
Error Message: Invalid Menu Handle


14 replies to this topic

#1 Woolysheep8

Posted 18 December 2005 - 06:54 PM

When I click on a link that will connect me to a PDF document I get an error message. I am posting one of these here.
C:\Documents and Settings\Candace Smothers.Computer-Y479PU\Local Settings\Temporary Internet files\Content.IES\KLA7ENWT\SPRinG05_Newsletter[1].pdf
Also, I think my Word documents are infected because they keep freezing up and then I get the message, Word has run into an unexpected problem and has to close. I get the same kind of message with Internet Explorer. It has a problem and has to close.
Thank you for looking at this for me.

Logfile of HijackThis v1.99.1
Scan saved at 6:37:09 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
C:\Program Files\Winamp\winampa.exe
D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
D:\Adobe Reader\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\AOL\1133662090\ee\AOLServiceHost.exe
C:\VstaScan\VsAccess.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\GuruNet\GuruNet.exe
C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
D:\HijackThis_sfx.exe\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ArtToday Toolbar - {4C4C942D-03B0-4041-94F2-73991832615F} - C:\Program Files\ArtToday Toolbar\ArtTodayToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PrintWhere Router 2.1] C:\WINDOWS\System32\PWCCRT21.EXE
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [ABBYY Community Agent] D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe Reader\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /M "Stylus C86" /EF "HKCU"
O4 - Startup: Epson printer Registration.lnk = E:\titles\ereg\EPSONREG.EXE
O4 - Startup: GotFusion WebForums.lnk = C:\Program Files\GotFusion WebForums\DBabble.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\Newsflsh.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VistaAccess.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://lookup.atomica.com
O15 - Trusted Zone: http://www.atomica.com
O16 - DPF: CabInstaller - http://www.arttoday.com/toolbar/CabInstaller.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrow...MINIBrowser.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
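As an added example for readers of this thread (not part of the original posts and not HijackThis code), the script below parses the "Oxx - ..." entry lines in the log format shown above and flags the items a helper usually checks first: targets reported as missing, Run entries that start an executable by bare name, unresolved startup shortcuts, Trusted Zone hosts, and O16 ActiveX downloads from hosts outside an allow-list. The allow-list and the sample log are constructed assumptions.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example for this thread; it is not part of HijackThis or of the
original posts. It parses the "Oxx - ..." entry lines and flags the
items a helper reviews first:
  * entries whose target file is reported "(file missing)",
  * O4 Run entries that launch an executable by bare name (no directory),
    so the loader's search order decides which file actually runs,
  * O4 startup shortcuts whose target could not be resolved ("= ?"),
  * O15 Trusted Zone entries (hosts granted relaxed IE security),
  * O16 DPF ActiveX downloads whose host is not on an allow-list.
The allow-list and the sample log are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
# Assumed allow-list of first-party hosts for O16 downloads; adjust to taste.
ALLOWED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    kind: str                       # section code, e.g. "O4"
    body: str                       # text after "O4 - "
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return the Oxx entries of a HijackThis log, ignoring headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def run_command(body):
    """Extract the command from an O4 Run entry body of the form 'HKLM\\..\\Run: [Name] cmd'."""
    return body.split("] ", 1)[1] if "] " in body else ""


def executable_of(cmd):
    """First token of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd.split() else ""


def host_allowed(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DPF_HOSTS)


def triage(entry):
    """Attach review flags to one entry and return them."""
    kind, body = entry.kind, entry.body
    if "(file missing)" in body:
        entry.flags.append("missing-file")
    if kind == "O4" and "Run:" in body:
        exe = executable_of(run_command(body))
        if exe and "\\" not in exe and ":" not in exe:
            entry.flags.append("bare-executable")
    if kind == "O4" and body.endswith("= ?"):
        entry.flags.append("unresolved-target")
    if kind == "O15":
        entry.flags.append("trusted-zone")
    if kind == "O16":
        m = URL_RE.search(body)
        if not m or not host_allowed(m.group(1)):
            entry.flags.append("third-party-activex")
    return entry.flags


def review(text):
    """Map each flag to the entry bodies that raised it."""
    report = {}
    for e in parse_log(text):
        for f in triage(e):
            report.setdefault(f, []).append(e.body)
    return report


# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\carpserv.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: VistaAccess.lnk = ?
O15 - Trusted Zone: http://lookup.atomica.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: CabInstaller - http://www.arttoday.com/toolbar/CabInstaller.CAB
"""

if __name__ == "__main__":
    for flag, items in sorted(review(SAMPLE_LOG).items()):
        print(flag)
        for item in items:
            print("    " + item)
```

A flag is a prompt to look closer, not a verdict: the bare-name CARPService entry and the missing Adobe helper in the log above are both benign in this thread, but each is exactly the kind of line a reviewer confirms by hand.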


#2 Guest_Cretemonster_*

Posted 21 December 2005 - 04:22 AM

Hi Woolysheep8 and Welcome to the Bleeping Computer!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder -> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete" -> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab

Make sure "Normal Startup - load all device drivers and services" has a green tick by it

Click Apply->Close->Follow the Prompts to Restart

Restart normally and have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Panda

#3 Woolysheep8 (Topic Starter)

Posted 24 December 2005 - 12:47 PM

Hi Cretemonster,
Thanks for your help. I followed your instructions and am sending you the HijackThis log, the Panda ActiveScan report, and the WinPFind report.
Happy Christmas Eve or Happy Hanukkah.
Woolysheep8
Logfile of HijackThis v1.99.1
Scan saved at 9:22:21 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\safe-share\SafeShare.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133662090\ee\AOLServiceHost.exe
D:\Adobe Reader\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\MySoftware\Newsflsh.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\VstaScan\VsAccess.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis_sfx.exe\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ArtToday Toolbar - {4C4C942D-03B0-4041-94F2-73991832615F} - C:\Program Files\ArtToday Toolbar\ArtTodayToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PrintWhere Router 2.1] C:\WINDOWS\System32\PWCCRT21.EXE
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [ABBYY Community Agent] D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe Reader\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /M "Stylus C86" /EF "HKCU"
O4 - Startup: Epson printer Registration.lnk = E:\titles\ereg\EPSONREG.EXE
O4 - Startup: GotFusion WebForums.lnk = C:\Program Files\GotFusion WebForums\DBabble.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\Newsflsh.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VistaAccess.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://lookup.atomica.com
O15 - Trusted Zone: http://www.atomica.com
O16 - DPF: CabInstaller - http://www.arttoday.com/toolbar/CabInstaller.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrow...MINIBrowser.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ActiveScan report

Incident Status Location

Adware:Adware/Gator Not disinfected C:\Candace DS\Local Settings\Temp\trickler_3210.ex_[trickler_3210.exe]
Virus:Trj/Downloader.BJ Not disinfected C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\.jpi_cache\jar\1.0\archive.jar-27b6d962-53fe0b76.idx
Dialer:Dialer.RP Not disinfected C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\OZ7JUO9L\SYSsfitb[1].cab[d_loader.exe]
Dialer:Dialer.RP Not disinfected C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\U3Q7UDQB\SYSsfitb[1].cab[d_loader.exe]
Virus:Trj/Downloader.BJ Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\.jpi_cache\jar\1.0\archive.jar-27b6d962-64b0f11e.idx
Virus:Exploit/Mhtredir.CU Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\3B5ZRP0W\dia326[1].htm
Virus:Exploit/Mhtredir.CU Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\B6B5PD3J\dia326[1].htm
Virus:Exploit/Mhtredir.CU Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\GZRZQOX1\dia326[1].htm
Virus:Exploit/Mhtredir.CU Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\LVNX75J4\dia326[1].htm
Virus:Exploit/Mhtredir.CU Not disinfected C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\S1M3C5U3\dia326[1].htm
Adware:Adware/Gator Not disinfected C:\ErdUndoCache\E0000012\Local Settings\Temp\trickler_3210.ex_[trickler_3210.exe]
Virus:Trj/Downloader.BJ Not disinfected C:\ErdUndoCache\E0000013\.jpi_cache\jar\1.0\archive.jar-27b6d962-64b0f11e.idx
Adware:Adware/SideSearch Not disinfected C:\ErdUndoCache\E0000014\Local Settings\Temp\lycos_ss.exe
Adware:Adware/SaveNow Not disinfected C:\ErdUndoCache\E0000D8F
Spyware:Spyware/New.net Not disinfected C:\ErdUndoCache\rp254\A0041678.exe
Spyware:Spyware/New.net Not disinfected C:\ErdUndoCache\rp257\A0045043.exe
Spyware:Spyware/New.net Not disinfected C:\ErdUndoCache\rp257\A0046061.exe
Adware:adware/gator Not disinfected C:\GatorPatch.log
Adware:adware/delfinmedia Not disinfected C:\keys.ini
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Adware:adware/isearch Not disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/NetPals Not disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/ISearch Not disinfected C:\WINDOWS\Downloaded Program Files\initial.inf
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall4_94.exe
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/keenvalue Not disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005
Adware:adware/ezula Not disinfected C:\WINDOWS\woinstall.exe

WinPFind report
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 12/11/2003 3:01:02 AM 410128 C:\WINDOWS\eFaxview.exe
aspack 1/25/2003 1:57:40 PM 535040 C:\WINDOWS\flashax.exe
UPX! 9/12/2000 11:30:18 AM R 104960 C:\WINDOWS\GizmoZone Screensaver.scr
UPX! 9/24/2003 3:09:26 PM 923136 C:\WINDOWS\vsapi32.dll
aspack 9/24/2003 3:09:26 PM 923136 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 7/17/2004 10:52:54 AM 244736 C:\WINDOWS\SYSTEM32\in10b6s.dll
aspack 7/17/2004 10:52:54 AM 244736 C:\WINDOWS\SYSTEM32\in10b6s.dll
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/21/2005 12:33:44 PM S 2048 C:\WINDOWS\bootstat.dat
12/6/2005 5:47:36 PM HS 6656 C:\WINDOWS\Thumbs.db
12/21/2005 11:41:40 AM H 36020 C:\WINDOWS\system32\vsconfig.xml
12/10/2005 11:42:40 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
12/21/2005 12:33:38 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/21/2005 12:34:10 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/21/2005 12:33:46 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/21/2005 12:41:10 PM H 65536 C:\WINDOWS\system32\config\software.LOG
12/21/2005 12:33:50 PM H 905216 C:\WINDOWS\system32\config\system.LOG
12/15/2005 5:14:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/18/2005 2:47:36 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/18/2005 2:47:36 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/18/2005 2:47:36 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/18/2005 2:47:36 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/9/2005 12:51:24 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\b50231c2-2ee7-40c6-8456-9a93d5c10acc
12/9/2005 12:51:24 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/6/2005 6:58:14 PM H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SMSTE3.GID
12/21/2005 12:33:14 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 2/10/2004 10:53:24 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 12/7/2003 10:54:52 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
WildTangent, Inc. 3/12/2004 2:53:44 PM 45056 C:\WINDOWS\SYSTEM32\wtcpl.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 10:53:24 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/5/2005 3:31:30 PM 1458 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
10/25/2002 2:42:32 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/26/2003 11:05:06 AM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
10/25/2002 3:17:30 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
11/28/2003 5:47:42 PM 1659 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
8/19/2005 4:54:20 PM 1648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
3/30/2004 11:22:30 AM 1861 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
5/13/2005 11:34:44 AM 343 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VistaAccess.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/25/2002 10:35:48 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
10/18/2004 1:03:36 PM 16 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
1/22/2005 4:49:40 PM 16 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
11/5/2005 7:00:10 PM 2159 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
7/19/2005 9:46:40 AM H 20000 C:\Documents and Settings\All Users\Application Data\T09F8

Checking files in %USERPROFILE%\Startup folder...
10/25/2002 2:42:32 PM HS 84 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\desktop.ini
1/19/2005 2:40:24 PM 662 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\Epson printer Registration.lnk
8/18/2005 1:16:58 PM 1764 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\GotFusion WebForums.lnk
5/27/2004 1:56:38 PM 1467 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
12/6/2005 10:38:20 AM 1904 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\AdobeDLM.log
10/25/2002 10:35:48 AM HS 62 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\desktop.ini
12/5/2005 3:29:30 PM 0 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\dm.ini
2/28/2005 9:51:40 AM 2346 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\evpro32.prf
12/5/2005 6:15:14 PM 101832 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Avant Browser [avantbrowser.com] =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GotFusion WebForums
{8fe487ac-370e-4adc-9c2f-7fcfe5922770} = C:\Program Files\GotFusion WebForums\SendShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\Program Files\IncrediMail\bin\IMShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PKZIP Shell Extension
{248A7248-2D62-4B49-ACFB-0C1B70C04F0D} = C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RecognizeMenu
{44BCBE49-4D78-11d2-B108-549301C1FF74} = cfmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PKZIP Shell Extension
{248A7248-2D62-4B49-ACFB-0C1B70C04F0D} = C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Adobe Reader\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Adobe Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}
AtBHOObj Class = C:\Program Files\Common Files\Atomica Shared\agtbho.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\Spybot\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
= C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{4C4C942D-03B0-4041-94F2-73991832615F} = ArtToday Toolbar : C:\Program Files\ArtToday Toolbar\ArtTodayToolbar.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
MoneyStartUp10.0 "C:\Program Files\Microsoft Money\System\Activation.exe"
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
EM_EXEC C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
CARPService carpserv.exe
PrintWhere Router 2.1 C:\WINDOWS\System32\PWCCRT21.EXE
Unshare C:\Program Files\safe-share\SafeShare.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
nod32kui "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
EPSON Stylus C86 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
ABBYY Community Agent D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
WinampAgent C:\Program Files\Winamp\winampa.exe
Zone Labs Client D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
MediaGateway C:\Program Files\MediaGateway\MediaGateway.exe
HostManager C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
Adobe Photo Downloader "D:\Adobe Reader\3.0\Apps\apdproxy.exe"
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Mozilla Quick Launch "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
IncrediMail C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
PopUpStopperFreeEdition C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
EPSON Stylus C86 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /M "Stylus C86" /EF "HKCU"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
SpecifyDefaultButtons 0
Btn_Search 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/21/2005 1:01:27 PM

#4 Guest_Cretemonster_*

  • Guests

Posted 28 December 2005 - 11:26 AM

Please check Add/Remove Programs for any of these entries and remove them if found.

IPInsight
ISearch
MediaGateway
NetPals
New.Net or NewDotNet
SaveNow
SideSearch


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Candace DS\Local Settings\Temp\trickler_3210.ex_
    C:\Candace DS\Local Settings\Temp\trickler_3210.exe
    C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\.jpi_cache\jar\1.0\archive.jar-27b6d962-53fe0b76.idx
    C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\OZ7JUO9L\SYSsfitb[1].cab
    C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\U3Q7UDQB\SYSsfitb[1].cab
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\.jpi_cache\jar\1.0\archive.jar-27b6d962-64b0f11e.idx
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\3B5ZRP0W\dia326[1].htm
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\B6B5PD3J\dia326[1].htm
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\GZRZQOX1\dia326[1].htm
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\LVNX75J4\dia326[1].htm
    C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\S1M3C5U3\dia326[1].htm
    C:\ErdUndoCache\E0000012\Local Settings\Temp\trickler_3210.ex_
    C:\ErdUndoCache\E0000012\Local Settings\Temp\trickler_3210.exe
    C:\ErdUndoCache\E0000013\.jpi_cache\jar\1.0\archive.jar-27b6d962-64b0f11e.idx
    C:\ErdUndoCache\E0000014\Local Settings\Temp\lycos_ss.exe
    C:\ErdUndoCache\E0000D8F
    C:\ErdUndoCache\rp254\A0041678.exe
    C:\ErdUndoCache\rp257\A0045043.exe
    C:\ErdUndoCache\rp257\A0046061.exe
    C:\GatorPatch.log
    C:\keys.ini
    C:\WINDOWS\alchem.ini
    C:\WINDOWS\deskbar.ini
    C:\WINDOWS\Downloaded Program Files\ATPartners.inf
    C:\WINDOWS\Downloaded Program Files\initial.inf
    C:\WINDOWS\Downloaded Program Files\WildApp.inf
    C:\WINDOWS\inf\alchem.inf
    C:\WINDOWS\NDNuninstall4_88.exe
    C:\WINDOWS\NDNuninstall4_94.exe
    C:\WINDOWS\pcconfig.dat
    C:\WINDOWS\SYSTEM32\in10b6s.dll
    C:\WINDOWS\system32\drivers\etc\hosts.bho
    C:\WINDOWS\tmlpcert2005
    C:\WINDOWS\woinstall.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • Then click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (tap F8 when restarting)


Open HijackThis and put a check by these, but DO NOT hit the Fix Checked button yet:

O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


With all other windows and browsers closed, open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Restart normally and please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the report from Ewido.


#5 Woolysheep8 (Topic Starter)

  • Members
  • 22 posts

Posted 29 December 2005 - 05:49 PM

CreteMonster
I have followed your latest instructions and am posting the Kaspersky Scan and the Ewido report.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 29, 2005 17:24:10
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/12/2005
Kaspersky Anti-Virus database records: 168234
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 130314
Number of viruses found: 15
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 4888 sec

Infected Object Name - Virus Name
C:\!KillBox\A0046061.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\!KillBox\dia326[1].htm Infected: Exploit.HTML.Mht
C:\!KillBox\lycos_ss.exe/data0004 Infected: not-a-virus:AdWare.Win32.Sidesearch.a
C:\!KillBox\lycos_ss.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.a
C:\!KillBox\NDNuninstall4_88.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\!KillBox\NDNuninstall4_94.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\!KillBox\SYSsfitb[1].cab/d_loader.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\!KillBox\SYSsfitb[1].cab Infected: Trojan-Downloader.Win32.IstBar.gen
C:\!KillBox\trickler_3210.ex_/ Infected: not-a-virus:AdWare.Win32.Gator.3210
C:\!KillBox\trickler_3210.ex_ Infected: not-a-virus:AdWare.Win32.Gator.3210
C:\!KillBox\woinstall.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\!KillBox\woinstall.exe Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\Candace DS\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx/[From "MS Network Security Division" <pzgeivocqik-hvvw@support.microsoft.net>][Date Tue, 23 Sep 2003 04:49:03 -0700]/UNNAMED/patch84.exe Infected: Email-Worm.Win32.Swen
C:\Candace DS\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx/[From "MS Network Security Division" <pzgeivocqik-hvvw@support.microsoft.net>][Date Tue, 23 Sep 2003 04:49:03 -0700]/UNNAMED Infected: Email-Worm.Win32.Swen
C:\Candace DS\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen
C:\Candace DS\Local Settings\Temp\trickler_3210.ex_/ Infected: not-a-virus:AdWare.Win32.Gator.3210
C:\Candace DS\Local Settings\Temp\trickler_3210.ex_ Infected: not-a-virus:AdWare.Win32.Gator.3210
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temp\IH110.tmp Infected: Trojan-Dropper.Win32.Small.ue
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temp\IH25E.tmp Infected: Trojan-Downloader.Win32.Small.ayl
C:\ErdUndoCache\E0000012\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx/[From "MS Network Security Division" <pzgeivocqik-hvvw@support.microsoft.net>][Date Tue, 23 Sep 2003 04:49:03 -0700]/UNNAMED/patch84.exe Infected: Email-Worm.Win32.Swen
C:\ErdUndoCache\E0000012\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx/[From "MS Network Security Division" <pzgeivocqik-hvvw@support.microsoft.net>][Date Tue, 23 Sep 2003 04:49:03 -0700]/UNNAMED Infected: Email-Worm.Win32.Swen
C:\ErdUndoCache\E0000012\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Swen
C:\ErdUndoCache\rp256\A0044753.exe Infected: not-a-virus:AdWare.Win32.Casino.p
C:\Program Files\Eset\infected\0AZEEFAA.NQF Infected: not-a-virus:Dialer.Win32.PlayGames.a
C:\Program Files\Eset\infected\1KD1OSCA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\21M11CAA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\2HQJJHAA.NQF Infected: Trojan-Dropper.Win32.Small.ue
C:\Program Files\Eset\infected\4OMIJ4CA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\5HVZNECA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\DYRTPGBA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\H2KZMZBA.NQF/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Eset\infected\H2KZMZBA.NQF/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Eset\infected\H2KZMZBA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Program Files\Eset\infected\J4DXD2DA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\LQROUZBA.NQF Infected: Trojan-Dropper.Win32.Mudrop.k
C:\Program Files\Eset\infected\PNCNIGDA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\Eset\infected\W5DN2ABA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Eset\infected\XRNYMWAA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\Program Files\Eset\infected\ZUTO1LBA.NQF Infected: Trojan-Downloader.Win32.Small.ayl
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000319.exe/data0004 Infected: not-a-virus:AdWare.Win32.Sidesearch.a
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000319.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.a
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000320.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000321.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000322.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000327.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000328.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000329.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000329.exe Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000354.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{F4390F4E-4A9E-449A-B8FF-77F06B885626}\RP6\A0000355.exe Infected: not-a-virus:AdWare.Win32.NewDotNet

Scan process completed.

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:28:57 PM, 12/29/2005
+ Report-Checksum: 75AF7F67

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Ignored
C:\!KillBox\A0046061.exe -> Spyware.NewDotNet : Ignored
C:\!KillBox\lycos_ss.exe -> Spyware.Sidesearch.a : Ignored
C:\!KillBox\SYSsfitb[1].cab/d_loader.exe -> Downloader.IstBar : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2E30AC01-99D7-4E9C-B13E-94E1701B0AC9} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6B1BE803-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6B1BE807-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D74F-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{86E5D751-02EB-11D3-A464-0080C858F182} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8F0A06F6-DF4D-4D54-B8CA-E8EEDBAE6DDB} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{916694A8-8AD6-11D2-B6FD-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{916694A9-8AD6-11D2-B6FD-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{6B1BE80A-567F-11D1-B652-0060976C699F} -> Spyware.BonziBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\MaxSpeed -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildArcade -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKU\S-1-5-21-842925246-1078081533-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
C:\!KillBox\A0041678.exe -> Spyware.NewDotNet : Cleaned with backup
C:\!KillBox\A0045043.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Candace DS\Local Settings\Temporary Internet Files\Content.IE5\49MFODIN\42167[2].html -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@e-2dj6wfkioodpkho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@e-2dj6wjlicic5eap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@e-2dj6wjliknczelo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@e-2dj6wjmywnczwlo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@news.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@stats.adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Cookies\candace smothers@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Cookies\jesse smothers@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\ErdUndoCache\E0000012\Local Settings\Temporary Internet Files\Content.IE5\49MFODIN\42167[2].html -> Spyware.BookedSpace : Cleaned with backup
C:\ErdUndoCache\E0000014\Cookies\mark smothers@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\ErdUndoCache\E0000014\Cookies\mark smothers@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\ErdUndoCache\E0000014\Cookies\mark smothers@oxcash[1].txt -> Spyware.Cookie.Oxcash : Cleaned with backup
C:\ErdUndoCache\E0000014\Cookies\mark smothers@programs.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\ErdUndoCache\E0000014\Cookies\mark smothers@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\ErdUndoCache\E0000C20 -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp254\A0040737.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp254\A0040747.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp254\A0040755.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp254\A0040765.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp255\A0043737.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp257\A0044971.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp257\A0044981.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp257\A0044989.dll -> Spyware.WildTangent : Cleaned with backup
C:\ErdUndoCache\rp257\A0044999.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup


::Report End

#6 Guest_Cretemonster_*

  • Guests

Posted 29 December 2005 - 09:19 PM

Open Outlook Express and Click Tools-> Options-> Maintenance

Put a check by-> Empty Messages from the 'Deleted Items' folders on exit.

Click the tab labeled-> "Clean up now"

Click Apply-> OK and close Outlook Express


Go to Safe Mode and Make sure Windows is Showing hidden files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Navigate to this location

C:\Candace DS\Local Settings\Application Data\Identities\{6A631EB0-A249-4722-970E-595D09042959}\Microsoft\Outlook Express

Make sure this file is gone-> Deleted Items.dbx


Now navigate to these locations and empty the contents of each Temp folder but DO NOT delete the temp folder itself

You may find that index.dat and desktop.ini won't delete and that's fine, but everything else in the folders should.

C:\Temp

C:\Windows\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\Jesse Smothers.COMPUTER-Y479PU\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp


You can also delete this file as well-> C:\ErdUndoCache\rp256\A0044753.exe


Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning)


Empty your "Recycle Bin"


Still in Safe Mode-> Scan the System again with WinPFind.

Restart Normal and post a fresh HijackThis log along with the results of the WinPFind Scan.
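
A scripted version of the Temp-folder step in the post above, added here as an example; it is not code from the thread or from Cretemonster. It assumes the Windows XP layout the post names (each profile's Local Settings\Temp under Documents and Settings, plus C:\Windows\Temp), treats index.dat and desktop.ini as files to leave in place rather than errors, and reports anything else it could not remove instead of stopping. The tree built in `run_demo` is a constructed scratch copy of that layout, so running it touches nothing on a real machine; `run_demo`, `empty_folder` and `profile_temp_folders` are names of my own.

```python
"""Empty Temp folders the way the post above describes, without removing the
folders themselves.

Added example; not code from the BleepingComputer thread or its helper.
The scratch tree built in run_demo() is a constructed copy of the XP layout
named in the post so the script can be exercised offline.
"""
import shutil
import tempfile
from pathlib import Path

# The post notes index.dat and desktop.ini usually will not delete on XP and
# that this is fine; they are skipped explicitly rather than reported as errors.
LEAVE_IN_PLACE = {"index.dat", "desktop.ini"}


def empty_folder(folder: Path) -> dict:
    """Delete the contents of `folder`, never the folder itself.

    Returns {"removed": n, "skipped": [...], "failed": [...]} so that locked or
    in-use files are listed for review instead of aborting the whole run.
    """
    result = {"removed": 0, "skipped": [], "failed": []}
    if not folder.is_dir():
        result["failed"].append(f"{folder}: not a directory")
        return result
    for entry in folder.iterdir():
        if entry.name.lower() in LEAVE_IN_PLACE:
            result["skipped"].append(entry.name)
            continue
        try:
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)
            else:
                entry.unlink()  # plain files, and symlinks without following them
            result["removed"] += 1
        except OSError as exc:
            # Typical on XP for files held open by a running process.
            result["failed"].append(f"{entry}: {exc.strerror}")
    return result


def profile_temp_folders(profiles_root: Path) -> list:
    """Resolve '<All other users Profile>\\Local Settings\\Temp' for every
    profile under profiles_root (C:\\Documents and Settings on XP)."""
    found = []
    for profile in sorted(profiles_root.iterdir()):
        temp = profile / "Local Settings" / "Temp"
        if temp.is_dir():
            found.append(temp)
    return found


def run_demo() -> dict:
    """Build a constructed scratch tree mirroring the post's layout, clean it,
    and return per-folder results keyed by path relative to the scratch root."""
    root = Path(tempfile.mkdtemp(prefix="tempclean-"))
    profiles = root / "Documents and Settings"
    for user in ("Owner", "Jesse Smothers.COMPUTER-Y479PU"):
        temp = profiles / user / "Local Settings" / "Temp"
        (temp / "cache").mkdir(parents=True)
        (temp / "cache" / "page[1].htm").write_text("stale cached page")
        (temp / "~DF1234.tmp").write_bytes(b"\x00" * 16)
        (temp / "index.dat").write_bytes(b"")  # stays behind, as on XP
    win_temp = root / "Windows" / "Temp"
    win_temp.mkdir(parents=True)
    (win_temp / "setup.log").write_text("installer leftovers")

    targets = [win_temp] + profile_temp_folders(profiles)
    results = {t.relative_to(root).as_posix(): empty_folder(t) for t in targets}
    # The post is explicit that the Temp folders themselves must survive.
    results["folders_intact"] = all(t.is_dir() for t in targets)
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for path, outcome in run_demo().items():
        print(path, outcome)
```

To use it against real folders, call `empty_folder` on each path from the post (still from Safe Mode, as instructed) and read the `failed` list afterwards: an entry there other than a locked system file is the one worth a second look before posting the next log.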

#7 Woolysheep8

  • Topic Starter
  • Members
  • 22 posts

Posted 30 December 2005 - 06:21 PM

Cretemonster,
I have deleted every possible temporary file. The only one I don't want to remove is Gurunet by Atomica. I purchased this 3 years ago. It is a legitimate program. My son may be annoyed because I deleted all of his temporary files too. So, I think I've followed all of your directions. Let's see what you think.
I'm posting a new HijackThis Log and the results of the WinPFind Scan.



Logfile of HijackThis v1.99.1
Scan saved at 5:59:41 PM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Desktop\Desktop Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: ArtToday Toolbar - {4C4C942D-03B0-4041-94F2-73991832615F} - C:\Program Files\ArtToday Toolbar\ArtTodayToolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PrintWhere Router 2.1] C:\WINDOWS\System32\PWCCRT21.EXE
O4 - HKLM\..\Run: [Unshare] C:\Program Files\safe-share\SafeShare.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [ABBYY Community Agent] D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe Reader\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /M "Stylus C86" /EF "HKCU"
O4 - Startup: Epson printer Registration.lnk = E:\titles\ereg\EPSONREG.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\Newsflsh.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VistaAccess.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://lookup.atomica.com
O15 - Trusted Zone: http://www.atomica.com
O16 - DPF: CabInstaller - http://www.arttoday.com/toolbar/CabInstaller.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrow...MINIBrowser.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\My Documents\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 12/11/2003 3:01:02 AM 410128 C:\WINDOWS\eFaxview.exe
aspack 1/25/2003 1:57:40 PM 535040 C:\WINDOWS\flashax.exe
UPX! 9/12/2000 11:30:18 AM R 104960 C:\WINDOWS\GizmoZone Screensaver.scr
UPX! 9/24/2003 3:09:26 PM 923136 C:\WINDOWS\vsapi32.dll
aspack 9/24/2003 3:09:26 PM 923136 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/8/2005 7:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/30/2005 2:20:10 PM S 2048 C:\WINDOWS\bootstat.dat
12/6/2005 5:47:36 PM HS 6656 C:\WINDOWS\Thumbs.db
12/30/2005 11:33:24 AM H 36020 C:\WINDOWS\system32\vsconfig.xml
12/10/2005 11:42:40 AM H 4212 C:\WINDOWS\system32\zllictbl.dat
11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
12/30/2005 2:20:02 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/30/2005 2:20:20 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/30/2005 2:20:12 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/30/2005 4:09:04 PM H 503808 C:\WINDOWS\system32\config\software.LOG
12/30/2005 2:20:28 PM H 954368 C:\WINDOWS\system32\config\system.LOG
12/15/2005 5:14:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/18/2005 2:47:36 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/18/2005 2:47:36 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/18/2005 2:47:36 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/18/2005 2:47:36 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/9/2005 12:51:24 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\b50231c2-2ee7-40c6-8456-9a93d5c10acc
12/9/2005 12:51:24 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/6/2005 6:58:14 PM H 8628 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SMSTE3.GID
12/30/2005 2:17:14 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 2/10/2004 10:53:24 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 12/7/2003 10:54:52 PM 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
WildTangent, Inc. 3/12/2004 2:53:44 PM 45056 C:\WINDOWS\SYSTEM32\wtcpl.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 10:53:24 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/5/2005 3:31:30 PM 1458 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
10/25/2002 2:42:32 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/30/2005 3:33:06 PM 628 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GuruNet.lnk
2/26/2003 11:05:06 AM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
10/25/2002 3:17:30 PM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
11/28/2003 5:47:42 PM 1659 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
8/19/2005 4:54:20 PM 1648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
3/30/2004 11:22:30 AM 1861 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
5/13/2005 11:34:44 AM 343 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VistaAccess.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/25/2002 10:35:48 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
10/18/2004 1:03:36 PM 16 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
1/22/2005 4:49:40 PM 16 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
11/5/2005 7:00:10 PM 2159 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
7/19/2005 9:46:40 AM H 20000 C:\Documents and Settings\All Users\Application Data\T09F8

Checking files in %USERPROFILE%\Startup folder...
10/25/2002 2:42:32 PM HS 84 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\desktop.ini
1/19/2005 2:40:24 PM 662 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\Epson printer Registration.lnk
5/27/2004 1:56:38 PM 1467 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
12/6/2005 10:38:20 AM 1904 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\AdobeDLM.log
10/25/2002 10:35:48 AM HS 62 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\desktop.ini
12/5/2005 3:29:30 PM 0 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\dm.ini
2/28/2005 9:51:40 AM 2346 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\evpro32.prf
12/5/2005 6:15:14 PM 101832 C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
Avant Browser [avantbrowser.com] =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GotFusion WebForums
{8fe487ac-370e-4adc-9c2f-7fcfe5922770} = C:\Program Files\GotFusion WebForums\SendShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\Program Files\IncrediMail\bin\IMShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PKZIP Shell Extension
{248A7248-2D62-4B49-ACFB-0C1B70C04F0D} = C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RecognizeMenu
{44BCBE49-4D78-11d2-B108-549301C1FF74} = cfmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PKZIP Shell Extension
{248A7248-2D62-4B49-ACFB-0C1B70C04F0D} = C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Adobe Reader\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Adobe Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}
AtBHOObj Class = C:\Program Files\Common Files\Atomica Shared\agtbho.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\Spybot\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}
EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
= C:\Program Files\Microsoft Money\System\mnyviewer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{4C4C942D-03B0-4041-94F2-73991832615F} = ArtToday Toolbar : C:\Program Files\ArtToday Toolbar\ArtTodayToolbar.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
WorksFUD C:\Program Files\Microsoft Works\wkfud.exe
Smapp C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
MoneyStartUp10.0 "C:\Program Files\Microsoft Money\System\Activation.exe"
Microsoft Works Portfolio C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
EM_EXEC C:\PROGRA~1\Logitech\SYSTEM\EM_EXEC.EXE
CARPService carpserv.exe
PrintWhere Router 2.1 C:\WINDOWS\System32\PWCCRT21.EXE
Unshare C:\Program Files\safe-share\SafeShare.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
nod32kui "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
EPSON Stylus C86 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
ABBYY Community Agent D:\PROGRA~2\SPRINT~1.0OF\Sprint\CAgent.exe
WinampAgent C:\Program Files\Winamp\winampa.exe
Zone Labs Client D:\Zone Alarm Firewall\ZoneAlarm\zlclient.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HostManager C:\Program Files\Common Files\AOL\1133662090\ee\AOLHostManager.exe
Adobe Photo Downloader "D:\Adobe Reader\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Mozilla Quick Launch "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
IncrediMail C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
PopUpStopperFreeEdition C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
EPSON Stylus C86 Series C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /M "Stylus C86" /EF "HKCU"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\bhoreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
SpecifyDefaultButtons 0
Btn_Search 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/30/2005 5:48:22 PM

#8 Guest_Cretemonster_*
  • Guests

Posted 31 December 2005 - 08:06 AM

I was going to ask you about Atomica since I saw this in the Ewido log

HKLM\SOFTWARE\Classes\CLSID\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup

Please make sure everything still works with the program?

As for the temp files, create a folder just for the son to store these files he wants to keep in the future.

Temp folders are no place to store files you want to keep around.


How is the PC running so far?

The WinPFind log looks a lot better.

#9 Woolysheep8
  • Topic Starter
  • Members
  • 22 posts

Posted 31 December 2005 - 12:08 PM

Cretemonster,
I appreciate all of your help. Things seem to be running much better. However, my GuruNet isn't working now. I was trying to be careful to leave it alone but I think I inadvertently erased something.
Upon start up I get the following message:

GuruNet.exe-Entry Point not Found
The Procedure entry point
?soap_call_tns_getConfigInfo@@YAHPAUsoap@@PBD1PAUtns_getConfigInfoResponse@@Z could not be located in the dynamic link library SoapClnt.dll.

I don't know if you can help me with this or if I need to locate the company on the web and email them.
I would hate to lose this program.
As for the extra storage file for my son...maybe you could tell me how to set that up. He was on the computer last night and didn't complain of lost information. He also has a site on MySpace. I don't know if he picks up spyware, malware, etc. from that or not. He is a gamer and downloads music. These sites may be some of the reason I had such a mess with my computer. As for music downloads, he downloads to listen to what he likes. He buys music at a local store so he's not a pirate. The artists he likes he supports by purchasing their music.

Again, I am grateful for your help and donated to you yesterday. Thanks so much.
Woolysheep8

#10 Guest_Cretemonster_*
  • Guests

Posted 31 December 2005 - 12:58 PM

OK, it may take some doing on your part but look back at the Ewido Log and pull out all the entries that are associated with Atomica.

I know for sure some reg entries were removed.

Let's put all that together and see if you can locate the exact backups for these in the backup folder of Ewido.

Don't do anything with them yet, just open Ewido and look for the backups and see if you can determine which are which.

I don't have the program installed on this PC and have never had to use the backups before.

So let's tinker with it and see what we can do.

Let me know how the search for the proper backups goes?

#11 Woolysheep8
  • Topic Starter
  • Members
  • 22 posts

Posted 31 December 2005 - 03:35 PM

Cretemonster,
I found four backup files for Atomica.
I copied them onto a notepad and am pasting them below.


HKLM\SOFTWARE\Classes\CLSID\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKU\S-1-5-21-842925246-1078081533-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup

Let me know the next step. Thanks.

#12 Guest_Cretemonster_*
  • Guests

Posted 31 December 2005 - 04:43 PM

OK, that's the same I got.

Open Ewido
Click Quarantine on the left side.
Look for the following items:

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}

HKU\S-1-5-21-842925246-1078081533-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}

HKLM\SOFTWARE\Classes\CLSID\{3392BD0A-A851-4AA4-86E0-4651006F9EA8}


Press and HOLD the Ctrl key then left click each one of the items above. When ONLY those items are highlighted, click Restore.

A small window will open up. Click Restore on this one as well.


You may want to restart the PC for the changes to take effect and then try the program.


Let me know how it works out?
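
The restore steps above put the CLSID key for the Atomica BHO back, and the Browser Helper Objects section of the WinPFind log earlier in the thread shows why that matters: Internet Explorer loads every CLSID listed under that key, so a BHO whose CLSID registration is gone (or whose DLL is missing) is left orphaned and fails at startup. The PowerShell script below is an added example for checking that state directly in the registry; it is not part of Cretemonster's instructions and not Ewido's own tooling. It enumerates every BHO registered under HKLM, resolves each CLSID to its InprocServer32 DLL, and reports whether the DLL is present on disk. It assumes PowerShell 2.0 or later on a 32-bit Windows XP machine (so no Wow6432Node path) and an administrator prompt; the function and column names are my own.

```powershell
# Added example (not from the thread): audit Browser Helper Objects (BHOs)
# registered under HKLM and check that each CLSID still resolves to a DLL on disk.
# Assumes PowerShell 2.0+ on 32-bit Windows XP and an administrator prompt.

$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoAudit {
    param([string]$Root = $bhoRoot)

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No BHO key found at $Root"
        return
    }

    foreach ($key in Get-ChildItem -Path $Root) {
        $clsid    = $key.PSChildName                                   # e.g. {3392BD0A-A851-4AA4-86E0-4651006F9EA8}
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $inproc   = "$clsidKey\InprocServer32"

        $name      = $null
        $dll       = $null
        $dllExists = $false

        if (Test-Path -Path $clsidKey) {
            # The CLSID key's default value is the friendly class name (e.g. "AtBHOObj Class").
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        }
        if (Test-Path -Path $inproc) {
            # InprocServer32's default value is the DLL path IE will load.
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                # Expand %SystemRoot%-style variables before testing the file.
                $expanded  = [Environment]::ExpandEnvironmentVariables($dll)
                $dllExists = Test-Path -LiteralPath $expanded
            }
        }

        # A BHO whose CLSID key is missing is orphaned: IE will try to load it
        # and fail. That is exactly what a quarantine that removed the CLSID key
        # but left the BHO registration behind looks like.
        if (-not (Test-Path -Path $clsidKey)) {
            $status = 'ORPHANED (CLSID key missing)'
        } elseif (-not $dllExists) {
            $status = 'DLL MISSING'
        } else {
            $status = 'OK'
        }

        New-Object PSObject -Property @{
            CLSID     = $clsid
            Name      = $name
            DLL       = $dll
            DLLExists = $dllExists
            Status    = $status
        }
    }
}

# Usage: list every BHO with its resolution status.
Get-BhoAudit | Format-Table CLSID, Name, Status, DLL -AutoSize
```

Run it once before restoring from quarantine and once after: a line reading ORPHANED for {3392BD0A-A851-4AA4-86E0-4651006F9EA8} before and OK after confirms the CLSID key came back and still points at agtbho.dll. Any remaining ORPHANED or DLL MISSING entry is a registration IE will keep failing on at each start, whether it belongs to a cleaned-up unwanted program or to legitimate software whose uninstaller left the key behind.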

#13 Woolysheep8
  • Topic Starter
  • Members
  • 22 posts

Posted 02 January 2006 - 01:22 PM

Cretemonster,
I went to Ewido, clicked quarantine and highlighted 3 of the items and went through the process of restoring them. The item that wasn't in the quarantine was:

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3392BD0A-A851-4AA4-86E0-4651006F9EA8} -> Spyware.Atomica : Cleaned with backup

I went to the Ewido scan report on my desktop and looked at it. This item was on it even though it wasn't in the Quarantine. I am getting the same message about Atomica GuruNet upon start up as I did before as if I hadn't corrected anything.

So, now what?

I emailed Atomica (GuruNet), which is now Answer.com, and sent them the error message. I should get an email reply in a couple of days.

Also....
I tried to download a pdf file today and got another error message almost identical to the original one.
It is:
C:\Documents and Settings\Candace Smothers.COMPUTER-Y479PU\Local Settings\Temporary Internet Files\Content.IE5\IBAVA9UJ\esnJan06[1].pdf
Thanks for checking it.

Edited by Woolysheep8, 02 January 2006 - 06:16 PM.


#14 Woolysheep8
  • Topic Starter
  • Members
  • 22 posts

Posted 03 January 2006 - 03:00 PM

Cretemonster,
I went to the Adobe website and downloaded a new Adobe Reader 7 and now I can download pdf files. So, I guess that's ok. I'm hoping I can just redownload the GuruNet stuff too. So everything else is ok. Thanks.

#15 Guest_Cretemonster_*
  • Guests

Posted 03 January 2006 - 06:19 PM

Sounds good, let me know what happens with Answer.com
