Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! My Computer Is Possibly Infected And Slow!


  • Please log in to reply
9 replies to this topic

#1 Big Red

Big Red

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 30 January 2006 - 01:38 PM

Hi there,

Back in November my boyfriend (a very BAD boy), visited a site he shouldn't have, and soon realized we had become infested with something. It's taken me this long to figure out what to do. I've followed all the instructions posted on this site of things to do before posting a HijackThis log. I've also installed Zone Alarm Internet Security Suite. I was wondering if you could look at my log and tell me if there's anything else that needs fixing. I really appreciate your help with this.

Oh, I should tell you that I've already deleted vmlib.exe and also a bunch of trojans. Once I get some feedback on this log and get things cleared up, I plan to install Windows SP2 (unless you tell me otherwise).

Thanks,

Big Red


Logfile of HijackThis v1.99.1
Scan saved at 11:10:06 AM, on 1/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wwSecure.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133189511515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137353587941
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

Edited by Big Red, 31 January 2006 - 12:43 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:00 PM

Posted 31 January 2006 - 01:14 PM

The log looks clean to me. Are you having any particular problems or just being safe?

Lets check a few things to be safe:

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#3 Big Red

Big Red
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 21 February 2006 - 12:51 PM

Hi Grinler,

Sorry it took me so long to do this. I got caught up in school stuff and the recent snow storm. I ran WPFind and here are the results.

Thanks for your help.

-BigRed



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/21/2005 10:00:58 PM 13824 C:\WINDOWS\q1378843.dll
UPX! 11/16/2005 4:31:06 PM 13824 C:\WINDOWS\q286093.dll
UPX! 11/21/2005 5:21:18 PM 13824 C:\WINDOWS\q288156.dll
UPX! 11/16/2005 7:05:54 PM 13824 C:\WINDOWS\q298546.dll
UPX! 11/19/2005 9:03:08 PM 13824 C:\WINDOWS\q310546.dll
UPX! 11/15/2005 7:29:34 PM 13824 C:\WINDOWS\q346406.dll
UPX! 11/15/2005 5:14:20 PM 13824 C:\WINDOWS\q3493203.dll
UPX! 11/15/2005 5:40:18 PM 13824 C:\WINDOWS\q5060421.dll
UPX! 7/25/2005 1:06:20 AM 58368 C:\WINDOWS\Unwash6.exe

