Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help Analyzing Hijackthis Log!


  • Please log in to reply
19 replies to this topic

#1 eperezruberte

eperezruberte

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 12 February 2006 - 09:23 PM

Dear Sirs:

You have helped me in the past and I sure hope you can help me this time. I have been experiencing some weird :thumbsup: behavior from my PC the last few days. First, I noticed I could no longer hit "View -> Source" to see the code of any webpage. Then I noticed that my desktop wallpaper was changed to a really ugly gray and when I try to change it (by right-clicking on it) it doesn't give me the options I was always used to see.
Here is the log from HijackThis I just performed today. I really appreciate your time in helping me getting my PC to top performance. Thank you very much in advance. :flowers:

---------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:39:24 PM, on 2/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\Program Files\Southwest\Ding\Ding.exe
H:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] "C:\WINNT\System32\NeroCheck.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = H:\Program Files\Southwest\Ding\Ding.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--------------------------------------------------------------------------------------------------------------

BC AdBot (Login to Remove)

 


#2 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 15 February 2006 - 10:54 PM

Hmm, OldTimer, Where are you???!!! :thumbsup:
Last time I had a problem you helped me solve it! :flowers:

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 16 February 2006 - 08:01 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

If you have already followed these steps, then go ahead and post a new log as a reply.

#4 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 22 February 2006 - 12:51 AM

Grinler! :huh: It took me some time to finish running the preparations you told me below and at the post you referred me to, plus I was out of town, but I have finished everything and you will find my log below. There are a few things I want to point out first. The "cleanmgr" (step 3) step DID NOT WORK. :thumbsup: It just hung there for A WHOLE DAY and when I came back from work, I just canceled it. :flowers: I went in and cleaned the Temporary Internet Files through the browser Internet Options, but I couldn't do it the way that post explained it. Also, the Panda Anti Virus DID NOT WORK either. :huh: I went to their page, but nothing happened when I click on the buttons there. Spybot did not find any problems, and neither did Housecall, or Stinger. The Bit Defender said it fixed some problems.
So, with nothing else, here is my log. I sure wish you can help me figure out what's wrong. :huh: Right now my desktop is all messed up (no wallpaper and no option to set up one) and my icons for MyComputer and My Network Places are missing (I have a theme). Plus I am more afraid for what could be going on behind scenes. :huh:
Thanks in advance for your time.
-----------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:47:14 PM, on 2/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\Ares\Ares.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\Program Files\Southwest\Ding\Ding.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\WISPTIS.EXE
G:\Software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] "C:\WINNT\System32\NeroCheck.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "H:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = H:\Program Files\Southwest\Ding\Ding.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
----------------------------------------------------------------------------------------------------------

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 22 February 2006 - 08:04 AM

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Configure scan option, make sure ther eis a check in run addons, and then put a check next to each addon. Now press apply. Next click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#6 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 25 February 2006 - 02:30 PM

Grinler! My comp is getting worse!!! Now a few minutes after rebooting, my mouse and keyboard get disabled. I sure hope you can help me fix this.

