Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winfixer Popup Problem


  • This topic is locked This topic is locked
14 replies to this topic

#1 misskittysmeow

misskittysmeow

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 15 April 2006 - 02:56 AM

Hi,

I am running Windows XP on a Dell Latitude D600. I also normally run (and update fairly regularly) Adaware 6.0, Spybot S&D, Windows Antispyware Beta and Norton Anti Virus. Sorry for the essay that follows but I wanted to be thorough!

I hit a webpage that threw me this lovely winfixer bug with all the popups telling me I need winfixer etc. Norton seemed to catch one of the attempts but not the other. After surfing the web I have tried and failed with the following:

AdAware, Spybot, Windows AntiSpyware and Norton/Symantec - all scan without spotting the problem.
I tried installing SpyCatcher Express which spotted that byxur.dll kept trying to launch. SpyCatcher successfully stopped it (and seemed to stop the winfixer popups by doing so) but then when I rebooted my system nothing would load.

Removed SpyCatcher Express in safe mode and finally my comp would load again, and winfixer problems are still there. Also Norton just caught trojan.download trying to get on my computer! Also for the record, I have not clicked to download any of the files winfixer has been trying to get me to accept.

I have tried Vundofix which removed files the first time but now says it detects no problem files. VirtumundoBeGone also doesn't spot anything. After watching my automatic updates have some trouble I also updated my microsoft update files.

I followed the prep stuff you listed in this forum. McAfee Stinger spotted nothing. I threw a HJT log into some diagnostic page which highlighted that the byxur.dll and possibly cbawu.dll files are the problem - however as I've had enough freak outs over the past 48 hours I would love it if someone could please check my HJT log and give me some advice before I break anything :thumbsup:

Many thanks, MKM =^o.o^=

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:36 PM, on 15/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\windows\DvzCommon\DvzMsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\My Documents\My Programs\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\System32\byxur.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\windows\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145014272473
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145024255189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxur - C:\WINDOWS\System32\byxur.dll
O20 - Winlogon Notify: cbawu - C:\WINDOWS\System32\cbawu.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 15 April 2006 - 01:37 PM

Hi misskittysmeow and Welcome to the Bleeping Computer!


Please read through all these instructions before proceeding,be sure you have all the necessary downloads before going to safe mode.


Please download the zip attached to this post to your desktop and unzip it,inside you will find Vun.reg which we will need in safe mode.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\byxur.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\cbawu.dll
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\System32\byxur.dll

    O20 - Winlogon Notify: byxur - C:\WINDOWS\System32\byxur.dll

    O20 - Winlogon Notify: cbawu - C:\WINDOWS\System32\cbawu.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Open the unzipped attachment-> Locate and Double Click Vun.reg,when asked to merge into the registry,please click "Yes" and allow the reg file to merge.


Now loacate and run ATF just as described earlier in this post.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.


Restart Normal.


Copy the text below to a blank notepad page-> Save it to the desktop as Find.bat


dir \rock.exe /a h /s > File.txt



Double Click Find.bat and wait for the Command Prompt window to close.

Now,locate File.txt on your desktop-> Copy&Paste those results in the next reply along with a fresh HijackThis log.

Attached Files

  • Attached File  Vun.zip   367bytes   17 downloads


#3 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 15 April 2006 - 10:56 PM

Hi Cretemonster and thank you very much for taking the time to help me out.

I have done all that you outlined to do, please see below for the text you wanted.

I thought I'd better also mention that after I rebooted back into normal mode twice my Windows AntiSpyware Beta told me that something was trying to change my Security Zones. I clicked block both times, I hope this was right to do?

Internet Explorer Secutity Zones alert

Occurred on: 16/04/2006 at 1:43:43 PM

The user Dell, has decided to prevent the existing Internet Explorer Security Zone Internet level of 69632 from being changed to 65536.

