Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log -- Ms Update Problem


  • Please log in to reply
12 replies to this topic

#1 azurman

azurman

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 09 January 2006 - 12:36 AM

Hello. This is my first post, so bear with me. I'm running win xp home sp2 and started getting shutdown hang and could not access microsoft update or windows update sites; internet explorer would hang. can access any other site. so went thru startup services and disabling automatic update cured shutdown problem, and could access microsoft update and windows update site, but service was stopped so couldn't do the updates.
so reinstalled auapi.dll from sp2 CD and miraculously could get to update sites, reregister w/ microsoft update. Then restarted and all the same problems again. have scanned w/ spybot s&d, adaware, cwshredder all in safe mode. no trojans, no nothing. here's my hijack this log. I hope you can help me so I can get automatic updates going again. Thanks.Logfile of HijackThis v1.99.1
Scan saved at 9:20:00 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1134465860\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\common files\aol\1134465860\ee\aolssc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\AzurAdmin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134465860\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1134465860\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136781875250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134463363109
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 18 January 2006 - 11:38 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 21 January 2006 - 11:05 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:01:43 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1134465860\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
c:\program files\common files\aol\1134465860\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134465860\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1134465860\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136781875250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134463363109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 22 January 2006 - 01:28 AM

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)]
Then Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.

#5 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 22 January 2006 - 03:33 AM

Hello and thanks for helping me out. The blbeta scan showed no problems. Here is the desktop log:
01/22/06 00:14:35 [Info]: BlackLight Engine 1.0.30 initialized
01/22/06 00:14:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/22/06 00:14:35 [Note]: 7019 4
01/22/06 00:14:35 [Note]: 7005 0
01/22/06 00:14:52 [Note]: 7006 0
01/22/06 00:14:52 [Note]: 7011 1648
01/22/06 00:14:53 [Note]: FSRAW library version 1.7.1014
01/22/06 00:17:44 [Note]: 7007 0

I ran RkR twice. B4 blbeta I found only the top three items in the log below. After blbeta ran, the other items showed up in the RkR log.

Here is the RkR log:

HKLM\SOFTWARE\Classes\webcal\URL Protocol 7/6/2005 10:28 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ 8/30/2004 4:07 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch 1/22/2006 12:11 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain 1/22/2006 12:11 AM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer 1/22/2006 12:11 AM 44 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpRetryTime 1/22/2006 12:11 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpRetryStatus 1/22/2006 12:11 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpDomain 1/22/2006 12:11 AM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpNameServer 1/22/2006 12:11 AM 44 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpDefaultGateway 1/22/2006 12:11 AM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19DFF320-3470-47B1-8973-535A1F8842C7}\DhcpSubnetMaskOpt 1/22/2006 12:11 AM 30 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\{19DFF320-3470-47B1-8973-535A1F8842C7}\Parameters\Tcpip\DhcpDefaultGateway 1/22/2006 12:11 AM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\{19DFF320-3470-47B1-8973-535A1F8842C7}\Parameters\Tcpip\DhcpSubnetMaskOpt 1/22/2006 12:11 AM 30 bytes Hidden from Windows API.

Thank you again.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 22 January 2006 - 03:38 PM