Here is the contents of WinPFind.txt
Thanks in advance!
------------------------------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINNT\choice.exe
PECompact2 8/3/2005 8:01:16 PM 15532707 C:\WINNT\LPT$VPN.757
qoologic 8/3/2005 8:01:16 PM 15532707 C:\WINNT\LPT$VPN.757
SAHAgent 8/3/2005 8:01:16 PM 15532707 C:\WINNT\LPT$VPN.757
UPX! 8/3/2005 8:01:16 PM 170053 C:\WINNT\tsc.exe
UPX! 2/10/2006 4:44:14 PM 3584 C:\WINNT\uninstDsk.exe
PECompact2 8/3/2005 8:01:16 PM 15532707 C:\WINNT\VPTNFILE.757
qoologic 8/3/2005 8:01:16 PM 15532707 C:\WINNT\VPTNFILE.757
SAHAgent 8/3/2005 8:01:16 PM 15532707 C:\WINNT\VPTNFILE.757
UPX! 8/3/2005 8:01:16 PM 1044560 C:\WINNT\vsapi32.dll
aspack 8/3/2005 8:01:16 PM 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINNT\SYSTEM32\Dwapilib.tlb
UPX! 10/7/2003 8:10:02 PM H 50588 C:\WINNT\SYSTEM32\o1716ov0.tmp
UPX! 10/13/2003 9:09:22 PM H 50588 C:\WINNT\SYSTEM32\o78kdov0.tmp
UPX! 8/29/2002 7:14:40 AM 18432 C:\WINNT\SYSTEM32\oleext.dll
Umonitor 6/19/2003 12:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 12/7/1999 5:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/18/2006 5:34:42 AM H 743674 C:\WINNT\ShellIconCache
2/25/2006 12:06:26 PM S 64 C:\WINNT\CSC\00000001
2/25/2006 12:06:26 PM S 64 C:\WINNT\CSC\00000002
2/25/2006 10:37:20 AM S 64 C:\WINNT\CSC\csc1.tmp
2/25/2006 12:06:54 PM H 1003 C:\WINNT\system32\vsconfig.xml
2/25/2006 12:08:04 PM H 1024 C:\WINNT\system32\config\default.LOG
2/25/2006 12:11:46 PM H 1024 C:\WINNT\system32\config\SAM.LOG
2/25/2006 12:09:54 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
2/25/2006 12:14:22 PM H 1024 C:\WINNT\system32\config\software.LOG
2/25/2006 12:06:16 PM H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 12/7/1999 5:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
5/10/1999 1:53:48 PM 57344 C:\WINNT\SYSTEM32\dapanel.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 12/7/1999 5:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 5/1/2002 6:51:36 PM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 7/13/2001 9:31:28 AM 36864 C:\WINNT\SYSTEM32\odbccp32.cpl
Autodesk, Inc. 3/25/1999 3:28:40 AM 393216 C:\WINNT\SYSTEM32\PLOTMAN.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
SiSoftware 3/9/2003 9:44:46 PM 53248 C:\WINNT\SYSTEM32\SanCpl.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Autodesk, Inc. 3/25/1999 3:28:46 AM 393216 C:\WINNT\SYSTEM32\STYLEMAN.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 12/7/1999 5:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 54272 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 12/7/1999 5:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 7/13/2001 9:31:28 AM 36864 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/19/2005 10:17:40 AM 1484 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
9/26/2004 9:43:50 PM 811 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
2/8/2006 6:10:08 PM 1375 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DING!.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/12/2005 8:03:16 PM 4532 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = h:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = H:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = H:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CopyToCD
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = H:\PROGRA~1\vso\COPYTO~1\CTCDSH~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029CA12C-89C1-46a7-A3C7-82F2F98635CB}
ZIBho Class = C:\Program Files\Kontiki\bin\bh309190.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{08361226-6472-43BD-8A40-D9221FF1C4CE}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{B195B3B3-8A05-11D3-97A4-0004ACA6948E} = :
{0E1230F8-EA50-42A9-983C-D22ABC2EED3B} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
ATIPTA "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ASUS Probe "C:\Program Files\ASUS\Probe\AsusProb.exe"
Smapp C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
NeroCheck "C:\WINNT\System32\NeroCheck.exe"
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
ElbyCheckAnyDVD "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
AnyDVD "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
iTunesHelper "H:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ares "H:\Program Files\Ares\Ares.exe" -h

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key tW=҃ S6
Hint mi esposa
FileName0 C:\WINNT\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 1
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 0
n 0
s 0
v 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


<<<<<<<<<< Checking for AddOn Monitors.def information >>>>>>>>>>
Parameter line : regkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors found!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Adobe PDF Port
Driver C:\WINNT\system32\AdobePDF.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Adobe PDF Port\Ports

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor
Driver cnbjmon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\hpzsnt09
Driver hpzsnt09.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
Driver localspl.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Document Imaging Writer Monitor
Driver mdimon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PDF-XChange
Driver pxc25pm.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor
Driver pjlmon.dll
EOJTimeout 60000


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
Driver tcpmon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
StatusUpdateInterval 10
StatusUpdateEnabled 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
Driver usbmon.dll



<<<<<<<<<< Checking for AddOn OpenCommand.def information >>>>>>>>>>
>>>>>>>>>> Exporting Shell Open\Command entries
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command found!
regedit.exe "%1"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command found!
"%1" /S

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command found!

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command found!