Here is file.txt :

Volume in drive C has no label.
Volume Serial Number is 0CDF-723B

Directory of C:\windows\system32

11/04/2006 10:03 AM 7,151 rock.exe
1 File(s) 7,151 bytes



Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:15 PM, on 16/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\windows\DvzCommon\DvzMsgr.exe
C:\Documents and Settings\Dell\My Documents\My Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\windows\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145014272473
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145024255189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxur - C:\WINDOWS\System32\byxur.dll (file missing)
O20 - Winlogon Notify: cbawu - C:\WINDOWS\System32\cbawu.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


I'm guessing there is a bit more to go if something is messing with security zones?

Again thanks for your help :thumbsup:

mkm

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 16 April 2006 - 03:58 AM

Im not so familiar with Rock.exe,can you shed any light on what that may be?

Either way,Id like you to get the file scanned Here please.

C:\windows\system32\Rock.exe

Jottis will run the file through multiple AV scanners and let you know what they find,would you please let me know those results?

Lets have a little deeper look at whats inside the system.


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with the reports from WinPFind and Panda.

#5 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 16 April 2006 - 09:39 PM

Hi again,

It took some time to do all that but now it's done :thumbsup: There's a lot of stuff that follows. I think it may be mainly cleared up but have posted all that you asked for including another HJT log at the end. Windows is trying to automatically update some more security patches (mutter) but I haven't installed any of the latest today just in case it's better to wait until my system is cleaner.

For the record rock.exe seemed to be a virus in my windows system32 folder, and there was a file that had a matching icon that sadly I do remember accidentally double-clicking when I was looking through there - c:\ej.exe they seem to be part of the same virus.

I think Panda cleared rock.exe ej.exe and wvuvu.dll from my system, it only identifies two additional files. My HJT log seems to show remnants of the byxur and cbawu dll files (but says file missing) please let me know if I need to do anything further!

Again thank you for the help :flowers:

mkm

-----------------------------------------------------------------------------------------------
virusscan.jotti.org scan for rock.exe:

File: Rock.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 fa15afcd52f0bf515d8d89eef7937169
Packers detected: FSG
Scanner results
AntiVir Found Trojan/LowZones.DN
ArcaVir Found Trojan.Lowzones.Dn
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.LowZones (probable variant)
ClamAV Found Trojan.Lowzones-48
Dr.Web Found Trojan.LowZones.161
F-Prot Antivirus Found W32/Lowzones.EX
Fortinet Found W32/LowZones.2!tr
Kaspersky Anti-Virus Found Trojan.Win32.LowZones.dn
NOD32 Found nothing
Norman Virus Control Found W32/LowZones.YK
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.LowZones.dn

-----------------------------------------------------------------------------------------------
virusscan.jotti.org for ej.exe:

File: ej.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 fa15afcd52f0bf515d8d89eef7937169
Packers detected: FSG
Scanner results
AntiVir Found Trojan/LowZones.DN
ArcaVir Found Trojan.Lowzones.Dn
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.LowZones (probable variant)
ClamAV Found Trojan.Lowzones-48
Dr.Web Found Trojan.LowZones.161
F-Prot Antivirus Found W32/Lowzones.EX
Fortinet Found W32/LowZones.2!tr
Kaspersky Anti-Virus Found Trojan.Win32.LowZones.dn
NOD32 Found Win32/Lowzones.DM
Norman Virus Control Found W32/LowZones.YK
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.LowZones.dn

-----------------------------------------------------------------------------------------------

WinPFind Report (run before Panda):