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#7 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 22 January 2006 - 04:18 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/31/2003 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 9:56:38 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 9:56:46 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 9/25/2003 2:26:54 AM 1807568 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/22/2006 1:06:20 PM S 2048 C:\WINDOWS\bootstat.dat
12/30/2005 9:33:28 PM H 54156 C:\WINDOWS\QTFont.qfn
12/13/2005 12:43:18 AM H 0 C:\WINDOWS\inf\oem17.inf
12/13/2005 1:14:52 AM H 0 C:\WINDOWS\inf\oem18.inf
12/12/2005 11:52:56 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_6.cab
1/8/2006 8:49:46 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0b6d86f526d6a471e29c08891cfb70fb\BIT395.tmp
1/8/2006 6:58:40 PM H 151332 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\35fe7b19652e81d34148bc14421c553c\BITE19.tmp
1/21/2006 12:00:34 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3fb146e6214775e386a4a30a89045205\BIT484.tmp
1/21/2006 12:00:34 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\879a7abe6afbadbeffa84f65522e9dda\BIT483.tmp
11/30/2005 8:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/22/2006 1:06:10 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/22/2006 1:06:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/22/2006 1:06:22 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/22/2006 1:06:32 PM H 65536 C:\WINDOWS\system32\config\software.LOG
1/22/2006 1:06:26 PM H 966656 C:\WINDOWS\system32\config\system.LOG
1/21/2006 9:05:20 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/13/2005 12:13:58 AM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
12/13/2005 12:14:00 AM S 22563 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
12/13/2005 12:13:58 AM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
12/13/2005 12:14:00 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
1/8/2006 8:47:56 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\d61e0ec0-7a05-4eb6-ae6b-e0180c76e177
1/8/2006 8:47:56 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
1/21/2006 9:33:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/25/2003 2:26:36 AM 8605696 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/3/2004 9:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 7/6/2005 10:28:32 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 1/6/2004 4:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SmartLink 7/2/2002 3:40:00 PM 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 3/31/2003 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/17/2005 5:25:02 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
12/13/2005 12:00:02 AM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
2/10/2004 9:40:44 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/10/2004 1:31:02 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2/10/2004 9:40:44 AM HS 84 C:\Documents and Settings\AzurAdmin\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/17/2005 5:23:52 PM 1428 C:\Documents and Settings\AzurAdmin\Application Data\AdobeDLM.log
2/10/2004 1:31:02 AM HS 62 C:\Documents and Settings\AzurAdmin\Application Data\desktop.ini
12/17/2005 5:23:52 PM 0 C:\Documents and Settings\AzurAdmin\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CHotkey mHotkey.exe
Apoint C:\Program Files\Apoint2K\Apoint.exe
ATIModeChange Ati2mdxx.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
HostManager C:\Program Files\Common Files\AOL\1134465860\ee\AOLSoftware.exe
AOLSPScheduler C:\Program Files\Common Files\AOL\1134465860\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
sscRun C:\Program Files\Common Files\AOL\1134465860\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
OASClnt C:\Program Files\mcafee.com\antivirus\oasclnt.exe
EmailScan C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
MPFExe C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Start WingMan Profiler "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32\PlacesBar
Place0 ::{C55C499D-3518-44a1-998E-796AC5FC989D}
Place1 8
Place2 0
Place3 5
Place4 17

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/22/2006 1:11:51 PM

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 22 January 2006 - 07:04 PM

Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
winik

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

#9 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 22 January 2006 - 10:29 PM

No instances of winik after regsrch.

#10 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 23 January 2006 - 01:11 AM

Also, I ran housecall again. During the session I got an AOL antivirus (McAfee) dialog that said:

SC0019

We found and cleaned a virus infected file
(C:\Documents and Settings\AzurAdmin\Local Settings\Temp\VAFGFHb03112).
Cleaning removed the file from your PC.

I don't know if this was a real virus or a housecall file. But I'm sure that you do...

Thanks.

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 23 January 2006 - 12:21 PM

The log looks clean so I do not think this is a malware related issue. What made you reinstall this file? auapi.dll

#12 azurman

azurman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 23 January 2006 - 11:26 PM

I appreciate your help.
I can't get to microsoft update or windows update page. The page freezes while loading and never loads. I checked some posts and this was suggested, so I reinstalled wuapi.dll, but no good. I have also tried WUFix.exe, but this didn't work either...not sure where to go from here.
Thanks.

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:58 AM

Posted 24 January 2006 - 08:49 AM

Fix these entries in hijackthis:

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136781875250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134463363109

Reboot and go visit windowsupdate.com. It should ask to install the software. let it do so and see if this fixes the problem




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users