<<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

<<<<<<<<<< Checking for AddOn Qoologic.def information >>>>>>>>>>
>>>>>>>>>> Search by size and name
>>>>>>>>>> Files found by this method are not necessarily bad
>>>>>>>>>> Example PNGFILT.DLL is a windows file
Parameter line : file=%sysdir%;*.exe;150;61952;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7680;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;91648;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;81920;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7168;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;65536;;;
File C:\WINNT\SYSTEM32\*.exe for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;redit.cpl;;;;;
File C:\WINNT\SYSTEM32\redit.cpl was not found!
Parameter line : file=%sysdir%;conres.cpl;;;;;
File C:\WINNT\SYSTEM32\conres.cpl was not found!
Parameter line : file=%sysdir%;datadx.dll;;;;;
File C:\WINNT\SYSTEM32\datadx.dll was not found!
Parameter line : file=%sysdir%;*.dll;150;10240;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 10240 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;46080;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 46080 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;34816;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 34816 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;16384;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 16384 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;29184;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 29184 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;26624;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 26624 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;9728;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 9728 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;10843;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;18432;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 18432 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;23040;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 23040 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;17920;;;
File C:\WINNT\SYSTEM32\*.dll for today - 150 days with a size of 17920 bytes was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>> Misc Checks
Parameter line : file=%sysdir%;*.dat;150;81920;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;61952;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;65536;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7680;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;91648;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7168;;;
File C:\WINNT\SYSTEM32\*.dat for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%windir%;*.dll;150;10843;;;
File C:\WINNT\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3950;;;
File C:\WINNT\*.dll for today - 150 days with a size of 3950 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3943;;;
File C:\WINNT\*.dll for today - 150 days with a size of 3943 bytes was not found!

<<<<<<<<<< Checking for AddOn RDriv.def information >>>>>>>>>>
Registry Entries
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\OLE;;
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE found!
EnableDCOM Y

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\NONREDIST
System.EnterpriseServices.Thunk.dll


Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate;;
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall;;
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters found!
autodisconnect 15
enableforcedlogoff 1
enablesecuritysignature 0
requiresecuritysignature 0
Lmannounce 0
Size 1
Guid poJ[v
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters found!
enableplaintextpassword 0
enablesecuritysignature 1
requiresecuritysignature 0

Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions found!