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 11/15/2005 5:09:52 PM 3221 C:\WINDOWS\SYSTEM32\vmlib.exe
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/16/2006 10:21:06 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
1/19/2006 8:30:24 PM H 0 C:\WINDOWS\INF\oem29.inf
1/28/2006 5:56:06 PM H 477936 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\01a1255c7a2de973c2a3067555de1f0b\BIT6.tmp
1/15/2006 2:58:26 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\01a87d6cdae8d00685023c2227fbd901\BIT1B.tmp
1/15/2006 2:58:06 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT11.tmp
1/19/2006 8:44:08 PM H 1071328 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09f3832e005a9a2540207136daa73705\BIT3.tmp
1/28/2006 5:51:06 PM H 148353 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2fb2efdfd9315a9f2abc34c505673a1b\BIT5.tmp
1/15/2006 2:57:56 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\35fe7b19652e81d34148bc14421c553c\BIT9.tmp
1/19/2006 8:39:08 PM H 490736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3ca8c39b9b899185c2c09c220865d1ed\BIT2.tmp
1/15/2006 2:58:12 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4161db3f23053dc2b9214e0f68ee43d8\BIT14.tmp
1/15/2006 2:58:16 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4405f895a09e520f39df11c7994228c6\BIT16.tmp
1/15/2006 2:58:08 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\46471706f149ff7efd510ac67fbf2083\BIT12.tmp
1/15/2006 2:58:38 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\58da2700258c7c7e3f8f7bdf6965cb89\BIT21.tmp
1/15/2006 2:58:28 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\64f4b928dc866c5f88f963eeffa42a3d\BIT1C.tmp
1/29/2006 11:26:36 AM H 478960 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\65030dac8468c4ea1d7a83c2d607818c\BITF.tmp
1/15/2006 2:58:22 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d6ec88ba3cbf999d4bcc1d838f53ce6\BIT19.tmp
1/29/2006 11:21:36 AM H 31346 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\76033438d40f9746b6ec0e8aaf51e236\BITE.tmp
1/15/2006 2:33:02 PM H 488176 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7f9ed00b8ab9f384a670920f20096ec5\BIT2.tmp
1/15/2006 2:58:32 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\851ca82aef1b7b908fd1385b2f64ab7c\BIT1E.tmp
1/19/2006 8:49:08 PM H 151177 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\879a7abe6afbadbeffa84f65522e9dda\BIT4.tmp
1/28/2006 6:06:06 PM H 151105 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8e527178241f7c4675e7f007b5cab5b1\BIT8.tmp
1/15/2006 2:58:36 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9b42571356bb2e09e9aa248e870f3b4a\BIT20.tmp
1/15/2006 2:58:20 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9d51f82f11794d8ebbf8f609ad791c6c\BIT18.tmp
1/29/2006 11:20:20 AM H 4073736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a06e7351fcdc817b6e57396c6e531ed3\BITC.tmp
1/15/2006 2:58:40 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a5fe7d920afc6b7360c46d0fbd5ffc83\BIT22.tmp
1/29/2006 11:21:12 AM H 477424 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a98cb8bcd42533ae42cca6c7a4282b7a\BITD.tmp
1/15/2006 2:58:46 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b557efae9523e650b89a51506b535cf9\BIT24.tmp
1/15/2006 2:58:42 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c2e736bcbbc1a37e82e9c71c7bc1e99b\BIT23.tmp
1/15/2006 2:58:48 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c5481ed85104865c537bcd4e567eab3d\BIT25.tmp
1/15/2006 2:34:34 PM H 2585864 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT18.tmp
1/29/2006 11:29:56 AM H 478960 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d78af668673c436852155f7dfcca83e7\BIT10.tmp
1/28/2006 6:01:06 PM H 491248 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\db38026d4c7c731bf876ffafac4b434d\BIT7.tmp
1/28/2006 6:11:06 PM H 896240 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f4cd476bee083b0e594340e23205826c\BITA.tmp
1/15/2006 2:58:14 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f6e2bdf66b6b403d4c41f96fe0c20e68\BIT15.tmp
1/15/2006 2:58:18 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fc77a08cba52ad57cf2f0a10d4723036\BIT17.tmp
1/15/2006 2:58:30 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ff9844a0f0feaa5597f75dcffabb8d43\BIT1D.tmp
2/16/2006 10:19:22 PM H 38360 C:\WINDOWS\SYSTEM32\vsconfig.xml
2/8/2006 7:04:28 AM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2/16/2006 10:20:56 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
2/16/2006 10:21:44 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
2/16/2006 10:21:08 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
2/16/2006 10:22:22 PM H 73728 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
2/16/2006 10:21:46 PM H 790528 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
2/16/2006 10:19:58 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 9/10/2002 5:07:54 PM 716800 C:\WINDOWS\SYSTEM32\B57exp.cpl
11/12/1999 1:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
5/24/2002 12:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Intel Corporation 6/20/2002 3:10:10 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 1/9/2003 10:38:02 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 6/20/2001 5:34:36 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Intel Corporation 6/20/2002 3:10:10 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Karen\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Karen\Application Data\DESKTOP.INI
10/17/2004 7:30:08 PM 0 C:\Documents and Settings\Karen\Application Data\dm.ini
1/16/2003 9:52:54 PM 12358 C:\Documents and Settings\Karen\Application Data\PFP100JCM.{PB
1/16/2003 9:52:54 PM 61678 C:\Documents and Settings\Karen\Application Data\PFP100JPR.{PB

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McBrwHelper Class = c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
{DB264E15-F83B-4603-BFC1-4EA7E3204686} = Anonymizer 2005 Toolbar : C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
BCMSMMSG BCMSMMSG.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\McAfee.com\Agent\mcagent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\McAfee.com\Agent\mcagent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPFExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPSExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/16/2006 10:28:30 PM

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:00 PM

Posted 21 February 2006 - 04:14 PM

It looks like you disabled some mcafee programs in msconfig. As this is your AV software, I suggest you reenable those.

Download Killbox.

Extract killbox.zip to your desktop and then double-click on the Killbox.exe icon.

Select the option "Delete on reboot".

Now copy the next bold part:


C:\WINDOWS\q1378843.dll
C:\WINDOWS\q286093.dll
C:\WINDOWS\q288156.dll
C:\WINDOWS\q298546.dll
C:\WINDOWS\q310546.dll
C:\WINDOWS\q346406.dll
C:\WINDOWS\q3493203.dll
C:\WINDOWS\q5060421.dll
C:\WINDOWS\SYSTEM32\vmlib.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

#5 Big Red

Big Red
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 21 February 2006 - 04:46 PM

Hi Grinler,

Will do that. But I uninstalled McAfee so I could install ZoneAlarm Internet Pro instead. The only problem I have with it is that I have trouble downloading the most recent updates for it b/c of some problems I think ZoneAlarm has caused with my Internet connection. That's the next thing to get fixed (perhaps in another discussion forum).

Want me to re-run WinPFind after doing KillBox?

-BigRed

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:00 PM

Posted 21 February 2006 - 05:06 PM

Yes please...does zonealarm pro act as a av program as well?

#7 Big Red

Big Red
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 28 February 2006 - 01:07 PM

Hi Grinler,

Yes, ZoneAlarm has anti-virus and anti-spyware, as well as a triple firewall.

Here is the results of WinPFind after I ran KillBox on those programs as you said. How's it looking?