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 11/04/2006 10:03:20 AM 7151 C:\ej.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG! 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
PEC2 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
PECompact2 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
Umonitor 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
qoologic 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
aspack 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
SAHAgent 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
web-nex 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
ad-w-a-r-e.com 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 23/08/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 14/02/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 7/04/2006 5:48:38 AM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/04/2006 5:48:38 AM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 29/08/2002 1:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 11/04/2006 10:03:20 AM 7151 C:\WINDOWS\SYSTEM32\rock.exe
winsync 23/08/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17/04/2006 3:05:48 AM S 2048 C:\WINDOWS\bootstat.dat
14/04/2006 8:50:32 PM H 54156 C:\WINDOWS\QTFont.qfn
14/04/2006 9:07:50 PM S 64 C:\WINDOWS\CSC\00000001
14/04/2006 2:49:18 PM S 64 C:\WINDOWS\CSC\00000002
17/04/2006 2:52:48 AM H 0 C:\WINDOWS\inf\oem14.inf
15/04/2006 12:18:26 AM H 0 C:\WINDOWS\inf\oem6.inf
17/04/2006 2:52:48 AM H 0 C:\WINDOWS\LastGood\INF\oem14.inf
17/04/2006 2:52:48 AM H 0 C:\WINDOWS\LastGood\INF\oem14.PNF
15/04/2006 9:38:10 AM H 341736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b4024a04f4563990064b39c881c34cc8\BIT5.tmp
16/04/2006 12:54:26 PM HS 635921 C:\WINDOWS\system32\ruxyb.bak2
16/04/2006 1:27:24 PM HS 637577 C:\WINDOWS\system32\ruxyb.ini
13/04/2006 10:26:04 AM HS 336 C:\WINDOWS\system32\uwabc.ini
11/04/2006 2:45:58 PM HS 38925 C:\WINDOWS\system32\wvuvu.dll
23/03/2006 9:17:30 AM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
13/03/2006 4:45:34 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
16/03/2006 5:03:06 PM S 13854 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567-OE6SP1-20060316.165634.cat
22/03/2006 6:28:18 PM S 20273 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812-IE6SP1-20060322.182418.cat
8/03/2006 5:59:38 PM S 9341 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914798.cat
17/04/2006 3:05:34 AM H 8192 C:\WINDOWS\system32\config\default.log
17/04/2006 3:05:58 AM H 1024 C:\WINDOWS\system32\config\sam.log
17/04/2006 3:05:50 AM H 16384 C:\WINDOWS\system32\config\security.log
17/04/2006 3:06:46 AM H 77824 C:\WINDOWS\system32\config\software.log
17/04/2006 3:06:54 AM H 1044480 C:\WINDOWS\system32\config\system.log
15/04/2006 2:36:28 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/03/2006 10:30:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\s-1-5-18\User\64085dbb-5c04-45ac-9523-045be538f1b8
11/03/2006 10:30:56 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\s-1-5-18\User\Preferred
17/04/2006 3:04:34 AM H 6 C:\WINDOWS\Tasks\sa.dat

