
Intermittent Reboots...


11 replies to this topic

#1 bhsx

bhsx

  • Members
  • 8 posts
  • OFFLINE

Posted 12 December 2005 - 11:17 AM

http://www.bleepingcomputer.com/forums/t/37306/rootkit-revealer-output-with-intermittent-restarts/
See this link for description of my ailments.

Basically, a few weeks ago I found a rootkit that was serving ads. When I tracked it down and removed it, something seemed to go wrong because now my box reboots itself about once per day.

In the link above is a more detailed explanation along with Rootkit Revealer logs.
Here's my Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:12:31 AM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ExplorerXP\ExplorerXP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\temp\utils\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!!!AntiHook] "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co....cab?1096402559421
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
__________________________________-

Thanks in advance, any advice is more than welcomed!
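When a helper reads a HijackThis log like the one above, the first pass over the O4 (Run keys) and O23 (services) lines is mechanical: where does each entry actually launch from, does the file still exist, and is the vendor string filled in. The script below is an added example of that first pass. It is not HijackThis's code and not from anyone in this thread; its sample lines are constructed in the shape of the log above (re-joined where the forum wrapped them), and the `(file missing)` and `Unknown owner` strings are simply HijackThis's own phrasing. A flag means "look at this one first", not "malicious".

```python
"""Added triage helper for HijackThis-style O4/O23 lines (not HijackThis's own code).

HijackThis prints one autostart item per line; two shapes matter here:
  O4  - HKLM\\..\\Run: [ValueName] <command line>
  O23 - Service: <display name> - <company> - <command line>
The parser pulls out the executable and the triage step attaches review flags.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines in the shape of the log posted above, re-joined.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
"""


@dataclass
class Entry:
    kind: str    # "O4" or "O23"
    name: str    # Run value name or service display name
    owner: str   # company string (O23 only), "" for O4
    cmd: str     # command line exactly as HijackThis printed it
    path: str    # executable extracted from cmd


O4_RE = re.compile(r'^O4 - [^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
PATH_START = re.compile(r'^(?:"|[A-Za-z]:\\|%)')   # quoted, drive-letter, or %VAR% path
EXE_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|dll|sys|cpl|bat|cmd))(?:"|\s|$)', re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program part of a command line, tolerating unquoted paths with spaces."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group('p')
    parts = cmd.strip('"').split()
    return parts[0] if parts else ''


def parse(log: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            entries.append(Entry('O4', m.group('name'), '', cmd, executable_of(cmd)))
        elif line.startswith('O23 - Service: '):
            pieces = line[len('O23 - Service: '):].split(' - ')
            # The company string may itself contain " - ", so the path starts at the first
            # piece (after the name and at least one owner piece) that looks like a path.
            start = next((i for i in range(2, len(pieces)) if PATH_START.match(pieces[i])),
                         len(pieces) - 1)
            owner = ' - '.join(pieces[1:start])
            cmd = ' - '.join(pieces[start:])
            entries.append(Entry('O23', pieces[0], owner, cmd, executable_of(cmd)))
    return entries


def flags_for(e: Entry) -> List[str]:
    """Review prompts for one entry; an empty list means nothing stood out."""
    flags = []
    if '(file missing)' in e.cmd:
        flags.append('file-missing')     # stale entry, or the file was removed: confirm which
    if '\\temp\\' in e.path.lower():
        flags.append('runs-from-temp')   # persistence from a scratch folder gets a second look
    if e.kind == 'O4' and not PATH_START.match(e.path):
        flags.append('no-directory')     # bare filename: resolved by PATH search at logon
    if e.owner.lower() == 'unknown owner':
        flags.append('unknown-owner')    # no vendor string: check the file's version info
    return flags


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map entry name -> flags, keeping only entries that have at least one flag."""
    return {e.name: flags_for(e) for e in entries if flags_for(e)}


if __name__ == '__main__':
    for name, flags in triage(parse(SAMPLE_LOG)).items():
        print(f'{name:60s} {", ".join(flags)}')
```

Run as-is it prints four of the seven sample entries; the service in the user's Temp folder and the two "Unknown owner" entries are exactly the lines a helper would ask about first, which is the point of the flags rather than any verdict about them.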

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 14 December 2005 - 05:03 PM

Hi bhsx and Welcome to the Bleeping Computer!

You obviously know your way around a computer by the looks of the software installed.

Let's have a deeper look in there and see what's up?


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make Sure "Normal Startup-load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart Normal and Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Post back with a fresh HijackThis log and the results of WinPFind and Blacklight.
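The WinPFind step above works by walking the Windows folders and printing a packer label (UPX!, aspack, PECompact2, FSG!, PEC2 and so on) beside any file that carries that packer's fingerprint, which is why its output is useful for spotting something that was dropped into %WinDir% and hidden behind a packer. The script below is an added example of that heuristic, written here for the thread and not WinPFind's own code: it searches file contents for the marker strings WinPFind labels them with (the byte patterns are assumed, not taken from WinPFind), and additionally reads the PE section table, since packers also rename sections (UPX0/UPX1, .aspack/.adata). The test input is a constructed PE skeleton, not a real program. A hit means "packed", not "bad": legitimate AV drivers and Microsoft's own tools ship packed, so every hit still needs a vendor check.

```python
"""Added example of the packer-signature heuristic WinPFind applies (not WinPFind's code)."""
import struct
from typing import Dict, List

# Labels as WinPFind prints them; the byte patterns are assumed to occur in files
# produced by each packer (string-search heuristic, same idea as the tool's output).
STRING_MARKERS: Dict[str, bytes] = {
    'UPX!': b'UPX!',
    'PECompact2': b'PECompact2',
    'PEC2': b'PEC2',
    'aspack': b'aspack',
    'FSG!': b'FSG!',
}
# Section names packers leave behind, mapped to the same labels.
SECTION_MARKERS: Dict[str, str] = {
    'UPX0': 'UPX!', 'UPX1': 'UPX!', 'UPX2': 'UPX!',
    '.aspack': 'aspack', '.adata': 'aspack',
}


def pe_section_names(data: bytes) -> List[str]:
    """Read section names from a PE image; [] if the buffer is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return []
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return []
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]        # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # section table start
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                           # 40-byte section header
        if off + 40 > len(data):
            break                      # truncated table: report what was readable
        names.append(data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace'))
    return names


def packer_hits(data: bytes) -> List[str]:
    """WinPFind-style labels for every packer marker found in the buffer."""
    hits = {label for label, pat in STRING_MARKERS.items() if pat in data}
    hits |= {SECTION_MARKERS[n] for n in pe_section_names(data) if n in SECTION_MARKERS}
    return sorted(hits)


def build_fake_pe(section_names: List[str], tail: bytes = b'') -> bytes:
    """Constructed test input: a minimal, non-executable PE skeleton with the given sections."""
    dos = b'MZ' + b'\0' * (0x3c - 2) + struct.pack('<I', 0x40)        # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14c, len(section_names), 0, 0, 0, 0, 0x102)
    table = b''.join(n.encode('ascii').ljust(8, b'\0')[:8] + b'\0' * 32 for n in section_names)
    return dos + b'PE\0\0' + coff + table + tail


def scan(files: Dict[str, bytes]) -> List[str]:
    """Report lines in WinPFind's shape, '<label> <size> <path>', one per packed file and label."""
    report = []
    for path, data in files.items():
        for label in packer_hits(data):
            report.append(f'{label} {len(data)} {path}')
    return report


if __name__ == '__main__':
    sample = {                                   # constructed buffers, not real files
        r'C:\WINDOWS\packed.dll': build_fake_pe(['UPX0', 'UPX1', '.rsrc'],
                                                b'\0' * 16 + b'UPX!' + b'\0' * 8),
        r'C:\WINDOWS\plain.dll': build_fake_pe(['.text', '.data', '.rsrc']),
    }
    print('\n'.join(scan(sample)))
```

Pointing `scan()` at real files is a matter of reading each one with `open(path, 'rb')` and passing the bytes; the section-table check is the more robust of the two because a packer can strip its name string but still has to leave a section table the loader accepts.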

#3 bhsx

bhsx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE

Posted 15 December 2005 - 09:38 PM

Thank you so much for lending a hand. Here's the winPFind log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 12/7/2005 2:39:02 PM 97280 C:\RootkitRevealer.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
PECompact2 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
qoologic 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
SAHAgent 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
qoologic 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
SAHAgent 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 11/22/2002 9:21:28 AM 123904 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 3/31/2003 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 11/1/2005 11:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/1/2005 11:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/15/2005 4:06:46 PM S 2048 C:\WINDOWS\bootstat.dat
10/25/2005 5:50:42 PM H 24 C:\WINDOWS\puYwY
12/14/2005 12:02:22 PM H 54156 C:\WINDOWS\QTFont.qfn
12/15/2005 4:06:38 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/15/2005 4:07:02 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/15/2005 4:06:48 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/15/2005 4:07:26 PM H 118784 C:\WINDOWS\system32\config\software.LOG
12/15/2005 4:06:52 PM H 1245184 C:\WINDOWS\system32\config\system.LOG
11/10/2005 11:37:28 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/15/2005 4:05:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
5/25/2004 5:06:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 5/4/2004 9:05:08 PM 309760 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2003 6:10:24 AM 122880 C:\WINDOWS\SYSTEM32\directx.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Ahead Software AG 10/9/2002 5:36:12 AM 57344 C:\WINDOWS\SYSTEM32\NeroBurnRights.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Symantec Corporation 8/18/1999 4:22:20 PM 143360 C:\WINDOWS\SYSTEM32\s32lucp1.cpl
3/25/2003 6:49:02 AM 98304 C:\WINDOWS\SYSTEM32\startup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 3/25/2003 6:49:02 AM 106544 C:\WINDOWS\SYSTEM32\tweakui.cpl
2/17/2004 11:11:00 AM 53248 C:\WINDOWS\SYSTEM32\vp6dec_settings.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive5/18/2005 12:22:20 PM 3010560 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/15/2005 9:58:44 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
2/4/2004 7:57:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
10/5/2004 5:39:14 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/4/2004 11:50:14 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/6/2005 1:44:08 AM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
2/4/2004 7:57:04 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/4/2004 11:50:14 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TzShell
{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TzShell
{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{306BBB66-D9E4-4481-833E-C1D5FCA06774}
ButtonText = Desktop Search :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}
ButtonText = Privacy Cleaner : C:\Program Files\Foxie Suite\Cleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{61039B22-563D-4922-B844-B076C318A66A}
ButtonText = Swift Sweeper : C:\Program Files\Foxie Suite\Sweeper.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E4143585-2688-4EBC-B264-27C774F600D5}
ButtonText = The Infinity Button :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
High Definition Audio Property Page Shortcut HDAudPropShortcut.exe
SoundMan SOUNDMAN.EXE
SunKistEM C:\Program Files\Digital Media Reader\shwiconem.exe

AlcWzrd ALCWZRD.EXE
CHotkey zHotkey.exe
ShowWnd ShowWnd.exe
Tweak UI
WinVNC "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
CoolSwitch C:\WINDOWS\system32\taskswitch.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033
!1_pgaccount "C:\Program Files\ProcessGuard\pgaccount.exe"
!!!AntiHook "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\WINDOWS\system32\qttask.exe" -atboottime
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/15/2005 4:17:05 PM


Here's the BlackLight Log (Showed 0 hidden on scan):

12/15/05 20:29:29 [Info]: BlackLight Engine 1.0.24 initialized
12/15/05 20:29:29 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/15/05 20:29:29 [Note]: 4019 4
12/15/05 20:29:29 [Note]: 4005 0
12/15/05 20:29:31 [Note]: 4006 0
12/15/05 20:29:31 [Note]: 4011 1308
12/15/05 20:29:31 [Note]: FSRAW library version 1.7.1013

And finally the newer Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:29 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ExplorerXP\ExplorerXP.exe
C:\temp\utils\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!!!AntiHook] "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096402559421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)


I hope this helps you help me! :thumbsup:
BTW, one thing that looks like a probable culprit is Windows/puYwY.
Never seen that before, and Google shows some disturbing hits.
Thanks again!
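
The log above contains the three line shapes a helper looks at first: an O23 service whose binary lives under the user's Temp folder (MKQB.exe), O4 autoruns given as a bare file name with no directory (SOUNDMAN.EXE, ShowWnd.exe, which Windows resolves through the PATH at logon), and "(file missing)" verdicts, two of which (rpcapd, winvnc) carry a stray `"` in the path column because HijackThis split a quoted ImagePath at its first space; winvnc.exe is in the running-process list of the same log, so that verdict is a parsing artifact rather than an absent file. The following is an added example, not code from the post or from HijackThis, that re-reads a subset of those lines with those three checks. The rule names, the `triage()` function and the sample subsets are this example's own.

```python
"""Triage a few HijackThis 1.99.x log lines for the patterns a helper checks first.

Added example, not code from the forum post or from HijackThis. The sample lines
are copied from the log in the post above; the rules (service binary under a
user's Temp folder, autorun given as a bare file name, and "(file missing)"
verdicts split into genuinely absent files and quote-parsing artifacts) are this
example's own, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log in the post above (a subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
"""

# Sample entries from the same log's "Running processes" list (a subset).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\Ati2evxx.exe",
    r"C:\Program Files\UltraVNC\winvnc.exe",
    r"C:\temp\utils\hijackthis\HijackThis.exe",
]

FILE_MISSING = "(file missing)"
USER_TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|bat|cmd|com|htm))\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id, e.g. "O23"
    name: str     # entry label as HijackThis prints it
    path: str     # executable path parsed from the entry
    reason: str   # one of the tags assigned in triage()


def executable_of(field: str) -> str:
    """Return the executable part of a command field: the quoted token if the
    field starts with a quote, else the text up to the first known extension."""
    field = field.strip()
    if field.startswith('"'):
        end = field.find('"', 1)
        return field[1:end] if end > 0 else field[1:]
    m = EXE_RE.match(field)
    return m.group(1) if m else field.split(" ", 1)[0]


def split_entry(line: str):
    """Return (section, name, command_field) for an O4/O9/O23 line, else None."""
    section, _, rest = line.partition(" - ")
    if section == "O4":
        m = re.match(r"[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", rest)
        return (section, m.group("name"), m.group("cmd")) if m else None
    if section in ("O9", "O23") and ": " in rest:
        head, _, cmd = rest.rpartition(" - ")  # the path is always the last field
        name = head.split(": ", 1)[1].split(" - ")[0]
        return (section, name, cmd)
    return None


def triage(log_text: str, running_processes) -> list:
    """Apply the three rules to every O4/O9/O23 line and return the findings."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in running_processes}
    findings = []
    for raw in log_text.splitlines():
        parsed = split_entry(raw.strip())
        if parsed is None:
            continue
        section, name, field = parsed
        missing = field.endswith(FILE_MISSING)
        if missing:
            field = field[: -len(FILE_MISSING)].rstrip()
        exe = executable_of(field)
        base = exe.rsplit("\\", 1)[-1].lower()
        if USER_TEMP_RE.search(exe):
            findings.append(Finding(section, name, exe, "binary-in-user-temp"))
        if section == "O4" and "\\" not in exe and not exe.startswith("%"):
            # No directory given: Windows resolves it through the PATH at logon,
            # so verify which copy actually runs before trusting the entry.
            findings.append(Finding(section, name, exe, "bare-filename-autorun"))
        if missing:
            # An odd number of quotes left in the field means HijackThis cut a
            # quoted ImagePath at its first space; if that binary also appears in
            # the running-process list the verdict is an artifact, not a missing file.
            if field.count('"') % 2 == 1 and base in running:
                findings.append(Finding(section, name, exe, "file-missing-parse-artifact"))
            else:
                findings.append(Finding(section, name, exe, "file-missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PROCESSES):
        print(f"{f.section:<4} {f.reason:<28} [{f.name}] {f.path}")
```

Run against the sample, the ATIPTA and WinVNC autoruns come back clean (full or quoted paths), the two bare-name autoruns and the Temp-folder service are flagged, and of the two "(file missing)" entries only bdoscandel.exe stays a genuine missing file.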

#4 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 16 December 2005 - 05:45 AM

Yes Sir, that file is crap and can cause much grief, since it's usually associated with the Apropos infection.

Let's check for that infection first and then delete that file.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


While you are in Safe Mode, after running the Apropos Fix, locate and delete --> C:\WINDOWS\puYwY


Restart in normal mode and please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan" select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the log from the Apropos fix.


#5 bhsx

  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:17 AM

Posted 16 December 2005 - 02:35 PM

OK, wow, that Kaspersky scan took over two hours, but it certainly found things nothing else did.
Here's the Kaspersky log:

-----------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, December 16, 2005 13:10:19
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/12/2005
Kaspersky Anti-Virus database records: 165554
-----------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 223077
Number of viruses found: 25
Number of infected objects: 73
Number of suspicious objects: 2
Duration of the scan process: 9655 sec

Infected Object Name - Virus Name
C:\Documents and Settings\denise\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2aeba889.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\denise\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2aeba889.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\8ZF7YO5P\codepro[1].htm Infected: Exploit.HTML.Mht
C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\FRDHPP1M\index[5].htm Infected: Trojan-Clicker.HTML.IFrame.b
C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\O9YJY5E9\tgp[1].htm Infected: Trojan-Clicker.HTML.IFrame.b
C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\opr00WKO.js Infected: Trojan-Downloader.JS.IstBar.ai
C:\pebuilder313\cygwin32recover\dialupass2\dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\pebuilder313\plugin\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\pebuilder313\plugin\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\pebuilder313\plugin\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\pebuilder313\win32recovery\i386\system32\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\pebuilder313\win32recovery\Programs\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\pebuilder313\win32recovery\Programs\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\Program Files\Microsoft AntiSpyware\Quarantine\F8EE0A4C-0493-4320-8E5F-4D7FB6\C25DED4B-F057-48FD-A86C-DC5AF6 Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\Program Files\TESTOLDMEANIE\ace.dll Infected: Trojan.Win32.Crypt.t
C:\Program Files\TESTOLDMEANIE\Cache\000072ae_435c60d5_000bebc2 Infected: Exploit.HTML.CodeBaseExec
C:\Program Files\TESTOLDMEANIE\mchshisn.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\TESTOLDMEANIE\OLDddrssapi.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\TESTOLDMEANIE\wavbclnt.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\TESTOLDMEANIE\WinGenerics.dll Infected: Trojan.Win32.Crypt.t
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2606457.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2608115.exe Infected: not-a-virus:PSWTool.Win32.Messen.103
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2609145.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2610801.exe Infected: not-a-virus:PSWTool.Win32.Messen.103
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2614920.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP393\A2614921.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP407\A2626945.exe Infected: not-a-virus:PSWTool.Win32.Messen.103
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP407\A2626946.exe Infected: not-a-virus:PSWTool.Win32.Messen.103
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP409\A2631150.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP430\A2646919.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP430\A2655114.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP430\A2655115.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP437\A2672041.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP437\A2680194.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP437\A2680195.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP459\A2703776.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP459\A2712274.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP459\A2712275.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP464\A2723078.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP464\A2723079.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{FCCC5C14-46B9-4F46-AA1A-A772432EBE24}\RP464\A2723080.exe Infected: Trojan.Win32.Crypt.t
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/BIN/CRYPTCAT.EXE;1 Infected: not-a-virus:RemoteAdmin.Win32.NetCat
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/BIN/OMNITHREAD_RT.DLL;1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/BIN/PWDUMP2.EXE;1 Infected: not-a-virus:PSWTool.Win32.PWDump2
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/BIN/PWDUMP3E.EXE;1 Infected: not-a-virus:PSWTool.Win32.PWDump3
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/FOUNDSTONE/ATTACKER.EXE;1 Infected: DoS.Win32.Ataker.a
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/FOUNDSTONE/BOPING.EXE;1 Infected: not-a-virus:NetTool.Win32.BOPing.20
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/FOUNDSTONE/DDOSPING.EXE;1 Infected: not-a-virus:NetTool.Win32.DDoSPing.200
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/NIRSOFT/MAILPV/MAILPV.EXE;1 Infected: not-a-virus:PSWTool.Win32.MailPassView
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/NIRSOFT/MSPASS/MSPASS.EXE;1 Infected: not-a-virus:PSWTool.Win32.Messen.103
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/NIRSOFT/NETPASS/NETPASS.EXE;1 Infected: not-a-virus:PSWTool.Win32.NetPass.a
C:\temp\Helix_V1.6-07-28-2005.iso.part/IR/NIRSOFT/PSPV/PSPV.EXE;1 Infected: not-a-virus:PSWTool.Win32.PassView.162
C:\temp\Helix_V1.6-07-28-2005.iso.part Infected: not-a-virus:PSWTool.Win32.PassView.162
C:\temp\mp3_(pixies)_download-1.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\temp\mp3_(pixies)_download-1.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\temp\mp3_(pixies)_download.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\temp\mp3_(pixies)_download.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\temp\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h
C:\temp\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\temp\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b
C:\temp\UBCD4WinV255.exe/plugin/keyfinderpe/keyfinder.exe/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\temp\UBCD4WinV255.exe/plugin/keyfinderpe/keyfinder.exe/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\temp\UBCD4WinV255.exe/plugin/keyfinderpe/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
C:\temp\UBCD4WinV255.exe/plugin/VNCServer/vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\temp\UBCD4WinV255.exe/plugin/VNCServer/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\temp\UBCD4WinV255.exe/plugin/VNCServer/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\temp\UBCD4WinV255.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4
C:\temp\utils\dialupass2\dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.f
C:\temp\WinPFind\WinPFind\aproposFIX\aproposfix\backups\backups.zip/backups/lffmintf.exe Infected: Trojan.Win32.Crypt.t
C:\temp\WinPFind\WinPFind\aproposFIX\aproposfix\backups\backups.zip/backups/ndpslip.sys Suspicious: Rootkit.Win32.Agent.ao
C:\temp\WinPFind\WinPFind\aproposFIX\aproposfix\backups\backups.zip/backups/scluni11.dll Infected: Trojan.Win32.Crypt.t
C:\temp\WinPFind\WinPFind\aproposFIX\aproposfix\backups\backups.zip Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\OLDddrssapi.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.

____________________________________________________________

Here's the Apropos log:

Log of AproposFix v1

************

Running from directory:
C:\temp\WinPFind\WinPFind\aproposFIX\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CuXP3AE6Ke25]
@="y6JxyN4STTSTTUT7crbycYNSTTSiVT.otju.yTKQKL6EZYT5JAN6JKTF5HKDAHUKQK"
"Device"="\\\\.\\f6L5S62v"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ndpslip.sys"
"DriverName"="SerRSvc"
"HideUninstallerName"="C:\\Program Files\\Weslorer\\wavbclnt.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\lffmintf.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{84477CBE-DC17-43DF-B242-D32A8978AE05}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\scluni11.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xfa81817-5e2b-1a2f-d695-da20fe0eedaf}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Weslorer\\mchshisn.exe"

************

Removing hidden service:
Service SerRSvc removed.

Removing hidden folder:
Deletion of folder Weslorer succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\ndpslip.sys succeeded!
Deletion of file C:\WINDOWS\system32\ddrssapi.exe succeeded!
Deletion of file C:\WINDOWS\system32\scluni11.dll succeeded!
Deletion of file C:\WINDOWS\system32\lffmintf.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CuXP3AE6Ke25]
[-HKEY_LOCAL_MACHINE\Software\CuXP3AE6Ke25]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{84477CBE-DC17-43DF-B242-D32A8978AE05}]

Done!

Finished!
______________________________________________________________________

And last, but not least, here's the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:33 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\ExplorerXP\ExplorerXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Crypt Edit\CryptEdit.exe
C:\temp\utils\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!!!AntiHook] "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Program Files\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Program Files\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Program Files\Foxie Suite\Sweeper.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Program Files\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096402559421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)



I deleted PuYwY, and removed the Google Desktop Search entries from HKLM, as I had uninstalled that a while ago (bad Google uninstall... Bad!). Other than that, I haven't messed with it.
Thanks again, and I hope this is useful.
BTW, is there a guide for what to look for? I obviously caught the PuYwY, but is there a howto on reading these logs?

Also, the TESTOLDMEANIE directory is where I'm storing the original rootkit that I explain in the uppermost link on /., so that can be ignored. I moved it for further testing/diagnostics. The "temp/Helix" references are a partial ISO of a Knoppix-based intrusion detection live CD, so those can be ignored as well (especially considering it's iso.part [I've just deleted it, going to grab the entire ISO]).

The infected files inside WinPFind are not at all heart-warming. ;P

It looks like Apropos found my original rootkit reg entries! Yeah, now I can get that cleaned-up!

Anything else I'm missing that stands out to you? Also, could you comment on the "infected files" found in WinPFind?

Oh, one more thing... I did delete the mp3_download(pixies).exe files. GF must've been using some p2p to grab music, which may be how this whole thing started to begin with.

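An added example for the "how do I read these logs" question, not part of the original thread and not a feature of HijackThis itself: a small parser for the O23 (service) lines of a HijackThis 1.99.1 log, with the checks a log reader applies by eye. It assumes the layout visible in the log above, `O23 - Service: <display name> (<short name>) - <company> - <image path> [(file missing)]`, where the short name in parentheses is optional and the company field may itself contain " - ". The flag rules (temp-directory image, stray quote in the path, unexpanded `%VAR%`, "Unknown owner") are mine, and the sample lines are copied from the log posted above, so the script runs offline.

```python
import re

# HijackThis 1.99.1 O23 lines copied from the log posted above. The other
# services are omitted here; the functions below work on the full log the same way.
SAMPLE_O23 = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MKQB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\MKQB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
""".strip().splitlines()

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
# The short service name is the last parenthesised group of the display name.
SHORT_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)\s*$")
MISSING = "(file missing)"


def parse_o23(line):
    """Split one O23 line into display name, short name, company and image path."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(" - ")
    if len(parts) < 3:                      # need at least name, company, path
        return None
    name, path = parts[0], parts[-1]
    company = " - ".join(parts[1:-1])       # the company field may itself contain " - "
    sm = SHORT_RE.match(name)
    display, short = (sm.group("display"), sm.group("short")) if sm else (name, None)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return {"display": display, "short": short, "company": company,
            "path": path, "missing": missing}


def triage(svc):
    """Heuristic flags a log reader would raise for one parsed service (my rules, not HijackThis's)."""
    flags = []
    low = svc["path"].lower()
    if "\\temp\\" in low or "\\tmp\\" in low:
        flags.append("image runs from a temp directory")
    if '"' in svc["path"]:
        # A quote left inside the path means the registry ImagePath was of the
        # form "x.exe" -args and HijackThis tested a filename that never existed,
        # so its "(file missing)" verdict is unreliable. Confirm with: sc qc <short>
        flags.append("stray quote in path: ImagePath is probably quoted with arguments, verify with sc qc")
    elif svc["missing"]:
        flags.append("image not on disk: orphaned service entry")
    if "%" in svc["path"]:
        flags.append("unexpanded environment variable in ImagePath")
    if svc["company"] == "Unknown owner":
        flags.append("no publisher in the file's version info")
    return flags


def triage_log(lines):
    """Return {service key: [flags]} for every O23 line that raised at least one flag."""
    out = {}
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        flags = triage(svc)
        if flags:
            out[svc["short"] or svc["display"]] = flags
    return out


if __name__ == "__main__":
    for key, flags in triage_log(SAMPLE_O23).items():
        print(key)
        for f in flags:
            print("   -", f)
```

Run against the five sample lines it flags MKQB (image in Temp), rpcapd and winvnc (quote left in the path, so the "(file missing)" verdict needs checking with `sc qc`), and the "Unknown owner" entries, and stays silent on the VMware service. A service named with four random letters, running from a Temp directory but carrying a Sysinternals company string, is what RootkitRevealer itself produces when it copies itself under a random name to run its scan; the flag is still worth raising, because a service image in Temp is exactly what malware does too, and the answer comes from the file's signer and hash, not from its name.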
#6 Guest_Cretemonster_*

Posted 16 December 2005 - 07:18 PM

OK, knowing that you know what you know!

WinPFind is API-based and hence, anything hidden from the API may not be revealed.

As you know, RootkitRevealer and F-Secure BlackLight target such items and will almost always show the Apropos infection.

So in short, basically deciphering the WinPFind log by looks alone is what I depend on; some things just don't fit.

If you will, go to Safe Mode and scan with WinPFind once more.

Restart normally and, if you feel jiggy, scan with RootkitRevealer and post both logs in the next reply.

I'm sorry to say this, but LOL@GF, been there, done that one!

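An added example illustrating the point above, not part of the original thread and not code from Sysinternals: RootkitRevealer works by comparing what the Windows API enumerates against a raw read of the registry hives and the file system, and reports every difference, but its log says nothing about which differences matter. The script below parses lines in the format RootkitRevealer 1.6 writes (`<path> <date> <time> <size> <unit> <description>`, as seen in the log bhsx posts in reply #7, from which the sample lines are copied) and sorts them into buckets: registry keys hidden under a `Services\<driver>` subtree, files hidden from the API inside directories that are rewritten constantly (a file created between the API pass and the raw pass looks "hidden"), files visible to the API but not yet in the MFT, and everything else. The churn-directory list and the category names are my assumptions; extend them for the system at hand.

```python
import re

# RootkitRevealer 1.6 discrepancy lines copied from the log bhsx posts in
# reply #7: two registry keys, three Firefox cache files and one Windows
# Update temp file. The script reads the same format from a saved full log.
SAMPLE_RKR = r"""
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 12/9/2005 1:17 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 6/16/2005 8:39 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\0394A526d01 12/16/2005 9:11 PM 16.79 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\04BCA1A6d01 12/16/2005 9:05 PM 54.85 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\04BEA1A6d01 12/16/2005 9:06 PM 218.17 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 12/16/2005 8:44 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
""".strip().splitlines()

# <path> <m/d/yyyy> <h:mm AM|PM> <size> <bytes|KB|MB> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d.]+)\s+(?P<unit>bytes|KB|MB)\s+(?P<desc>.+)$"
)

# Directories that are rewritten constantly (my list, extend as needed): a file
# created there between the API pass and the raw pass shows up as "hidden".
CHURN_DIRS = ("\\firefox\\profiles\\", "\\temporary internet files\\", "\\softwaredistribution\\")

REG_DRIVER = "registry: driver config hidden from Win32 (identify the driver)"
REG_OTHER = "registry: hidden key outside Services (inspect)"
FILE_TRANSIENT = "file: visible via API but absent from the MFT (being written during the scan)"
FILE_CHURN = "file: hidden from API inside a high-churn directory (probable scan-time churn, rescan)"
FILE_HIDDEN = "file: hidden from API (inspect offline or from a clean boot)"


def parse_rkr(line):
    """Parse one RootkitRevealer line; None if it is not a discrepancy line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["kind"] = "registry" if e["path"].upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")) else "file"
    e["hidden_from_api"] = e["desc"].startswith("Hidden from Windows API")
    return e


def classify(e):
    p = e["path"].lower()
    if e["kind"] == "registry":
        return REG_DRIVER if e["hidden_from_api"] and "\\services\\" in p else REG_OTHER
    if not e["hidden_from_api"]:
        return FILE_TRANSIENT
    if any(d in p for d in CHURN_DIRS):
        return FILE_CHURN
    return FILE_HIDDEN


def triage(lines):
    """Group every parseable discrepancy line by category: {category: [paths]}."""
    buckets = {}
    for line in lines:
        e = parse_rkr(line)
        if e:
            buckets.setdefault(classify(e), []).append(e["path"])
    return buckets


def hidden_driver_names(lines):
    """Names of Services\\<name> subtrees that have keys hidden from the API."""
    names = set()
    for line in lines:
        e = parse_rkr(line)
        if e and e["kind"] == "registry" and e["hidden_from_api"]:
            m = re.search(r"\\Services\\([^\\]+)\\", e["path"], re.IGNORECASE)
            if m:
                names.add(m.group(1))
    return names


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_RKR).items():
        print(f"{category}: {len(paths)}")
    print("drivers with hidden config:", sorted(hidden_driver_names(SAMPLE_RKR)))
```

On the sample lines the three Firefox cache entries and the Windows Update `tmp.edb` land in the churn and transient buckets (their timestamps fall inside the scan window, which is the usual tell), leaving `d347prt` as the only name worth a closer look. That is the driver name DAEMON Tools uses for its virtual SCSI port, and daemon.exe is in the process list above, so these hidden Cfg keys are plausibly that program's own rather than a leftover of the Apropos driver; the script only surfaces the name, and the confirmation (signer and hash of the driver file, and a rescan from a clean boot to see whether the cache entries disappear) is still the analyst's job.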
#7 bhsx (Topic Starter)

Posted 16 December 2005 - 10:37 PM

Here's the log from Rootkit Revealer 1.6:
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 12/9/2005 1:17 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 6/16/2005 8:39 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\0394A526d01 12/16/2005 9:11 PM 16.79 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\04BCA1A6d01 12/16/2005 9:05 PM 54.85 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\04BEA1A6d01 12/16/2005 9:06 PM 218.17 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\04BFA1A6d01 12/16/2005 9:05 PM 125.50 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\190ADD18d01 12/16/2005 9:02 PM 25.95 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\193E1A98d01 12/16/2005 9:06 PM 62.59 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\1FFCDD18d01 12/16/2005 9:02 PM 26.11 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\226EC3B3d01 12/16/2005 9:12 PM 27.18 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\27688CEBd01 12/16/2005 9:12 PM 4.99 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\3AC85C20d01 12/16/2005 8:55 PM 48.37 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\3E6AF3CEd01 12/16/2005 9:06 PM 61.85 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\4413B05Fd01 12/16/2005 8:49 PM 50.34 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\59FC0CFDd01 12/16/2005 8:56 PM 21.57 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\5ED64279d01 12/16/2005 8:56 PM 20.73 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\608B0202d01 12/16/2005 9:12 PM 54.80 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\61594717d01 12/16/2005 9:06 PM 20.31 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\62B55672d01 12/16/2005 9:12 PM 36.91 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\6495373Bd01 12/16/2005 9:12 PM 44.21 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\66719CCDd01 12/16/2005 9:12 PM 32.80 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\6784EEB5d01 12/16/2005 9:06 PM 25.08 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\678BEEB5d01 12/16/2005 9:06 PM 19.76 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\678FEEB5d01 12/16/2005 9:06 PM 32.77 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\6CE21F44d01 12/16/2005 9:12 PM 46.03 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\7380479Cd01 12/16/2005 8:49 PM 26.36 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\92AA4597d01 12/16/2005 8:49 PM 20.18 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\9513BF5Dd01 12/16/2005 9:05 PM 35.10 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\A3225E61d01 12/16/2005 9:06 PM 18.56 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\D70CD571d01 12/16/2005 9:02 PM 16.08 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\D87C442Ed01 12/16/2005 9:06 PM 55.32 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\EA6C397Bd01 12/16/2005 9:06 PM 162.59 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\F3243830d01 12/16/2005 9:11 PM 16.55 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\F4109112d01 12/16/2005 9:12 PM 34.30 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\F824AF01d01 12/16/2005 8:49 PM 28.48 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\FC89BAB2d01 12/16/2005 9:06 PM 26.34 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\zus1lduu.default\Cache\FE82B9D7d01 12/16/2005 9:12 PM 44.74 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 12/16/2005 8:44 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

______________________________________________________________________

Here's the new WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 12/7/2005 2:39:02 PM 97280 C:\RootkitRevealer.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
PECompact2 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
qoologic 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
SAHAgent 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\lpt$vpn.929
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
qoologic 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
SAHAgent 11/3/2005 12:15:30 PM 16315789 C:\WINDOWS\VPTNFILE.929
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 11/22/2002 9:21:28 AM 123904 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 3/31/2003 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 11/1/2005 11:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/1/2005 11:34:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 12/7/2005 8:08:36 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/16/2005 8:22:56 PM S 2048 C:\WINDOWS\bootstat.dat
12/16/2005 2:45:04 PM H 54156 C:\WINDOWS\QTFont.qfn
12/16/2005 10:21:32 AM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
12/16/2005 10:21:32 AM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
12/16/2005 8:22:48 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/16/2005 8:23:12 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/16/2005 8:22:58 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/16/2005 8:23:28 PM H 122880 C:\WINDOWS\system32\config\software.LOG
12/16/2005 8:23:02 PM H 1232896 C:\WINDOWS\system32\config\system.LOG
11/10/2005 11:37:28 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/16/2005 8:22:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
5/25/2004 5:06:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 5/4/2004 9:05:08 PM 309760 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2003 6:10:24 AM 122880 C:\WINDOWS\SYSTEM32\directx.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Ahead Software AG 10/9/2002 5:36:12 AM 57344 C:\WINDOWS\SYSTEM32\NeroBurnRights.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Symantec Corporation 8/18/1999 4:22:20 PM 143360 C:\WINDOWS\SYSTEM32\s32lucp1.cpl
3/25/2003 6:49:02 AM 98304 C:\WINDOWS\SYSTEM32\startup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 3/25/2003 6:49:02 AM 106544 C:\WINDOWS\SYSTEM32\tweakui.cpl
2/17/2004 11:11:00 AM 53248 C:\WINDOWS\SYSTEM32\vp6dec_settings.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive 5/18/2005 12:22:20 PM 3010560 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/15/2005 9:58:44 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
2/4/2004 7:57:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
10/5/2004 5:39:14 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/4/2004 11:50:14 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/6/2005 1:44:08 AM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
2/4/2004 7:57:04 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/4/2004 11:50:14 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TzShell
{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TzShell
{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{306BBB66-D9E4-4481-833E-C1D5FCA06774}
ButtonText = Desktop Search :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}
ButtonText = Privacy Cleaner : C:\Program Files\Foxie Suite\Cleaner.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{61039B22-563D-4922-B844-B076C318A66A}
ButtonText = Swift Sweeper : C:\Program Files\Foxie Suite\Sweeper.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E4143585-2688-4EBC-B264-27C774F600D5}
ButtonText = The Infinity Button :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
High Definition Audio Property Page Shortcut HDAudPropShortcut.exe
SoundMan SOUNDMAN.EXE
SunKistEM C:\Program Files\Digital Media Reader\shwiconem.exe

AlcWzrd ALCWZRD.EXE
CHotkey zHotkey.exe
ShowWnd ShowWnd.exe
Tweak UI
WinVNC "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
CoolSwitch C:\WINDOWS\system32\taskswitch.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
DAEMON Tools-1033 "C:\Program Files\D-Tools\daemon.exe" -lang 1033
!1_pgaccount "C:\Program Files\ProcessGuard\pgaccount.exe"
!!!AntiHook "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\WINDOWS\system32\qttask.exe" -atboottime
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/16/2005 8:33:17 PM

_____________________________________________________________________

I haven't looked these over yet. Let me know what you think, and I'll take a look myself.
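As an added example (not code from the thread or from WinPFind), the following Python pass triages the autostart sections of a WinPFind-style dump in the format shown above: Run entries with no command, Run entries whose executable is a bare name resolved via the search path, and Image File Execution Options debugger hooks. The sample input is constructed from entries copied out of the log, and the finding category names are my own.

```python
import re

# Constructed sample in the WinPFind format; values copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
High Definition Audio Property Page Shortcut HDAudPropShortcut.exe
SoundMan SOUNDMAN.EXE
Tweak UI
WinVNC "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A command is "rooted" when it starts with a (possibly quoted) drive path or an %ENV% variable.
ROOTED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%)')
RUN_KEYS = {"Run", "RunOnce", "RunServices", "RunServicesOnce"}

def split_run_entry(line):
    """Split 'Name command args' where the value name itself may contain spaces.
    Returns (name, command); command is '' when the value carries no data."""
    tokens = line.split()
    for i, tok in enumerate(tokens[1:], start=1):
        if ROOTED_RE.match(tok):                      # first rooted token starts the command
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    if len(tokens) > 1 and tokens[-1].lower().endswith(".exe"):
        return " ".join(tokens[:-1]), tokens[-1]      # bare executable, no directory given
    return line.strip(), ""

def triage(log_text):
    """Return a list of (category, name, detail) findings for an analyst to review."""
    findings, section, ifeo_image = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, ifeo_image = m.group("key"), None
            continue
        if section.rsplit("\\", 1)[-1] in RUN_KEYS:
            name, cmd = split_run_entry(line)
            if not cmd:
                findings.append(("run-no-command", name, "value has no command; verify or remove"))
            elif not ROOTED_RE.match(cmd):
                findings.append(("run-unrooted", name, cmd + " is resolved via the search path"))
        elif section.endswith("Image File Execution Options"):
            if line.startswith("HKEY_"):
                ifeo_image = line.rsplit("\\", 1)[-1]  # subkey name is the hooked image name
            elif line.startswith("Debugger") and ifeo_image:
                findings.append(("ifeo-debugger", ifeo_image, line.split("=", 1)[1].strip()))
    return findings
```

The IFEO subkey named "Your Image File Name Here without a path" is the placeholder present on a default XP install; the check is there so that a real image name with a Debugger value stands out.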

#8 bhsx

bhsx
  • Topic Starter

  • Members
  • 8 posts

Posted 16 December 2005 - 10:49 PM

After giving it a once-over, I think everything seems in order. I'm still a bit worried about the iframe.b and java.openstream positives; is there a tested/proven way to safely remove these? I'll run another Kaspersky scan now to see current status. Will post in a couple of hours. (Been drinking a bit [it is Friday night here {Chicago}], so let me know if I'm incoherent!) I'll post scan results if anything interesting pops up.

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 17 December 2005 - 05:30 AM

LMAO @ Friday Night, now you know why I waited 'til this morning to post! :thumbsup:

Company Christmas Party last night :flowers:


As for the entries you see in the WinPFind folder, those appear to be the backups made by the Apropos fix.


I had some issues with the text on the Kaspersky report so I hope I saw it all correctly!


C:\Documents and Settings\denise\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2aeba889.zip

C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\8ZF7YO5P\codepro[1].htm

C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\FRDHPP1M\index[5].htm

C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\O9YJY5E9\tgp[1].htm

C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\opr00WKO.js

C:\temp\mp3_(pixies)_download-1.exe

C:\WINDOWS\system32\OLDddrssapi.exe


I will let you sort through those since some may be on the system for a reason.

The Temporary Internet Files and the Zip folder from the Java folder can definitely go.


HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 <-- You have any idea what this is all about, is it related to Daemon Tools by any chance?

#10 bhsx

bhsx
  • Topic Starter

  • Members
  • 8 posts

Posted 17 December 2005 - 12:16 PM

I've deleted all of the files you mentioned. I'm NOW (forgot I was running it last night and turned off the PC :)) running the full Kaspersky scan. Will post the results.

#11 bhsx

bhsx
  • Topic Starter

  • Members
  • 8 posts

Posted 17 December 2005 - 03:24 PM

Everything looks good!
Thanks so much. If I keep seeing the reboots, I'll be back. In fact, I'll most likely be back to help some others as I'm digging this site.
BTW, according to
http://www.sysinternals.com/Forum/forum_posts.asp?TID=399
and
http://www.daemon-tools.cc/dtcc/t7086-rootkit-dt.html

the HKLM entry is definitely Daemon Tools, so nothing to worry about.

You rock!

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 18 December 2005 - 05:47 AM

Here's a couple of progs and suggestions you may be interested in.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup


Go ahead and Re-enable System Restore and restart the PC; this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again, you know how to find us! :thumbsup:
