System32\ActiveScan\tcpvfile.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET45.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET44.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "ZPORT4AS.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\SET46.tmp" (target is "C:\WINDOWS\System32\ZPORT4AS.dll").
#-336 Copying file "C:\WINDOWS\System32\SET46.tmp" to "C:\WINDOWS\System32\ZPORT4AS.dll" via temporary file "C:\WINDOWS\System32\SET47.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\SET46.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pskahk.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\ActiveScan\SET48.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pskahk.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET48.tmp" to "C:\WINDOWS\System32\ActiveScan\pskahk.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET49.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET48.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "asuninst.exe" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_ASB.tmp\motor.cab" to "C:\WINDOWS\System32\SET4A.tmp" (target is "C:\WINDOWS\System32\asuninst.exe").
#-336 Copying file "C:\WINDOWS\System32\SET4A.tmp" to "C:\WINDOWS\System32\asuninst.exe" via temporary file "C:\WINDOWS\System32\SET4B.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\SET4A.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
[2005/11/13 09:10:34 3336.12]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#E361 An unsigned or incorrectly signed file "c:\docume~1\joseda~1\locals~1\temp\_as4c.tmp\assetup.inf" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "ascontrol.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_AS4C.tmp\ascontrol.cab" to "C:\WINDOWS\System32\ActiveScan\SET4D.tmp" (target is "C:\WINDOWS\System32\ActiveScan\ascontrol.dll").
#-024 Copying file "C:\WINDOWS\System32\ActiveScan\SET4D.tmp" to "C:\WINDOWS\System32\ActiveScan\ascontrol.dll".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET4D.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
#-340 Extracted file "pavinas.dll" from cabinet "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\_AS4C.tmp\ascontrol.cab" to "C:\WINDOWS\System32\ActiveScan\SET4F.tmp" (target is "C:\WINDOWS\System32\ActiveScan\pavinas.dll").
#-336 Copying file "C:\WINDOWS\System32\ActiveScan\SET4F.tmp" to "C:\WINDOWS\System32\ActiveScan\pavinas.dll" via temporary file "C:\WINDOWS\System32\ActiveScan\SET50.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\System32\ActiveScan\SET4F.tmp" will be installed (Policy=Ignore). Error 1168: Element not found.
[2005/11/13 10:16:56 2980.4]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#E361 An unsigned or incorrectly signed file "c:\docume~1\joseda~1\locals~1\temp\icd1.tmp\swflash.inf" will be installed (Policy=Ignore). Error 1168: Element not found.
#-024 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\Flash8.ocx" to "C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\Flash8.ocx" will be installed (Policy=Ignore). Error 1168: Element not found.
#-336 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\GetFlash.exe" to "C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe" via temporary file "C:\WINDOWS\System32\Macromed\Flash\SET9.tmp".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\GetFlash.exe" will be installed (Policy=Ignore). Error 0xe000022f: The third-party INF does not contain digital signature information.
#-336 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\GetFlash.man" to "C:\WINDOWS\System32\Macromed\Flash\GetFlash.exe.manifest" via temporary file "C:\WINDOWS\System32\Macromed\Flash\SETC.tmp".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\GetFlash.man" will be installed (Policy=Ignore). Error 0xe000022f: The third-party INF does not contain digital signature information.
#E197 Writing "C:\WINDOWS\INF\swflash.inf" to "C:\WINDOWS\INF" is not an approved method of installing INF files. Use a 'CopyINF' entry instead.
#-336 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\swflash.inf" to "C:\WINDOWS\INF\swflash.inf" via temporary file "C:\WINDOWS\INF\SET10.tmp".
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\INF\SET10.tmp" will be installed (Policy=Ignore). Error 0xe0000237: An INF was copied into the Windows INF directory in an improper manner.
[2005/11/13 10:17:01 2980.9]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\swflash.inf" to "C:\WINDOWS\Downloaded Program Files\swflash.inf".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\JOSEDA~1\LOCALS~1\Temp\ICD1.tmp\swflash.inf" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.

Edited by DJS2005, 13 November 2005 - 10:41 AM.


#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:08:49 AM

Posted 13 November 2005 - 10:59 AM

The WinPfind log is looking OK.

No, unfortunately that isn't the Panda log! Can you run it again?

david

#9 DJS2005

DJS2005
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:49 AM

Posted 14 November 2005 - 09:50 PM

David, I have just finished a Panda scan. Here is the log:

Incident Status Location

Adware:adware/activshopper No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Program Files\Internet Explorer\ffrexhko.exe
Adware:Adware/SearchAid No disinfected C:\Program Files\Internet Explorer\gjerqwnj.exe
Adware:Adware/ActivShopper No disinfected C:\Program Files\themexp\Themexp.org File\txpshopper.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfccw32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netra32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlgw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipvl.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msje.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkus.exe

Thanks for your help.
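The Panda report above is a three-column listing (incident, status, location) in which both the status ("No disinfected") and the location ("Program Files", "Themexp.org File") contain spaces, so splitting on whitespace mangles it. The following parser is an added example, not part of the thread or of Panda's tooling; it anchors on the status vocabulary to split the columns, then returns the unique file paths that were reported but not cleaned, skipping registry-only hits. The sample report is constructed from the entries posted above, and the status words other than "No disinfected" are assumed.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the Panda ActiveScan report posted above.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/activshopper No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Program Files\Internet Explorer\ffrexhko.exe
Adware:Adware/ActivShopper No disinfected C:\Program Files\themexp\Themexp.org File\txpshopper.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfccw32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netra32.exe
"""

Incident = namedtuple("Incident", "category name status location")

# The status column is the only fixed vocabulary on a line, so it is the
# delimiter between the incident and a location that may contain spaces.
# Only "No disinfected" appears on the page; the others are assumed values.
STATUSES = ("No disinfected", "Disinfected", "Deleted", "Renamed")
LINE_RE = re.compile(
    r"^(?P<category>[^:\s]+):(?P<name>\S+)\s+"
    r"(?P<status>" + "|".join(re.escape(s) for s in STATUSES) + r")\s+"
    r"(?P<location>.+?)\s*$"
)


def parse_report(text):
    """Return one Incident per report line; header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            incidents.append(Incident(m["category"], m["name"], m["status"], m["location"]))
    return incidents


def undisinfected_files(incidents):
    """Unique on-disk paths Panda could not clean, in report order (case-insensitive dedup)."""
    seen, paths = set(), []
    for inc in incidents:
        if inc.status != "No disinfected":
            continue
        if not re.match(r"^[A-Za-z]:\\", inc.location):  # "Windows Registry" has no path
            continue
        key = inc.location.lower()
        if key not in seen:
            seen.add(key)
            paths.append(inc.location)
    return paths


if __name__ == "__main__":
    for path in undisinfected_files(parse_report(SAMPLE_REPORT)):
        print(path)
```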

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:08:49 AM

Posted 15 November 2005 - 12:06 PM

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you're battling with your computer to keep it running smoothly, but doing the following things should most certainly help get it back to how it was.
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\Internet Explorer\ffrexhko.exe
C:\Program Files\Internet Explorer\gjerqwnj.exe
C:\Program Files\themexp\Themexp.org File\txpshopper.exe
C:\WINDOWS\mfccw32.exe
C:\WINDOWS\mfccw32.exe
C:\WINDOWS\system32\atlgw.exe
C:\WINDOWS\system32\ipvl.exe
C:\WINDOWS\system32\msje.exe
C:\WINDOWS\system32\sdkus.exe


_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log.
David