Checking for CPL files...
Microsoft Corporation 19/04/2004 1:25:34 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corp. 14/02/2003 4:32:48 PM 126976 C:\WINDOWS\SYSTEM32\ASFConfig.cpl
Broadcom Corporation 14/05/2003 8:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 14/01/2004 6:57:18 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 17/08/2001 9:37:02 PM 48128 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 19/04/2004 1:28:30 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/11/2003 7:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 6:57:44 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 10/04/2003 5:13:02 AM 81920 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 19/04/2004 1:25:34 PM 66048 C:\WINDOWS\SYSTEM32\DllCache\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\DllCache\appwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\DllCache\desk.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\DllCache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\DllCache\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\DllCache\intl.cpl
Microsoft Corporation 29/08/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\DllCache\joy.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\DllCache\main.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\DllCache\mmsys.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\DllCache\ncpa.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\DllCache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\DllCache\nwc.cpl
Microsoft Corporation 20/02/2003 4:39:50 PM 32768 C:\WINDOWS\SYSTEM32\DllCache\odbccp32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\DllCache\powercfg.cpl
Microsoft Corporation 19/04/2004 1:30:50 PM 147456 C:\WINDOWS\SYSTEM32\DllCache\sapi.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\DllCache\sysdm.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\DllCache\telephon.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\DllCache\timedate.cpl
SigmaTel Inc. 10/04/2003 5:13:02 AM 81920 C:\WINDOWS\SYSTEM32\ReinstallBackups\0027\DriverFiles\STAC97.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
23/10/2004 2:52:56 PM 1865 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
22/11/2004 12:50:40 AM 1554 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
13/11/2004 9:24:04 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
13/11/2004 9:04:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
19/04/2004 1:32:34 PM HS 84 C:\Documents and Settings\Dell\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
17/12/2004 10:43:00 PM 38473 C:\Documents and Settings\Dell\Application Data\Comma Separated Values (Windows).ADR
24/10/2004 1:02:38 AM 12953 C:\Documents and Settings\Dell\Application Data\Comma Separated Values (Windows).CAL
19/04/2004 1:19:10 PM HS 62 C:\Documents and Settings\Dell\Application Data\desktop.ini
5/04/2005 11:56:38 PM 19944 C:\Documents and Settings\Dell\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareUNCMenu
{e3f2bac0-099f-11cf-8daa-00aa004a5691} = nwprovau.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}
SpywareBlock Class = C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
bascstray BascsTray.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CloneCDElbyCDFL "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IntelWireless C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
MaxtorOneTouch C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
MXO Auto Loader C:\WINDOWS\MXOALDR.EXE
HPHmon04 C:\WINDOWS\System32\hphmon04.exe
HPHUPD04 "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Picasa Media Detector C:\Program Files\Picasa2\PicasaMediaDetector.exe
rock rock.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxur
= C:\WINDOWS\System32\byxur.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbawu
= C:\WINDOWS\System32\cbawu.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless
= C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 17/04/2006 10:07:03 AM


-----------------------------------------------------------------------------------------------
Panda ActiveScan (most recent scan run):


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dell\Cookies\dell@112.2o7[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dell\Desktop\VundoFix\VundoFix\process.exe
Virus:Trj/LowZones.RI Disinfected C:\ej.exe
Virus:Trj/LowZones.RI Disinfected C:\windows\system32\rock.exe
Virus:Trj/Keylog.GA Disinfected C:\windows\system32\wvuvu.dll

-----------------------------------------------------------------------------------------------
Another HJT log that I just ran in case you need it:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:03 PM, on 17/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\windows\DvzCommon\DvzMsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\My Documents\My Programs\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\windows\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145014272473
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145024255189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxur - C:\WINDOWS\System32\byxur.dll (file missing)
O20 - Winlogon Notify: cbawu - C:\WINDOWS\System32\cbawu.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

-----------------------------------------------------------------------------------------------

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 17 April 2006 - 04:48 AM

Great Work! :thumbsup:

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process-> Give it a minute to run.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [rock] rock.exe

O20 - Winlogon Notify: byxur - C:\WINDOWS\System32\byxur.dll (file missing)

O20 - Winlogon Notify: cbawu - C:\WINDOWS\System32\cbawu.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Reboot into SAFE MODE(Tap F8 when restarting)

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

Lets be double sure Panda got rid of those files.


Locate and Delete any of these files that you find

C:\ej.exe

C:\WINDOWS\SYSTEM32\rock.exe

C:\WINDOWS\system32\wvuvu.dll

C:\WINDOWS\system32\ruxyb.bak2

C:\WINDOWS\system32\ruxyb.ini

C:\WINDOWS\system32\uwabc.ini


Once completed-> Scan the system once more with WinPFind.


Restart Normal and run one last Online Scan.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post back with a fresh HijackThis log and the reports from WinPFind and Kaspersky.


One more question,do you have an Active Firewall installed and whats the state of your resident Antivirus,is the subscription still good?