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00022613-0000-0000-C000-000000000046} Multimedia File Property Sheet
{176d6597-26d3-11d1-b350-080036a75b03} ICM Scanner Management
{1F2E5C40-9550-11CE-99D2-00AA006E086C} NTFS Security Page
{3EA48300-8CF6-101B-84FB-666CCB9BCD32} OLE Docfile Property Page
{40dd6e20-7c17-11ce-a804-00aa003ca9f6} Shell extensions for sharing
{41E300E0-78B6-11ce-849B-444553540000} PlusPack CPL Extension
{42071712-76d4-11d1-8b24-00a0c9068ff3} Display Adapter CPL Extension
{42071713-76d4-11d1-8b24-00a0c9068ff3} Display Monitor CPL Extension
{42071714-76d4-11d1-8b24-00a0c9068ff3} Display Panning CPL Extension
{4E40F770-369C-11d0-8922-00A024AB2DBB} DS Security Page
{56117100-C0CD-101B-81E2-00AA004AE837} Shell Scrap DataHandler
{59099400-57FF-11CE-BD94-0020AF85B590} Disk Copy Extension
{59be4990-f85c-11ce-aff7-00aa003ca9f6} Shell extensions for Microsoft Windows Network objects
{5DB2625A-54DF-11D0-B6C4-0800091AA605} ICM Monitor Management
{675F097E-4C4D-11D0-B6C1-0800091AA605} ICM Printer Management
{764BF0E1-F219-11ce-972D-00AA00A14F56} Shell extensions for file compression
{77597368-7b15-11d0-a0c2-080036af3f03} Web Printer Shell Extension
{7988B573-EC89-11cf-9C00-00AA00A14F56} Disk Quota UI
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Encryption Context Menu
{85BBD920-42A0-1069-A2E4-08002B30309D} Briefcase
{88895560-9AA2-1069-930E-00AA0030EBC8} HyperTerminal Icon Ext
{BD84B380-8CA2-1069-AB1D-08000948F534} Fonts
{DBCE2480-C732-101B-BE72-BA78E9AD5B27} ICC Profile
{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} Printers Security Page
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} Shell extensions for sharing
{f92e8c40-3d33-11d2-b1aa-080036a75b03} Display TroubleShoot CPL Extension
{60254CA5-953B-11CF-8C96-00AA00B8708C} Shell extensions for Windows Script Host
{7444C717-39BF-11D1-8CD9-00C04FC29D45} Crypto PKO Extension
{7444C719-39BF-11D1-8CD9-00C04FC29D45} Crypto Sign Extension
{7007ACC7-3202-11D1-AAD2-00805FC1270E} Network and Dial-up Connections
{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} Tasks Folder Icon Handler
{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} Tasks Folder Shell Extension
{D6277990-4C6A-11CF-8D87-00AA0060F5BF} Scheduled Tasks
{1A9BA3A0-143A-11CF-8350-444553540000} Shell Favorite Folder
{20D04FE0-3AEA-1069-A2D8-08002B30309D} My Computer
{86747AC0-42A0-1069-A2E6-08002B30309D} Briefcase Folder
{0AFACED1-E828-11D1-9187-B532F1E9575D} Folder Shortcut
{12518493-00B2-11d2-9FA5-9E3420524153} Mounted Volume
{21B22460-3AEA-1069-A2DC-08002B30309D} File Property Page Extension
{B091E540-83E3-11CF-A713-0020AFD79762} File Types Page
{FBF23B41-E3F0-101B-8488-00AA003E56F8} MIME File Types Hook
{C2FBB630-2971-11d1-A18C-00C04FD75D13} Microsoft CopyTo Service
{C2FBB631-2971-11d1-A18C-00C04FD75D13} Microsoft MoveTo Service
{13709620-C279-11CE-A49E-444553540000} Shell Automation Service
{62112AA1-EBE4-11cf-A5FB-0020AFE7292D} Shell Automation Folder View
{4622AD11-FF23-11d0-8D34-00A0C90F2719} Start Menu
{7BA4C740-9E81-11CF-99D3-00AA004AE837} Microsoft SendTo Service
{D969A300-E7FF-11d0-A93B-00A0C90F2719} Microsoft New Object Service
{09799AFB-AD67-11d1-ABCD-00C04FC30936} Open With Context Menu Handler
{3FC0B520-68A9-11D0-8D77-00C04FD70822} Display Control Panel HTML Extensions
{75048700-EF1F-11D0-9888-006097DEACF9} ActiveDesktop
{6D5313C0-8C62-11D1-B2CD-006097DF8C11} Folder Options Property Page Extension
{57651662-CE3E-11D0-8D77-00C04FC99D61} CmdFileIcon
{4657278A-411B-11d2-839A-00C04FD918D0} Shell Drag and Drop helper
{A470F8CF-A1E8-4f65-8335-227475AA5C46} Add encryption item to context menus in explorer
{5E6AB780-7743-11CF-A12B-00AA004AE837} Microsoft Internet Toolbar
{22BF0C20-6DA7-11D0-B373-00A0C9034938} Download Status
{568804CA-CBD7-11d0-9816-00C04FD91972} Menu Shell Folder
{5b4dae26-b807-11d0-9815-00c04fd91972} Menu Band
{8278F931-2A3E-11d2-838F-00C04FD918D0} Tracking Shell Menu
{E13EF4E4-D2F2-11d0-9816-00C04FD91972} Menu Site
{ECD4FC4F-521C-11D0-B792-00A0C90312E1} Menu Desk Bar
{91EA3F8B-C99B-11d0-9815-00C04FD91972} Augmented Shell Folder
{6413BA2C-B461-11d1-A18A-080036B11A03} Augmented Shell Folder 2
{F61FFEC1-754F-11d0-80CA-00AA005B4383} BandProxy
{D82BE2B0-5764-11D0-A96E-00C04FD705A2} IShellFolderBand
{7BA4C742-9E81-11CF-99D3-00AA004AE837} Microsoft BrowserBand
{30D02401-6A81-11d0-8274-00C04FD5AE38} Search Band
{169A0691-8DF9-11d1-A1C4-00C04FD75D13} In-pane search
{07798131-AF23-11d1-9111-00A0C98BA67D} Web Search
{0E5CBF21-D15F-11d0-8301-00AA005B4383} &Links
{AF4F6510-F982-11d0-8595-00AA004CD6D8} Registry Tree Options Utility
{01E04581-4EEE-11d0-BFE9-00AA005B4383} &Address
{A08C11D2-A228-11d0-825B-00AA005B4383} Address EditBox
{00BB2763-6A77-11D0-A535-00C04FD7D062} Microsoft AutoComplete
{7487cd30-f71a-11d0-9ea7-00805f714772} Thumbnail Image
{7376D660-C583-11d0-A3A5-00C04FD706EC} TridentImageExtractor
{6756A641-DE71-11d0-831B-00AA005B4383} MRU AutoComplete List
{00BB2764-6A77-11D0-A535-00C04FD7D062} Microsoft History AutoComplete List
{03C036F1-A186-11D0-824A-00AA005B4383} Microsoft Shell Folder AutoComplete List
{00BB2765-6A77-11D0-A535-00C04FD7D062} Microsoft Multiple AutoComplete List Container
{ECD4FC4E-521C-11D0-B792-00A0C90312E1} Shell Band Site Menu
{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} Shell DeskBarApp
{ECD4FC4C-521C-11D0-B792-00A0C90312E1} Shell DeskBar
{ECD4FC4D-521C-11D0-B792-00A0C90312E1} Shell Rebar BandSite
{DD313E04-FEFF-11d1-8ECD-0000F87A470C} User Assist
{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} Global Folder Settings
{EFA24E61-B078-11d0-89E4-00C04FC9E26E} Favorites Band
{0A89A860-D7B1-11CE-8350-444553540000} Shell Automation Inproc Service
{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} Shell DocObject Viewer
{FBF23B40-E3F0-101B-8488-00AA003E56F8} InternetShortcut
{3C374A40-BAE4-11CF-BF7D-00AA006946EE} Microsoft Url History Service
{FF393560-C2A7-11CF-BFF4-444553540000} History
{7BD29E00-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} Microsoft Url Search Hook
{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} IE4 Suite Splash Screen
{67EA19A0-CCEF-11d0-8024-00C04FD75D13} CDF Extension Copy Hook
{131A6951-7F78-11D0-A979-00C04FD705A2} ISFBand OC
{9461b922-3c5a-11d2-bf8b-00c04fb93661} Search Assistant OC
{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} The Internet
{871C5380-42A0-1069-A2EA-08002B30309D} Internet Name Space
{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} Thumbnails
{EAB841A0-9550-11CF-8C16-00805F1408F3} HTML Thumbnail Extractor
{1AEB1360-5AFC-11D0-B806-00C04FD706EC} Office Graphics Filters Thumbnail Extractor
{9DBD2C50-62AD-11D0-B806-00C04FD706EC} Summary Info Thumbnail handler (DOCFILES)
{500202A0-731E-11D0-B829-00C04FD706EC} LNK file thumbnail interface delegator
{352EC2B7-8B9A-11D1-B8AE-006008059382} Shell Application Manager
{0B124F8C-91F0-11D1-B8B5-006008059382} Installed Apps Enumerator
{CFCCC7A0-A282-11D1-9082-006008059382} Darwin App Publisher
{fe1290f0-cfbd-11cf-a330-00aa00c16e65} Directory Namespace
{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} Shell properties for a DS object
{8A23E65E-31C2-11d0-891C-00A024AB2DBB} Directory Query UI
{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} Directory Object Find
{F020E586-5264-11d1-A532-0000F8757D7E} Directory Start/Search Find
{0D45D530-764B-11d0-A1CA-00AA00C16E65} Directory Property UI
{62AE1F9A-126A-11D0-A14B-0800361B1103} Directory Context Menu Verbs
{450D8FBA-AD25-11D0-98A8-0800361B1103} MyDocs Folder
{ECF03A33-103D-11d2-854D-006008059367} MyDocs Copy Hook
{ECF03A32-103D-11d2-854D-006008059367} MyDocs Drop Target
{4a7ded0a-ad25-11d0-98a8-0800361b1103} MyDocs Properties
{750fdf0e-2a26-11d1-a3ea-080036587f03} Offline Files Menu
{10CFC467-4392-11d2-8DB4-00C04FA31A66} Offline Files Folder Options
{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} Offline Files Folder
{7A80E4A8-8005-11D2-BCF8-00C04F72C717} MMC Icon Handler
{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} .CAB file viewer
{EFA24E64-B078-11d0-89E4-00C04FC9E26E} Explorer Band
{32714800-2E5F-11d0-8B85-00AA0044F941} For &People...
{E0D79304-84BE-11CE-9641-444553540000} WinZip
{E0D79305-84BE-11CE-9641-444553540000} WinZip
{E0D79306-84BE-11CE-9641-444553540000} WinZip
{E0D79307-84BE-11CE-9641-444553540000} WinZip
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} Adobe.Acrobat.ContextMenu
{B41DB860-8EE4-11D2-9906-E49FADC173CA} WinRAR shell extension
{1D2680C9-0E2A-469d-B787-065558BC7D43} Fusion Cache
{32683183-48a0-441b-a342-7c2a440a9478} Media Band
{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} Custom MRU AutoCompleted List
{7e653215-fa25-46bd-a339-34a2790f3cb7} Accessible
{acf35015-526e-4230-9596-becbe19f0ac9} Track Popup Bar
{E0E11A09-5CB8-4B6C-8332-E00720A168F2} Address Bar Parser
{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} Microsoft Browser Architecture
{7BD29E01-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
{f39a0dc0-9cc8-11d0-a599-00c04fd64433} Channel File
{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} Channel Shortcut
{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} Channel Handler Object
{f3da0dc0-9cc8-11d0-a599-00c04fd64437} Channel Menu
{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} Channel Properties
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} WebCheck
{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} Subscription Mgr
{F5175861-2688-11d0-9C5E-00AA00A45957} Subscription Folder
{08165EA0-E946-11CF-9C87-00AA005127ED} WebCheckWebCrawler
{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} WebCheckChannelAgent
{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} TrayAgent
{7D559C10-9FE9-11d0-93F7-00AA0059CE02} Code Download Agent
{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} ConnectionAgent
{D8BD2030-6FC9-11D0-864F-00AA006809D9} PostAgent
{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} WebCheck SyncMgr Handler
{88C6C381-2E85-11D0-94DE-444553540000} ActiveX Cache Folder
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} CopyToCD shell extension
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} Web Folders
{00020D75-0000-0000-C000-000000000046} Microsoft Office Outlook Desktop Icon Handler
{0006F045-0000-0000-C000-000000000046} Microsoft Office Outlook Custom Icon Handler
{42042206-2D85-11D3-8CFF-005004838597} Microsoft Office HTML Icon Handler
{2206CDB2-19C1-11D1-89E0-00C04FD7A829} Microsoft Data Link