-BigRed



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 7/25/2005 1:06:20 AM 58368 C:\WINDOWS\Unwash6.exe

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/27/2006 9:09:00 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
1/19/2006 8:30:24 PM H 0 C:\WINDOWS\INF\oem29.inf
1/15/2006 2:58:26 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\01a87d6cdae8d00685023c2227fbd901\BIT1B.tmp
1/15/2006 2:58:06 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT11.tmp
1/19/2006 8:44:08 PM H 1071328 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09f3832e005a9a2540207136daa73705\BIT3.tmp
1/15/2006 2:57:56 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\35fe7b19652e81d34148bc14421c553c\BIT9.tmp
1/19/2006 8:39:08 PM H 490736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3ca8c39b9b899185c2c09c220865d1ed\BIT2.tmp
1/15/2006 2:58:08 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\46471706f149ff7efd510ac67fbf2083\BIT12.tmp
1/15/2006 2:33:02 PM H 488176 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7f9ed00b8ab9f384a670920f20096ec5\BIT2.tmp
1/19/2006 8:49:08 PM H 151177 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\879a7abe6afbadbeffa84f65522e9dda\BIT4.tmp
1/29/2006 11:20:20 AM H 4073736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a06e7351fcdc817b6e57396c6e531ed3\BITC.tmp
1/15/2006 2:58:42 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\c2e736bcbbc1a37e82e9c71c7bc1e99b\BIT23.tmp
1/15/2006 2:34:34 PM H 2585864 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ca1c9a5f6bfb5c940f7b592a816e164e\BIT18.tmp
1/28/2006 6:01:06 PM H 491248 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\db38026d4c7c731bf876ffafac4b434d\BIT7.tmp
1/15/2006 2:58:14 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f6e2bdf66b6b403d4c41f96fe0c20e68\BIT15.tmp
1/15/2006 2:58:30 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ff9844a0f0feaa5597f75dcffabb8d43\BIT1D.tmp
2/27/2006 9:09:42 PM H 38360 C:\WINDOWS\SYSTEM32\vsconfig.xml
2/8/2006 7:04:28 AM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2/27/2006 9:14:38 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
2/27/2006 9:09:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
2/27/2006 9:10:12 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
2/27/2006 9:13:06 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
2/27/2006 9:12:44 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
2/27/2006 9:09:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 9/10/2002 5:07:54 PM 716800 C:\WINDOWS\SYSTEM32\B57exp.cpl
11/12/1999 1:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
5/24/2002 12:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Intel Corporation 6/20/2002 3:10:10 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 1/9/2003 10:38:02 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 6/20/2001 5:34:36 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Intel Corporation 6/20/2002 3:10:10 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Karen\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Karen\Application Data\DESKTOP.INI
10/17/2004 7:30:08 PM 0 C:\Documents and Settings\Karen\Application Data\dm.ini
1/16/2003 9:52:54 PM 12358 C:\Documents and Settings\Karen\Application Data\PFP100JCM.{PB
1/16/2003 9:52:54 PM 61678 C:\Documents and Settings\Karen\Application Data\PFP100JPR.{PB

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McBrwHelper Class = c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
{DB264E15-F83B-4603-BFC1-4EA7E3204686} = Anonymizer 2005 Toolbar : C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
BCMSMMSG BCMSMMSG.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BCMSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BCMSMMSG
hkey HKLM
command BCMSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\McAfee.com\Agent\mcagent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\McAfee.com\Agent\mcagent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPFExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPSExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/27/2006 9:14:42 PM

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:00 PM

Posted 28 February 2006 - 04:36 PM

Its looking good....how does it feel to you? Also did you properly uninstall mcafee or did you just disable its startup entries?

#9 Big Red

Big Red
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 02 March 2006 - 08:35 AM

It feels a little slow sometimes. And ZoneAlarm sometimes warns me that the program CIDAEMON may be doing something suspicious, but I'm not sure if this is really a problem. I had read that CIDAEMON is a good program that is supposed to be on your computer (though I can't remember right now exactly what purpose it serves). But to be safe, I always click "Deny" (ZoneAlarm allows to you to "Allow" or "Deny" the activity that the program is trying to do.)

And I have to fix the problems that ZoneAlarm has been causing with my Internet service. I can connect, but it's been much slower than normal. Is there a particular discussion group for this? This is important b/c due to the slowness, I haven't been able to download the most recent updates for the anti-virus component of ZoneAlarm.

I am almost certain that for McAfee, I went in "Start", "All Programs", "McAfee", "Uninstall McAfee". Was this the right way to do it?

So now it's safe to install Service Pack 2?

Thanks again for your help with this.

-BigRed (aka Karen)

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:00 PM

Posted 02 March 2006 - 10:49 AM

I would ask about your firewall question in this forum:

http://www.bleepingcomputer.com/forums/f/25/antivirus-firewall-and-privacy-products-and-protection-methods/

You did uninstall mcafee properly. Go ahead and install service pack 2 after you follow the instructions below:

Now that your clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users