#7 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 17 April 2006 - 09:39 PM

Hiya,

I did everything you said, in the order you said :thumbsup: Kaspersky found 3 viruses, 6 infected objects. :flowers: I realised after the Kaspersky scan that Norton was holding one trojan in quarantine - is it ok if I delete it from quarantine?

To answer your questions before I post the logs:

Firewall - I'm not sure if this will make sense terminology-wise or if I misunderstand something and have stuffed up. I couldn't find firewall settings on my laptop but I was wondering if that's because it's not my primary internet connection? I run my adsl connection through a wireless router that uses my desktop computer as the primary computer on there.

My laptop runs off the wireless connection (my cousin set all this up so I didn't get to learn as much as I would have liked to at the time). The desktop runs Windows Firewall, always on. I tried looking at network connection settings through the laptop and it kept saying I had to refer back to the computer it shares connection with which I assume is the desktop. Does this make sense? I was surprised as I thought I'd looked at firewall settings on my laptop before. Maybe I fiddled with something I shouldn't have at some stage... sigh.

Anti Virus - I run Symantec Anti Virus Corporate Edition version 8.1.0.021 on both my laptop and desktop with regular updates. For the record I think this stupid winfixer thing got on my comp when I hit "I'm feeling lucky" on google (really really NOT lucky) and it opened some random webpage. I think that page double-launched the bug (but this is my basic opinion) because my anti-virus noted two hits, the first one it missed and the second one it grabbed and quarantined. Plus I was in the middle of downloading more windows automatic update "security" patches (my nerd friends always yell at me for using IE etc but I've not got the time or knowledge to switch stuff over as yet).

As well as those I run Spybot and Adaware 6.0 with regular updates.

Okay now that I've bored you to sleep, onward with the logs!


----------------------------------------------------------------------------------------------------------------------------
New HJT Log 18.04.06

Logfile of HijackThis v1.99.1
Scan saved at 12:04:53 PM, on 18/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\basfipm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\windows\DvzCommon\DvzMsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dell\My Documents\My Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = itproxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\windows\DvzCommon\DvzMsgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145014272473
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145024255189
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

----------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, April 18, 2006 12:02:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 18/04/2006
Kaspersky Anti-Virus database records: 188608
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 58464
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:30:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BB80000.VBN Infected: Trojan-Downloader.Win32.Tiny.bw skipped
C:\Documents and Settings\Dell\My Documents\My Programs\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Dell\My Documents\My Programs\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Dell\My Documents\My Programs\ccsetup128.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP514\A0047284.exe Infected: Trojan.Win32.LowZones.dn skipped
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP514\A0047285.exe Infected: Trojan.Win32.LowZones.dn skipped

Scan process completed.

----------------------------------------------------------------------------------------------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG! 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
PEC2 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
PECompact2 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
Umonitor 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
qoologic 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
aspack 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
SAHAgent 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
web-nex 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP
ad-w-a-r-e.com 15/04/2006 9:32:22 AM 536133632 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 23/08/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 14/02/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 7/04/2006 5:48:38 AM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/04/2006 5:48:38 AM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 29/08/2002 1:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 23/08/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17/04/2006 10:29:46 PM S 2048 C:\WINDOWS\bootstat.dat
14/04/2006 8:50:32 PM H 54156 C:\WINDOWS\QTFont.qfn
14/04/2006 9:07:50 PM S 64 C:\WINDOWS\CSC\00000001
14/04/2006 2:49:18 PM S 64 C:\WINDOWS\CSC\00000002
17/04/2006 2:52:48 AM H 0 C:\WINDOWS\inf\oem14.inf
15/04/2006 12:18:26 AM H 0 C:\WINDOWS\inf\oem6.inf
17/04/2006 10:56:44 AM H 0 C:\WINDOWS\LastGood\INF\oem15.inf
17/04/2006 10:56:44 AM H 0 C:\WINDOWS\LastGood\INF\oem15.PNF
15/04/2006 9:38:10 AM H 341736 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b4024a04f4563990064b39c881c34cc8\BIT5.tmp
23/03/2006 9:17:30 AM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
13/03/2006 4:45:34 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
16/03/2006 5:03:06 PM S 13854 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567-OE6SP1-20060316.165634.cat
22/03/2006 6:28:18 PM S 20273 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812-IE6SP1-20060322.182418.cat
8/03/2006 5:59:38 PM S 9341 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914798.cat
17/04/2006 10:29:32 PM H 8192 C:\WINDOWS\system32\config\default.log
17/04/2006 10:29:54 PM H 1024 C:\WINDOWS\system32\config\sam.log
17/04/2006 10:29:48 PM H 16384 C:\WINDOWS\system32\config\security.log
18/04/2006 3:07:52 AM H 106496 C:\WINDOWS\system32\config\software.log
17/04/2006 10:29:52 PM H 1015808 C:\WINDOWS\system32\config\system.log
15/04/2006 2:36:28 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/03/2006 10:30:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\s-1-5-18\User\64085dbb-5c04-45ac-9523-045be538f1b8
11/03/2006 10:30:56 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\s-1-5-18\User\Preferred
17/04/2006 10:28:38 PM H 6 C:\WINDOWS\Tasks\sa.dat

Checking for CPL files...
Microsoft Corporation 19/04/2004 1:25:34 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corp. 14/02/2003 4:32:48 PM 126976 C:\WINDOWS\SYSTEM32\ASFConfig.cpl
Broadcom Corporation 14/05/2003 8:47:38 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 14/01/2004 6:57:18 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 17/08/2001 9:37:02 PM 48128 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 19/04/2004 1:28:30 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/11/2003 7:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 6:57:44 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 10/04/2003 5:13:02 AM 81920 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 19/04/2004 1:25:34 PM 66048 C:\WINDOWS\SYSTEM32\DllCache\access.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 578560 C:\WINDOWS\SYSTEM32\DllCache\appwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 129024 C:\WINDOWS\SYSTEM32\DllCache\desk.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\DllCache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 292352 C:\WINDOWS\SYSTEM32\DllCache\inetcpl.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 121856 C:\WINDOWS\SYSTEM32\DllCache\intl.cpl
Microsoft Corporation 29/08/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\DllCache\joy.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\DllCache\main.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\DllCache\mmsys.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\DllCache\ncpa.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\DllCache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\DllCache\nwc.cpl
Microsoft Corporation 20/02/2003 4:39:50 PM 32768 C:\WINDOWS\SYSTEM32\DllCache\odbccp32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\DllCache\powercfg.cpl
Microsoft Corporation 19/04/2004 1:30:50 PM 147456 C:\WINDOWS\SYSTEM32\DllCache\sapi.cpl
Microsoft Corporation 29/08/2002 1:41:28 PM 268288 C:\WINDOWS\SYSTEM32\DllCache\sysdm.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\DllCache\telephon.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\DllCache\timedate.cpl
SigmaTel Inc. 10/04/2003 5:13:02 AM 81920 C:\WINDOWS\SYSTEM32\ReinstallBackups\0027\DriverFiles\STAC97.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
23/10/2004 2:52:56 PM 1865 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
22/11/2004 12:50:40 AM 1554 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
13/11/2004 9:24:04 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
13/11/2004 9:04:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
19/04/2004 1:32:34 PM HS 84 C:\Documents and Settings\Dell\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
17/12/2004 10:43:00 PM 38473 C:\Documents and Settings\Dell\Application Data\Comma Separated Values (Windows).ADR
24/10/2004 1:02:38 AM 12953 C:\Documents and Settings\Dell\Application Data\Comma Separated Values (Windows).CAL
19/04/2004 1:19:10 PM HS 62 C:\Documents and Settings\Dell\Application Data\desktop.ini
5/04/2005 11:56:38 PM 19944 C:\Documents and Settings\Dell\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareUNCMenu
{e3f2bac0-099f-11cf-8daa-00aa004a5691} = nwprovau.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Program Files\Aladdin Systems\StuffIt\CompressMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}
SpywareBlock Class = C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
bascstray BascsTray.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CloneCDElbyCDFL "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
IntelWireless C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
MaxtorOneTouch C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
MXO Auto Loader C:\WINDOWS\MXOALDR.EXE
HPHmon04 C:\WINDOWS\System32\hphmon04.exe
HPHUPD04 "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Picasa Media Detector C:\Program Files\Picasa2\PicasaMediaDetector.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless
= C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18/04/2006 5:54:43 AM




----------------------------------------------------------------------------------------------------------------------------

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 April 2006 - 04:51 AM

Everything is looking just peachy! :thumbsup:

Ask Cuz if he can assist you in the idea of a free firewall from either Sunbelt Kerio or Zone Alarm.

Theory is,routers are firewalled and another firewall on the PC itself may be considered overkill,so Im not gonna push that issue.

You can sure delete all quaratined items in Norton.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?

#9 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 18 April 2006 - 10:39 AM

Well I'm quietly hopeful we (you!) have cleared everything up. I'll run some final scans of the system and post the results when they're done.

One final query that I'm not sure if you can help me with - when I finally had the guts to open MS Outlook (2002) again, it gave me about 3 of the same error message: "CiceroUIWndFrame: OUTLOOK.EXE - Entry point not found" as the error title and then it says "The procedure entry point GetIUMS could not be located in the dynamic link library MSDART.DLL"

I guess maybe I killed some file when trying to fix things maybe. Do you know any way of fixing it as it wasn't happening before I messed with my computer :thumbsup: (and when I say that, I mean, I was messing with it before I got your proper help!!!).

If you could give me an idea of what to do that would be great. It seems to work ok after I click OK a few times but it's just a bit annoying :flowers:

Will post the logs once I finish letting the online scans go through my system again etc.

Cheers, mkm :huh:

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 April 2006 - 05:58 PM

Go and get every possible update Windows has to offer,even the optional ones.

This will take some time since your still only SP1 but without all these patches for the system,its wide open to attack,not to mention,I believe it will also cure the outlook problem as well.


Post back once your done and let me know about the error?

#11 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 18 April 2006 - 06:10 PM

Ok will do... I vaguely remember when I put SP2 on it locked up my system or stopped my internet access or something which is a whole other issue. Think cousin did some selective patches instead. But I will give it a go or harass him and let you know when it goes (this could take some time) lol

In other news, Kaspersky and Panda scans only picked up 3 CCleaner setup files and a Vundofix process file as "potential" problem files so I think I could be safe! *crosses fingers*

Are there any other logs you want to see to confirm this or is that cool?

mkm :thumbsup:

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 April 2006 - 06:18 PM

I dont think so but I would like to keep this post open until I know you have safely and successfully downloaded all updates.

If you will,go ahead and Renable System Restore if you have allready disabled it and then go try the updates.

Let me know how it goes?

#13 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 18 April 2006 - 06:31 PM

Ok cool will do and let you know.

By the way, thank you, :thumbsup: I really really appreciate that you spent time helping me.

You're an angel :flowers:

#14 misskittysmeow

misskittysmeow
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  

Posted 06 May 2006 - 07:29 PM

Cretemonster, you rock! :thumbsup:

I have run my laptop for a while and all seems to be okay. Hopefully my luck doesn't run out after I post this!

At some stage I'll probably have to clear up my desktop as well but for now, main thing is my laptop has been running smoothly.

I appreciate both your help and the the fact that this forum exists!! :flowers:

Thanks a million!

misskittysmeow =^o.o^=

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 May 2006 - 06:27 PM

Thats some of the best news I have heard all day.

Lets keep our fingers crossed.

If you need the post reopened,just PM me or a Moderator at any time.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users