Files
Parameter line : File=%sysdir%;rdriv.sys;;;;;
File C:\WINNT\SYSTEM32\rdriv.sys was not found!
Parameter line : File=%sysdir%;ItunesMusic.exe;;;;;
File C:\WINNT\SYSTEM32\ItunesMusic.exe was not found!
Parameter line : File=%sysdir%;wkssvc.exe;;;;;
File C:\WINNT\SYSTEM32\wkssvc.exe was not found!
Parameter line : File=%windir%;ItunesMusic.exe;;;;;
File C:\WINNT\ItunesMusic.exe was not found!
Parameter line : File=%windir%;wkssvc.exe;;;;;
File C:\WINNT\wkssvc.exe was not found!

<<<<<<<<<< Checking for AddOn SharedTaskScheduler.def information >>>>>>>>>>
>>>>>>>>>> Exporting Policies from HKLM
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler found!
{438755C2-A8BA-11D1-B96B-00A0C90312E1} Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} Component Categories cache daemon


<<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
>>>>>>>>>> PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Parameter line : file=%sysdir%;*.exe;300;55304;;;
File C:\WINNT\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINNT\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;4096;;;
File C:\WINNT\SYSTEM32\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINNT\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;28680;;;
File C:\WINNT\SYSTEM32\*.exe for today - 300 days with a size of 28680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;11264;;;
File C:\WINNT\SYSTEM32\*.exe with a size of 11264 bytes was not found!
Parameter line : file=%sysdir%;*.ren;300;43528;;;
File C:\WINNT\SYSTEM32\*.ren for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;ntfsnlpa.exe;;;;;
File C:\WINNT\SYSTEM32\ntfsnlpa.exe was not found!
Parameter line : file=%sysdir%;cisvvc.exe;;;;;
File C:\WINNT\SYSTEM32\cisvvc.exe was not found!
Parameter line : file=%sysdir%;drv2cltr.dll;;;;;
File C:\WINNT\SYSTEM32\drv2cltr.dll was not found!
Parameter line : file=%sysdir%;hybsys32.dll;;;;;
File C:\WINNT\SYSTEM32\hybsys32.dll was not found!
Parameter line : file=%sysdir%;loadctr.exe;;;;;
File C:\WINNT\SYSTEM32\loadctr.exe was not found!
Parameter line : file=%sysdir%;rdsndin.exe;;;;;
File C:\WINNT\SYSTEM32\rdsndin.exe was not found!
Parameter line : file=%sysdir%;pxpcya64.exe;;;;;
File C:\WINNT\SYSTEM32\pxpcya64.exe was not found!
Parameter line : file=%windir%;*.exe;300;55304;;;
File C:\WINNT\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%windir%;*.exe;300;43528;;;
File C:\WINNT\*.exe for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%windir%;*.exe;300;4096;;;
File C:\WINNT\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%windir%;rdt.ini;;;;;
File C:\WINNT\rdt.ini was not found!
Parameter line : file=%windir%;baloon.wav;;;;;
File C:\WINNT\baloon.wav was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>>Registry keys to look for
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
System
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\WareOut not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\WareOut;;
HKEY_CURRENT_USER\Software\WareOut not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoBandCustomize;;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer found!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoBandCustomize not found!
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion;Disabled;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\Disabled not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar;;
HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\SearchToolbar;;
HKEY_CURRENT_USER\Software\SearchToolbar not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser;{08BEC6AA-49FC-4379-3587-4B21E286C19E};;
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser found!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} not found!

Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/25/2006 12:18:55 PM

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 25 February 2006 - 09:13 PM

Go to http://virusscan.jotti.org/
and check each of these files for infections. If they are infected, reboot to safe mode and delete them.

C:\WINNT\SYSTEM32\o1716ov0.tmp
C:\WINNT\SYSTEM32\o78kdov0.tmp
C:\WINNT\SYSTEM32\oleext.dll

Then come back and post an ew hjt log and tell me if there any difference now.

#8 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 26 February 2006 - 02:14 AM

Grinler! Still no difference! :thumbsup: At least my keyboard and mouse are still working, but the desktop is still one big gray wallpaper (that I can't change) and my icons are like "non-existent", because the icon next to "My Computer" and "My Network Places" is one big "X".

Anyway, I did what you said and found there were infections in the last two files, that is on
C:\WINNT\SYSTEM32\o78kdov0.tmp and on:
C:\WINNT\SYSTEM32\oleext.dll

The first one (C:\WINNT\SYSTEM32\o1716ov0.tmp) showed up as clean.

Here is my HJT log that I just ran. Thanks a lot for your help!

---------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:16:09 AM, on 2/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Ares\Ares.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\Program Files\Southwest\Ding\Ding.exe
C:\WINNT\system32\wuauclt.exe
G:\Software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] "C:\WINNT\System32\NeroCheck.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "H:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = H:\Program Files\Southwest\Ding\Ding.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 26 February 2006 - 01:45 PM

Lets see a new hijackthis log

#10 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 26 February 2006 - 03:46 PM

Okay... :thumbsup: I'm not sure what you meant by "Let's see a new hijackthis log" because THIS IS A NEW HIJACKTHIS LOG!!! I just ran this last night when I posted it (look at the date it ran!). Anyways, here it is again!

Thanks!


Hmm, sorry, here is the log! :flowers:
--------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:48:21 PM, on 2/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Ares\Ares.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\Program Files\Southwest\Ding\Ding.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
G:\Software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] "C:\WINNT\System32\NeroCheck.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "H:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = H:\Program Files\Southwest\Ding\Ding.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 26 February 2006 - 06:46 PM

My bad...comment was meant for someone else.

Click here to download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Click here to download Ad-Aware SE 1.06 and install' if you haven't already got it. Launch Ad-aware and click on "check for updates now" to make sure you have the latest reference file. Do NOT run a scan yet. Exit the program.

Next reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive (where your operating system is installed). You will need that log later.

Launch Ad-aware again:
  • Click "Start"
  • Select "Perform Full System scan"
  • Click "Next" to start the scan.
When the scan is finished, the screen will tell you if anything has been found.
  • Click "Next". The bad files will be listed.
  • Right click the pane and click "Select all objects" - this will put a check mark in the box at the side.
  • Click "Next" again
  • Click "OK" at the prompt "# objects will be removed. Continue?".
Exit the program.

Launch ewido again:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Next click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Reboot back into Normal Mode and click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log in your next reply.

#12 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 26 February 2006 - 10:39 PM

Ok. I did everything you told me to do except for this:
Next click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

I think this is meant for somebody running XP and I have Win2000.

Other than that I followed everything else precisely and here are the logs:

-------------------------------------
Panda Scan Report
-------------------------------------

Incident Status Location

Adware:adware/msxmidi Not disinfected C:\WINNT\msxmidi.exe
Dialer:dialer.bny Not disinfected C:\WINNT\pcconfig.dat
Spyware:application/bestoffer Not disinfected C:\WINNT\smdat32a.sys
Adware:adware/alfacleaner Not disinfected C:\WINNT\uninstDsk.exe
Adware:adware/searchaid Not disinfected C:\iefeatslinstaller.log
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\dialers
Potentially unwanted tool:application/myway Not disinfected C:\PROGRAM FILES\MyWay
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/cws.yexe Not disinfected C:\WINNT\SYSTEM32\services
Adware:adware/p2pnetworking Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Eddie Perez-Ruberte\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Eddie Perez-Ruberte\Desktop\smitRem.exe[Process.exe]
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/WUpd Not disinfected G:\Software\HijackThis\backups\backup-20050803-193947-463.inf
------------------------------------------------------------------------------
HijackThis Log
------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:39:49 PM, on 2/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\LxrJD31s.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
H:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
H:\Program Files\Ares\Ares.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\Program Files\Southwest\Ding\Ding.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
H:\Program Files\iPod\bin\iPodService.exe
G:\Software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - h:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] "C:\WINNT\System32\NeroCheck.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "H:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "H:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DING!.lnk = H:\Program Files\Southwest\Ding\Ding.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://myvpn.ford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...74/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200310...llInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

-------------------------------------------------------
Smitfiles.txt Contents
-------------------------------------------------------

smitRem log file
version 2.8

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Sun 02/26/2006
The current time is: 18:41:08.73

Running from
C:\Documents and Settings\Eddie Perez-Ruberte\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 516 'explorer.exe'
Killing PID 516 'explorer.exe'
Error 0x5 : Access is denied.


Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:
-----------------------------------------------
Ewido Log
-----------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:51:01 PM, 2/26/2006
+ Report-Checksum: C23FA46

+ Scan result:

HKLM\SOFTWARE\Classes\YSBactivex.Installer.1 -> Adware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\eskin -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0 -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\HostOI -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\HostOI\static -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\HostOL -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\HostOL\static -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\Hotbar -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Default User\Application Data\Hotbar\v3.0\Hotbar\static -> Adware.HotBar : Cleaned with backup
C:\Documents and Settings\Eddie Perez-Ruberte\Cookies\eddie perez-ruberte@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Eddie Perez-Ruberte\Cookies\eddie perez-ruberte@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup


::Report End
---------------------------------------------------------

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:44 PM

Posted 27 February 2006 - 07:27 AM

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)]
Then Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.

#14 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 28 February 2006 - 12:09 AM

Well, I *tried* to do everything you told me but I encounter several barriers.

A. Rootkit Revealer
After running Rootkit Revealer (with internet disconnected), I could not figure out where this "log" was and all I could do was go to the "File" menu and select "Save", which I did and I saved the file as a txt file. This is all that was on that file.

----------------------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/27/2006 7:47 PM 80 bytes Data mismatch between Windows API and raw hive data.
----------------------------------------------

So, I don't know if this is what you needed. So, I went and did a search for all the files that had been modified about the time I ran Rootkit Revealer and found this file called "setupapi.log", which was created about the time Rootkit finished running. This was a large file, and so I thought this may have been what you wanted to see. Please, let me know so I know if I did this right. You may want to write a note that this was not very user-friendly :thumbsup: . Here are the contents of that file:

(Just found out that it was too big for one post) :flowers: I am going to split this in a bunch of posts. I did not find the items you mentioned (C:\RECYCLER\NPROTECT or C:\System Volume Information), and it is still 100 pages long!!! :huh:

#15 eperezruberte

eperezruberte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 28 February 2006 - 12:46 AM

B. Blacklight
I went and downloaded blacklight, but when I started it, I didn't see any option to check "Scan through Windows Explorer" like you said there would be. So I scanned it anyways. It ran very quickly and said there were "No hidden items found". And here is the log for that.

------------------------------------------------------------------------
02/27/06 21:39:48 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 21:39:48 [Info]: OS: 5.0 build 2195 (Service Pack 4)
02/27/06 21:39:49 [Note]: 7019 4
02/27/06 21:39:49 [Note]: 7005 0
02/27/06 21:40:01 [Note]: 7006 0
02/27/06 21:40:01 [Note]: 7011 1236
02/27/06 21:40:01 [Note]: FSRAW library version 1.7.1015
02/27/06 21:41:26 [Note]: 7007 0
------------------------------------------------------------------------

Forgive me if I sound a little impatient, but, are we getting *anywhere* close to a solution? :thumbsup:
This was very labor intensive!!!

I do thank you a lot for your time. :flowers:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users