
Hijackthis Log - Dns Redirected May Be Trojan.flush.f


10 replies to this topic

#1 pacmanj

Posted 05 June 2006 - 06:36 PM

Hi,
Running XP Pro SP1a, my DNS queries are being redirected to 85.255.. On searching I found reference to the Trojan.Flush.F malware on the Symantec site. I tried running AVG and Ewido with the latest updates, but AVG doesn't detect anything and Ewido crashes after getting to about 22 viruses found!

Logfile of HijackThis v1.99.1
Scan saved at 8:33:42 AM, on 6/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe
D:\Data\Downloads\VolMouse\volumouse.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Xi\NetTransport 2\NetTransport.exe
C:\Documents and Settings\me\Start Menu\Programs\Startup\procexp.exe
C:\Documents and Settings\me\Start Menu\Programs\Startup\Tcpview.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\Explorer.EXE
D:\Data\Downloads\HijackThis\1.99\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [$Volumouse$] "D:\Data\Downloads\VolMouse\volumouse.exe" /nodlg
O4 - Startup: DialUP Speed.msc.lnk = C:\WINDOWS\system32\DialUP Speed.msc
O4 - Startup: Ethereal.lnk = C:\Program Files\Ethereal\ethereal.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetTransport.exe.lnk = C:\Program Files\Xi\NetTransport 2\NetTransport.exe
O4 - Startup: procexp.exe
O4 - Startup: RICOH Gate La.lnk = ?
O4 - Startup: Tcpview.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F34373F-3932-4F27-93AE-0B1BB0712ACC}: NameServer = 202.125.168.171 61.0.8.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B0DD27-670F-4A84-A75C-1DBA9A518C95}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA469B66-5110-4D5E-AB2B-4A77BFB6CFCC}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


As a temp workaround I went into the registry and changed the malware DNS address to my DNS. But I don't want to have to keep editing the registry each time I dial in to the internet.

According to the Symantec info the root of the process should be found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run but I don't see anything there?

Appreciate any help you can give me.

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 06 June 2006 - 04:38 AM

Hi pacmanj and Welcome to the Bleeping Computer!


Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please wait until Safe Mode to run Ewido!


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer. Reboot into SAFE MODE (tap F8 when restarting)
    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads-> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B0DD27-670F-4A84-A75C-1DBA9A518C95}: NameServer = 85.255.116.55,85.255.112.136

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA469B66-5110-4D5E-AB2B-4A77BFB6CFCC}: NameServer = 85.255.116.55,85.255.112.136

    O17 - HKLM\System\CS1\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Once in safe mode Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 85.255.116.55
IpDns2Address = 85.255.112.136
IpNameAssign = 2



Now open the Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Restart normally and go Start--> Run--> type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


Have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido--> Panda and the report from FixWareOut
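The O17 NameServer lines in pacmanj's HijackThis log and the IpDnsAddress lines Cretemonster has him strip from rasphone.pbk are the same indicator recorded in two places: a resolver the user never configured, pinned once per network interface in the registry and once per dial-up entry in the phonebook. The script below is an added example for this thread, not code from HijackThis, FixWareout or ewido. It parses both formats and reports every resolver outside an allow-list. The sample log and phonebook text are constructed from the entries quoted above; the allow-list (the two resolvers on the second adapter in the log, taken here to be the ISP's) is an assumption, and a real audit would use the ISP's published resolvers instead.

```python
"""Audit DNS resolver settings from a HijackThis log and a rasphone.pbk phonebook.

Added example for this thread (not part of HijackThis, FixWareout or ewido).
Sample inputs are constructed from the entries quoted in the thread.
"""
import ipaddress
import re

# HijackThis O17 line: "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a,b"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

# rasphone.pbk keys that pin DNS servers for a dial-up entry
PBK_DNS_KEYS = ("IpDnsAddress", "IpDns2Address")

# ASSUMPTION: resolvers the machine is expected to use (here the second
# adapter's servers from the log, taken to be the ISP's). Replace for real use.
TRUSTED_RESOLVERS = ["202.125.168.171", "61.0.8.113"]

# Constructed from the O17 lines quoted in post #1
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F34373F-3932-4F27-93AE-0B1BB0712ACC}: NameServer = 202.125.168.171 61.0.8.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B0DD27-670F-4A84-A75C-1DBA9A518C95}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA469B66-5110-4D5E-AB2B-4A77BFB6CFCC}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\..\{5D334CC0-1658-4E70-8B55-60F4AB8F2BEF}: NameServer = 85.255.116.55,85.255.112.136
"""

# Constructed phonebook fragment with the three lines quoted in post #2
SAMPLE_PBK = """
[My ISP]
Encoding=1
IpDnsAddress = 85.255.116.55
IpDns2Address = 85.255.112.136
IpNameAssign = 2
"""


def split_servers(value):
    """HijackThis prints resolvers separated by commas or spaces; return them as a list."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def parse_o17(log_text):
    """Return [(registry_key, [resolver, ...]), ...] for every O17 line in a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found.append((m.group("key"), split_servers(m.group("servers"))))
    return found


def parse_pbk_dns(pbk_text):
    """Return [(section, key, ip), ...] for every pinned DNS address in a rasphone.pbk.

    Handles both 'Key=Value' and 'Key = Value' spacing; 0.0.0.0 means 'not pinned'.
    """
    found = []
    section = None
    for raw in pbk_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in PBK_DNS_KEYS and value and value != "0.0.0.0":
                found.append((section, key, value))
    return found


def audit(log_text, pbk_text, trusted):
    """Return [(source, location, resolver), ...] for every resolver not in `trusted`."""
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # unparsable value: treat as suspicious rather than skip it
        return any(addr in net for net in trusted_nets)

    findings = []
    for key, servers in parse_o17(log_text):
        findings.extend(("hijackthis", key, s) for s in servers if not is_trusted(s))
    for section, key, ip in parse_pbk_dns(pbk_text):
        if not is_trusted(ip):
            findings.append(("rasphone.pbk", f"[{section}] {key}", ip))
    return findings


if __name__ == "__main__":
    for source, location, resolver in audit(SAMPLE_HJT_LOG, SAMPLE_PBK, TRUSTED_RESOLVERS):
        print(f"{source:12} {resolver:16} {location}")
```

Run against the constructed samples it reports ten findings, all 85.255.x.x: eight from the four interface keys in the log (the CS1 entry is the last-known-good control set, which is why the same GUID appears twice) and two from the phonebook. The O17 lines with the ISP's resolvers produce nothing, which is the check that keeps a user from "fixing" a legitimate entry.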

#3 pacmanj

pacmanj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  

Posted 09 June 2006 - 07:14 PM

I downloaded FixWareOut and ran it; it downloaded some data and registered itself to run at next boot.

Restarted PC and XP in Safe Mode.

FixWareOut automatically ran. Here's the report.txt


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xvjmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/ipvcx9x.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/mxbkup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/connmie.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/truettf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/dxconf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/iecustme.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.161.7/user/john2002/web/ctbasxt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.92/private/x/302.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...

Microsoft Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
* csr.exe C:\WINDOWS\System32\CSHZF.EXE

Misc files

Checking for older varients covered by the Rem3 tool
C:\WINDOWS\System32\run_dos.dll


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSHZF.EXE 51,261 2006-05-31
C:\WINDOWS\SYSTEM32\DMJVX.EXE 44,093 2002-08-29


Ran Ewido in Ignore All mode. Here's log file before cleaning.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:10:02 PM, 9/06/2006
+ Report-Checksum: 59B622E0

+ Scan result:

:mozilla.123:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.124:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.125:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.98:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
:mozilla.99:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
:mozilla.100:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
:mozilla.17:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies.txt -> Tribalfusion : Ignored
:mozilla.23:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies.txt -> Adbrite : Ignored
:mozilla.123:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.124:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.125:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Ignored
:mozilla.98:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
:mozilla.99:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
:mozilla.100:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Ignored
C:\Documents and Settings\me\Cookies\me@cs.sexcounter[2].txt -> Sexcounter : Ignored
C:\Documents and Settings\me\Cookies\me@sexlist[2].txt -> Sexlist : Ignored
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc30.exe -> Small.kg : Ignored
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc31.exe -> Trojan.Hoster : Ignored
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc32.exe -> Adware.Msnagent : Ignored
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc33.exe -> Adware.FindSpy : Ignored
C:\WINDOWS\system32\cshzf.exe -> TrojanDownloader.Agent.uj : Ignored
D:\Data\Downloads\Windows Packet Editor\wpeproalpha0_8a.zip/WpeSpy.dll -> Not-A-Virus.Sniffer.Win32.WpePro.a : Ignored
D:\Data\Downloads\Protected Storage Password Viewer\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.a : Ignored
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Ignored
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Ignored
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Ignored
D:\Documents and Settings\me\My Documents\My Music\LimeWire\Downloads\Acronis True Image 7.0 crack.rar/Acronis True Image 7.0 crack.exe -> Dialer.Star : Ignored


::Report End

Ran HJT, without selecting any fixes, and saved HJT log, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 5:59:48 PM, on 9/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Data\Downloads\HijackThis\1.99\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [$Volumouse$] "D:\Data\Downloads\VolMouse\volumouse.exe" /nodlg
O4 - Startup: DialUP Speed.msc.lnk = C:\WINDOWS\system32\DialUP Speed.msc
O4 - Startup: Ethereal.lnk = C:\Program Files\Ethereal\ethereal.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetTransport.exe.lnk = C:\Program Files\Xi\NetTransport 2\NetTransport.exe
O4 - Startup: procexp.exe
O4 - Startup: RICOH Gate La.lnk = ?
O4 - Startup: Tcpview.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ran HJT and selected fix all of the 85.255.x.x entries and rpcapd.ini. Here's the HJT log after the fixes.

Logfile of HijackThis v1.99.1
Scan saved at 5:59:48 PM, on 9/06/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Data\Downloads\HijackThis\1.99\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [$Volumouse$] "D:\Data\Downloads\VolMouse\volumouse.exe" /nodlg
O4 - Startup: DialUP Speed.msc.lnk = C:\WINDOWS\system32\DialUP Speed.msc
O4 - Startup: Ethereal.lnk = C:\Program Files\Ethereal\ethereal.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: NetTransport.exe.lnk = C:\Program Files\Xi\NetTransport 2\NetTransport.exe
O4 - Startup: procexp.exe
O4 - Startup: RICOH Gate La.lnk = ?
O4 - Startup: Tcpview.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using Download &Express - C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Ran Ewido in Remove All mode. Ewido finished, but prompted for confirmation of removal of a few files that are in Zip and RAR archives.
Not-A-Virus.Sniffer.Win32.WpePro.a
Not-A-Virus.PSWTool.Win32.PassView.a
Not-A-Virus.HackTool.Win32.John
I chose to remove Not-A-Virus.Sniffer.Win32.WpePro.a but chose to keep the other two, because I'm fairly confident they aren't causing any problems and I may want to use them in future.
Here's the Ewido results.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:33:36 PM, 9/06/2006
+ Report-Checksum: E7A92C1E

+ Scan result:

:mozilla.123:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.124:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.125:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.95:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
:mozilla.96:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
:mozilla.97:C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
:mozilla.123:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.124:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.125:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-2.txt -> Zedo : Cleaned with backup
:mozilla.95:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
:mozilla.96:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
:mozilla.97:C:\Documents and Settings\me\Application Data\Mozilla_old_030905\Firefox\Profiles\default.rdo\cookies-3.txt -> Zedo : Cleaned with backup
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc30.exe -> Small.kg : Cleaned with backup
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc31.exe -> Trojan.Hoster : Cleaned with backup
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc32.exe -> Adware.Msnagent : Cleaned with backup
C:\RECYCLER\S-1-5-21-2000478354-790525478-1801674531-1003\Dc33.exe -> Adware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\cshzf.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
D:\Data\Downloads\Windows Packet Editor\wpeproalpha0_8a.zip/WpeSpy.dll -> Not-A-Virus.Sniffer.Win32.WpePro.a : Cleaned with backup
D:\Data\Downloads\Protected Storage Password Viewer\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.a : Error during cleaning
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Error during cleaning
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Error during cleaning
D:\Data\Downloads\John the Ripper\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.Win32.John : Error during cleaning
D:\Documents and Settings\me\My Documents\My Music\LimeWire\Downloads\Acronis True Image 7.0 crack.rar/Acronis True Image 7.0 crack.exe -> Dialer.Star : Cleaned with backup


::Report End

Ran AVG. AVG did not find any infected files.

Searched for rasphone.pbk.
Found 1 instance in
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk which did contain
IpDnsAddress = 85.255.116.55
IpDns2Address = 85.255.112.136
IpNameAssign = 2

Deleted these 3 lines from the file.
IpDnsAddress = 85.255.116.55
IpDns2Address = 85.255.112.136
IpNameAssign = 2

Opened Control Panel\Network Connections\ but there were no entries. Assume this is a result of XP Safe Mode.

Restarted PC and XP normally.

Opened a DOS window and ran ipconfig /flushdns.
DOS returned this message, "Could not flush the DNS Resolver Cache: Function failed during execution".
Any idea why this ipconfig command doesn't work? Is it because I'm using a dialup connection? I've tried this command a few times in the last 2 years but it's never worked, so I assume it's not because of malware?

Opened Control Panel\Network Connections\.
Now I see Dial-Up, Lan or High-Speed Internet & Wizard.

Opened Control Panel\Network Connections\ Dial-Up properties \ TCP/IP \
Confirmed Obtain IP Address Automatically and Obtain DNS Server Address Automatically are both selected.

Shutdown and powered off pc.

Booted up PC and started XP normally.

Downloaded Panda.
Ran Panda on entire PC.
Panda finished, found 11 Spyware. Couldn't see how to save a log file.
Restarted Panda, Panda started scanning ok.
Panda crashed.

Restarted Panda on Local Disks.
Panda started scanning ok.
While Panda still scanning, Startup Monitor box popped up saying Palm Hotsync Manager was added to
C:\Documents and Settings\me\Start Menu\Programs\Startup.
I don't know why Palm Hotsync Manager ran at that time, I did not initiate it manually.

Panda scanned about 51,000 files, then crashed again.

Any idea why Panda is crashing every time it runs? My IE is Ver. 6.0.2800.1106.xpsp1.020828-1920;
I don't know if IE is causing problems for Panda?

Edited by pacmanj, 09 June 2006 - 07:50 PM.


#4 Guest_Cretemonster_*

Posted 09 June 2006 - 08:45 PM

Go back to Safe Mode and be sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

Search for and Delete if found

C:\WINDOWS\System32\CSHZF.EXE<-- File (Probably dealt with by Ewido)

C:\WINDOWS\System32\run_dos.dll<-- File

C:\WINDOWS\SYSTEM32\DMJVX.EXE<-- File


Now Search your entire system for a file named csr.exe

You can use the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options

Enter csr.exe for a system search.

Don't do anything with it if found, just let me know exactly where it's located.


Restart the Machine and Please run the F-Secure Online Scanner
  • Follow the directions in the F-Secure page for proper Installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Custom Scan and be sure the following are checked.
    • Scan whole System
    • Scan all files
    • Scan whole system for rootkits
    • Scan whole system for spyware
    • Scan inside archives
    • Use advanced heuristics
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the I want to decide item by item button.
  • For each item found, select Disinfect and click Next
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#5 pacmanj

pacmanj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:50 AM

Posted 11 June 2006 - 06:10 PM

Hi Cretemonster,

Downloaded F-Secure Online Scanner Next Generation Beta.

Booted to Safe Mode.

Checked explorer was set to show all "hidden files" and applied them from the desktop down, as per instructions.

Deleted both these files
C:\WINDOWS\System32\run_dos.dll<-- File
C:\WINDOWS\SYSTEM32\DMJVX.EXE<-- File

Searched entire system for csr.exe.
Search found no instances of csr.exe file on entire system.

Restarted pc and XP in normal mode.

Ran F Secure Online Scanner.
Scan whole System
Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics

Manually stopped F Secure whole system scan, decided it would take too many hours to complete.
Decided to just scan C: drive first and maybe D: drive after that.

Restarted F Secure scan.
Scan c: drive only
Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics

When scan completed clicked the I want to decide item by item button.
Selected disinfect.

Here's the F Secure C: drive report

Scanning Report
Sunday, June 11, 2006 07:14:56 - 08:50:18
Computer name: ME
Scanning type: Scan target for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 101293
System: 5801
Not scanned: 144
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
~˜Outlook\outlook.pst
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DDI
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DFD
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DSD
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\KEYWORDS.KDB
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\KEYWORDS.KPF
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\


--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-09
F-Secure Libra: 2.4.1, 2006-06-09
F-Secure Orion: 1.2.37, 2006-06-09
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-00-20
F-Secure Draco: 1.0.35, 2006-06-08
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------

Restarted F Secure scan.
Scan d: drive only
Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics

When scan completed clicked the I want to decide item by item button.
Selected disinfect.

Here's the F Secure D: drive report

Scanning Report
Sunday, June 11, 2006 08:52:27 - 12:56:24
Computer name: ME
Scanning type: Scan target for viruses, rootkits, spyware
Target: D:\


--------------------------------------------------------------------------------

Result: 8 malware found
Email-Worm.Win32.Tanatos.a (virus)
D:\Data\Email\INBOX.PST\[From:DSMtuning@yahoogroups.com DSMtuning@yahoogroups.com][Subj:[DSMtuning] Digest Number 1464]
D:\Data\Email\INBOX.PST\[From:DSMtuning@yahoogroups.com DSMtuning@yahoogroups.com][Subj:[DSMtuning] Digest Number 1464]
HackTool.Win32.John (virus)
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john.exe
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john-k6.zip\john.exe
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john-mmx.zip\john.exe
VBS/Netlog.P (virus)
D:\Documents and Settings\me\Application Data\Microsoft\Outlook\outlook.pst\[From:JudXXX, Alan \O=xxxxxxx\OU=VIC

MONASH\CN=RECIPIENTS\CN=xxxxxxx][Subj:network.vbs]
D:\Data\Email\INBOX.PST\[From:Judxxx, Alan \O=xxxxxxx\OU=VIC xxxxxx\CN=RECIPIENTS\CN=xxxxxxx][Subj:network.vbs]
D:\Data\Email\INBOX.PST\[From:Judxxx, Alan \O=xxxxxxx\OU=VIC xxxxxx\CN=RECIPIENTS\CN=xxxxxxx][Subj:network.vbs]

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 112087
System: 5789
Not scanned: 163
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 8
Submitted: 0
Files not scanned:
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Outlook\outlook.pst
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DDI
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DFD
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\DOCUMENTS.DSD
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\KEYWORDS.KDB
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\APPLICATION DATA\COPERNIC\DESKTOPSEARCH\INDEX\MAINCHUNK\KEYWORDS.KPF
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_060305\FIREFOX\PROFILES\DEFAULT.RDO\CACHE\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA_OLD_030905\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(5)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_001_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_002_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(4)\_CACHE_003_
C:\DOCUMENTS AND SETTINGS\ME\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\DEFAULT.RDO\CACHE(2)\_CACHE_001_
--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-09
F-Secure Libra: 2.4.1, 2006-06-09
F-Secure Orion: 1.2.37, 2006-06-09
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-00-20
F-Secure Draco: 1.0.35, 2006-06-08
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------

Any idea why HJT didn't remove the %ProgramFiles%\WinPcap\rpcapd.exe file when I ticked the box
for HJT to remove it?
I don't think rpcapd.exe is a virus, because I use Ethereal Protocol Analyser and I installed
WinPcap 3.1 so that Ethereal can monitor my dialup modem connection.

Any suggestions on how I can avoid getting these same problems again on my PC?
Would SP2 have prevented these specific infections you have helped me remove?
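A small parser for the F-Secure "Scanning Report" format shown in the two reports above, added here as an example and not code from the thread, F-Secure or BleepingComputer: it pulls out each detection with its locations and the Actions counters, and flags the D: drive hits that were reported but not acted on. The two sample reports are constructed, shortened copies of the ones above; the list of container extensions (.pst, .zip and so on) is my assumption, consistent with the "None: 8" counter and with the advice to delete the mail files.

```python
"""Parse F-Secure Online Scanner "Scanning Report" text and flag detections
that were listed but not acted on.  Added example for this thread, not code
from F-Secure, BleepingComputer or the posters."""
import re

SEPARATOR = "-" * 80
# A detection header looks like "Email-Worm.Win32.Tanatos.a (virus)";
# the lines that follow it are the locations where it was found.
FINDING_RE = re.compile(r"^(?P<name>.+?) \((?P<kind>virus|spyware|riskware|adware)\)$")
# Containers the scanner reports into but leaves intact (assumption).
CONTAINER_EXT = (".pst", ".zip", ".rar", ".cab")

# Constructed, shortened copy of the C: drive report above.
C_REPORT = r"""Scanning Report
Target: C:\
--------------------------------------------------------------------------------
Result: 1 malware found
Possible Browser Hijack attempt (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Actions:
Disinfected: 1
None: 0
"""

# Constructed, shortened copy of the D: drive report above (same names/paths).
D_REPORT = r"""Scanning Report
Target: D:\

--------------------------------------------------------------------------------

Result: 8 malware found
Email-Worm.Win32.Tanatos.a (virus)
D:\Data\Email\INBOX.PST\[From:DSMtuning@yahoogroups.com][Subj:[DSMtuning] Digest Number 1464]
D:\Data\Email\INBOX.PST\[From:DSMtuning@yahoogroups.com][Subj:[DSMtuning] Digest Number 1464]
HackTool.Win32.John (virus)
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john.exe
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john-k6.zip\john.exe
D:\Data\Downloads\John the Ripper\john-16w.zip\john-16\run\john-mmx.zip\john.exe
VBS/Netlog.P (virus)
D:\Documents and Settings\me\Application Data\Microsoft\Outlook\outlook.pst\[Subj:network.vbs]
D:\Data\Email\INBOX.PST\[Subj:network.vbs]
D:\Data\Email\INBOX.PST\[Subj:network.vbs]

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 112087
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 8
Files not scanned:
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Outlook\outlook.pst
"""


def parse_report(report):
    """Return target, the 'Result:' count, each finding with its locations,
    and the numeric counters from the Statistics block."""
    parsed = {"target": None, "found": 0, "findings": [], "stats": {}}
    state = None  # which block of the report we are reading
    for line in report.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if line == SEPARATOR:
            state = None
        elif line.startswith("Target:"):
            parsed["target"] = line.partition(":")[2].strip()
        elif line.startswith("Result:"):
            parsed["found"], state = int(line.split()[1]), "findings"
        elif line == "Statistics":
            state = "stats"
        elif state == "findings":
            m = FINDING_RE.match(line)
            if m:
                parsed["findings"].append({"name": m["name"], "kind": m["kind"], "locations": []})
            elif parsed["findings"]:
                parsed["findings"][-1]["locations"].append(line.strip())
        elif state == "stats":
            # Path lines such as "C:\..." also contain ':' but carry no number.
            key, sep, value = line.partition(":")
            if sep and value.strip().isdigit():
                parsed["stats"][key.strip()] = int(value.strip())
    return parsed


def unresolved(parsed):
    """(name, location, inside_container) for every listed location that the
    scanner did not mark '(Disinfected)'."""
    out = []
    for f in parsed["findings"]:
        for loc in f["locations"]:
            if loc.endswith("(Disinfected)"):
                continue
            inside = any(p.endswith(CONTAINER_EXT) for p in loc.lower().split("\\"))
            out.append((f["name"], loc, inside))
    return out


def action_gap(parsed):
    """Detections found minus detections disinfected/renamed/deleted; equals
    the 'None:' counter when the report is internally consistent."""
    s = parsed["stats"]
    return parsed["found"] - sum(s.get(k, 0) for k in ("Disinfected", "Renamed", "Deleted"))
```

Running `unresolved(parse_report(D_REPORT))` lists all eight D: drive hits as untouched and inside a PST or zip, which matches the "None: 8" counter.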

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 11 June 2006 - 06:22 PM

Ahh, my bad on the service.

Thanks for that info, I'm used to seeing this in logs for other uses! :thumbsup:



D:\Data\Email\INBOX.PST

D:\Data\Downloads\John the Ripper

D:\Documents and Settings\me\Application Data\Microsoft\Outlook\outlook.pst


Better get rid of these, the mail files are either unread or deleted mail.


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Reboot into SAFE MODE(Tap F8 when restarting)


From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and post a fresh HijackThis log and the results from WinPFind.

#7 pacmanj

pacmanj
  • Topic Starter

  • Members
  • 6 posts

Posted 14 June 2006 - 09:56 PM

Hi Cretemonster,
Big thanks for all the help you've been so far.
Whatever was causing the DNS hijacking on my PC has stopped now, which is great.

I looked in the D:\Data\Downloads\John the Ripper directory
and all the files have been deleted by one of the previous
procedures we did. The zip file is still there, I'm happy
to leave the zip file there for now. Is that OK? Will it do any harm
just sitting there in zip form?

Do I really have to completely delete these mail archives?
D:\Data\Email\INBOX.PST
D:\Documents and Settings\me\Application Data\Microsoft\Outlook\outlook.pst

I don't want to just delete them. Copernic Desktop Search has
indexed these mail archives and I'd like to keep them on my hard
drive so they are easily accessed.

Had a bit of hassle running the WinPfind program, it seemed to get stuck, it ran CPU up to 98% due to
continuous hardware interrupts. After about 40min I looked closer and saw it was examining an old system memory dump file 512Mbytes, so I stopped it, deleted the dump and restarted it and it finished in
about 2 minutes.

Here's the log from the WinPfind program.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\LPT$VPN.615
qoologic 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\LPT$VPN.615
SAHAgent 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\LPT$VPN.615
UPX! 7/05/2005 6:58:02 AM 170053 C:\WINDOWS\tsc.exe
PECompact2 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\VPTNFILE.615
qoologic 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\VPTNFILE.615
SAHAgent 7/05/2005 6:57:58 AM 14877673 C:\WINDOWS\VPTNFILE.615
UPX! 7/05/2005 6:58:00 AM 1044560 C:\WINDOWS\vsapi32.dll
aspack 7/05/2005 6:58:00 AM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 23/08/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 27/10/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 27/10/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
Umonitor 29/08/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 16/09/2003 1:19:48 AM 10240 C:\WINDOWS\SYSTEM32\virport.dll
winsync 23/08/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 3/06/2006 12:33:34 AM 667744 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 3/06/2006 12:33:34 AM 667744 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 3/06/2006 12:33:34 AM 667744 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
15/06/2006 4:15:16 AM S 2048 C:\WINDOWS\bootstat.dat
8/06/2006 7:31:08 PM H 54156 C:\WINDOWS\QTFont.qfn
12/06/2006 8:08:30 AM H 1005 C:\WINDOWS\system32\vsconfig.xml
15/06/2006 4:15:08 AM H 8192 C:\WINDOWS\system32\config\default.LOG
15/06/2006 4:15:40 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
15/06/2006 4:15:18 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
15/06/2006 4:15:42 AM H 45056 C:\WINDOWS\system32\config\software.LOG
15/06/2006 4:15:16 AM H 933888 C:\WINDOWS\system32\config\system.LOG

Checking for CPL files...
Microsoft Corporation 23/08/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 1/04/2003 7:47:50 PM 6652928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 29/08/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
29/05/2005 11:00:00 PM 187904 C:\WINDOWS\SYSTEM32\everest_cpl.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 11/03/2003 12:18:48 PM R 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Ahead Software AG 9/12/2003 6:16:02 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 29/08/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/08/2003 5:23:34 PM 61547 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
24/10/2004 10:28:02 PM 126976 C:\WINDOWS\SYSTEM32\PixVue.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 11/03/2003 4:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
SiSoftware 12/08/2004 2:53:56 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
29/12/2002 12:14:38 AM 81920 C:\WINDOWS\SYSTEM32\Startup.cpl
Microsoft Corporation 29/08/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 23/08/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Intel Corporation 11/03/2003 12:18:48 PM R 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\igfxcpl.cpl
Intel Corporation 11/03/2003 12:18:48 PM R 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 1/04/2003 7:47:50 PM 6652928 C:\WINDOWS\SYSTEM32\ReinstallBackups\0013\DriverFiles\ALSNDMGR.CPL

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
21/08/2004 1:06:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21/08/2004 12:54:22 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
30/07/2004 10:43:42 AM HS 84 C:\Documents and Settings\me\Start Menu\Programs\Startup\desktop.ini
2/01/2006 12:45:18 PM 658 C:\Documents and Settings\me\Start Menu\Programs\Startup\DialUP Speed.msc.lnk
10/06/2006 5:58:00 AM 311 C:\Documents and Settings\me\Start Menu\Programs\Startup\Downloads.lnk
2/01/2006 12:46:30 PM 702 C:\Documents and Settings\me\Start Menu\Programs\Startup\Ethereal.lnk
30/07/2004 2:34:36 PM 1467 C:\Documents and Settings\me\Start Menu\Programs\Startup\HotSync Manager.lnk
2/01/2006 12:43:44 PM 805 C:\Documents and Settings\me\Start Menu\Programs\Startup\NetTransport.exe.lnk
21/12/2004 3:06:28 PM 561207 C:\Documents and Settings\me\Start Menu\Programs\Startup\procexp.exe
30/07/2004 3:33:32 PM 503 C:\Documents and Settings\me\Start Menu\Programs\Startup\RICOH Gate La.lnk
5/01/2005 1:52:54 PM 94208 C:\Documents and Settings\me\Start Menu\Programs\Startup\Tcpview.exe

Checking files in %USERPROFILE%\Application Data folder...
30/07/2004 8:26:26 PM HS 62 C:\Documents and Settings\me\Application Data\desktop.ini
28/04/2006 12:02:46 AM 5 C:\Documents and Settings\me\Application Data\kc.tmp

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\GSplitMenu
{E2E223C0-5EE1-11D3-8528-FF3E959B4437} = C:\WINDOWS\System\GSplitExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinMerge
{4E716236-AA30-4C65-B225-D68BBA81E9C2} = C:\Program Files\WinMerge\ShellExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PixVueContextMenu
{E376AE75-7C59-4487-B40C-082CCBB4ABDE} = C:\Program Files\PixVue.Com\PixVue\bin\PixVue.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinMerge
{4E716236-AA30-4C65-B225-D68BBA81E9C2} = C:\Program Files\WinMerge\ShellExtension.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{5D2257E7-CCBF-496F-A579-0E5625E2E15B}
= C:\Program Files\PixVue.Com\PixVue\bin\PixVue.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C56CB6B0-0D96-11D6-8C65-B2868B609932}
NTIECatcher Class = C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{92A40B0A-740A-4A11-9DDB-70460C6DA383}
Copernic Desktop Search = C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C5F7A735-70F1-477F-8C36-6FF3C736017B}
Copernic Desktop Search = C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{C5F7A735-70F1-477F-8C36-6FF3C736017B} = Copernic Desktop Search : C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{36ECAF82-3300-8F84-092E-AFF36D6C7040}
ButtonText = Run WinHTTrack :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{200B4767-4E46-4A4F-B2A0-D23A0E30B592} = &PixVue Companion : C:\Program Files\PixVue.Com\PixVue\bin\PixVue.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\System32\igfxtray.exe
PRONoMgr.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
Run StartupMonitor StartupMonitor.exe
LTMSG LTMSG.exe 7
Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
UIWatcher C:\Program Files\Ashampoo\Ashampoo UnInstaller Suite Plus\UnInstaller Suite\UIWatcher.exe
Copernic Desktop Search "C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
$Volumouse$ "D:\Data\Downloads\VolMouse\volumouse.exe" /nodlg
Pop-Up-Blocker
BlockAds

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoWelcomeScreen 1
NoCDBurning 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop
NoSaveSettings 1
ClearRecentDocsOnExit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


<<<<<<<<<< Checking for AddOn Monitors.def information >>>>>>>>>>
Parameter line : regkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors found!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor
Driver cnbjmon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
Driver localspl.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor
Driver FXSMON.DLL


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor
Driver pjlmon.dll
EOJTimeout 60000


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
Driver tcpmon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
StatusUpdateInterval 10
StatusUpdateEnabled 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
Driver usbmon.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\virprnt
Driver virport.dll



<<<<<<<<<< Checking for AddOn OpenCommand.def information >>>>>>>>>>
>>>>>>>>>> Exporting Shell Open\Command entries
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command found!
"%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command found!
regedit.exe "%1"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command found!
"%1" /S

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command found!

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command found!
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command found!
"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command found!


<<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

<<<<<<<<<< Checking for AddOn Qoologic.def information >>>>>>>>>>
>>>>>>>>>> Search by size and name
>>>>>>>>>> Files found by this method are not necessarily bad
>>>>>>>>>> Example PNGFILT.DLL is a windows file
Parameter line : file=%sysdir%;*.exe;150;61952;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7680;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;91648;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;81920;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7168;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;65536;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;redit.cpl;;;;;
File C:\WINDOWS\SYSTEM32\redit.cpl was not found!
Parameter line : file=%sysdir%;conres.cpl;;;;;
File C:\WINDOWS\SYSTEM32\conres.cpl was not found!
Parameter line : file=%sysdir%;datadx.dll;;;;;
File C:\WINDOWS\SYSTEM32\datadx.dll was not found!
Parameter line : file=%sysdir%;*.dll;150;10240;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10240 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;46080;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 46080 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;34816;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 34816 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;16384;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 16384 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;29184;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 29184 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;26624;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 26624 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;9728;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 9728 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;10843;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;18432;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 18432 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;23040;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 23040 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;17920;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 17920 bytes was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>> Misc Checks
Parameter line : file=%sysdir%;*.dat;150;81920;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;61952;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;65536;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7680;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;91648;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7168;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%windir%;*.dll;150;10843;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3950;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 3950 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3943;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 3943 bytes was not found!

<<<<<<<<<< Checking for AddOn RDriv.def information >>>>>>>>>>
Registry Entries
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\OLE;;
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE found!
EnableDCOM Y

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\NONREDIST
System.EnterpriseServices.Thunk.dll


Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate;;
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall;;
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters found!
autodisconnect 15
enableforcedlogoff 1
enablesecuritysignature 0
requiresecuritysignature 0
Lmannounce 0
Size 1
Guid ™y1,G0‘ƒ^B
CachedOpenLimit 0
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters found!
enableplaintextpassword 0
enablesecuritysignature 1
requiresecuritysignature 0

Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions found!

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{00022613-0000-0000-C000-000000000046} Multimedia File Property Sheet
{176d6597-26d3-11d1-b350-080036a75b03} ICM Scanner Management
{1F2E5C40-9550-11CE-99D2-00AA006E086C} NTFS Security Page
{3EA48300-8CF6-101B-84FB-666CCB9BCD32} OLE Docfile Property Page
{40dd6e20-7c17-11ce-a804-00aa003ca9f6} Shell extensions for sharing
{41E300E0-78B6-11ce-849B-444553540000} PlusPack CPL Extension
{42071712-76d4-11d1-8b24-00a0c9068ff3} Display Adapter CPL Extension
{42071713-76d4-11d1-8b24-00a0c9068ff3} Display Monitor CPL Extension
{42071714-76d4-11d1-8b24-00a0c9068ff3} Display Panning CPL Extension
{4E40F770-369C-11d0-8922-00A024AB2DBB} DS Security Page
{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} Compatibility Page
{56117100-C0CD-101B-81E2-00AA004AE837} Shell Scrap DataHandler
{59099400-57FF-11CE-BD94-0020AF85B590} Disk Copy Extension
{59be4990-f85c-11ce-aff7-00aa003ca9f6} Shell extensions for Microsoft Windows Network objects
{5DB2625A-54DF-11D0-B6C4-0800091AA605} ICM Monitor Management
{675F097E-4C4D-11D0-B6C1-0800091AA605} ICM Printer Management
{764BF0E1-F219-11ce-972D-00AA00A14F56} Shell extensions for file compression
{77597368-7b15-11d0-a0c2-080036af3f03} Web Printer Shell Extension
{7988B573-EC89-11cf-9C00-00AA00A14F56} Disk Quota UI
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Encryption Context Menu
{85BBD920-42A0-1069-A2E4-08002B30309D} Briefcase
{88895560-9AA2-1069-930E-00AA0030EBC8} HyperTerminal Icon Ext
{BD84B380-8CA2-1069-AB1D-08000948F534} Fonts
{DBCE2480-C732-101B-BE72-BA78E9AD5B27} ICC Profile
{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} Printers Security Page
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} Shell extensions for sharing
{f92e8c40-3d33-11d2-b1aa-080036a75b03} Display TroubleShoot CPL Extension
{7444C717-39BF-11D1-8CD9-00C04FC29D45} Crypto PKO Extension
{7444C719-39BF-11D1-8CD9-00C04FC29D45} Crypto Sign Extension
{7007ACC7-3202-11D1-AAD2-00805FC1270E} Network Connections
{992CFFA0-F557-101A-88EC-00DD010CCC48} Network Connections
{E211B736-43FD-11D1-9EFB-0000F8757FCD} Scanners & Cameras
{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} Scanners & Cameras
{905667aa-acd6-11d2-8080-00805f6596d2} Scanners & Cameras
{3F953603-1008-4f6e-A73A-04AAC7A992F1} Scanners & Cameras
{83bbcbf3-b28a-4919-a5aa-73027445d672} Scanners & Cameras
{F0152790-D56E-4445-850E-4F3117DB740C} Remote Sessions CPL Extension
{5F327514-6C5E-4d60-8F16-D07FA08A78ED} Auto Update Property Sheet Extension
{60254CA5-953B-11CF-8C96-00AA00B8708C} Shell extensions for Windows Script Host
{2206CDB2-19C1-11D1-89E0-00C04FD7A829} Microsoft Data Link
{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} Tasks Folder Icon Handler
{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} Tasks Folder Shell Extension
{D6277990-4C6A-11CF-8D87-00AA0060F5BF} Scheduled Tasks
{0DF44EAA-FF21-4412-828E-260A8728E7F1} Taskbar and Start Menu
{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} Search
{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} Help and Support
{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} Help and Support
{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} Run...
{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} Internet
{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} E-mail
{D20EA4E1-3957-11d2-A40B-0C5020524152} Fonts
{D20EA4E1-3957-11d2-A40B-0C5020524153} Administrative Tools
{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} Audio Media Properties Handler
{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} Video Media Properties Handler
{E4B29F9D-D390-480b-92FD-7DDB47101D71} Wav Properties Handler
{87D62D94-71B3-4b9a-9489-5FE6850DC73E} Avi Properties Handler
{A6FD9E45-6E44-43f9-8644-08598F5A74D9} Midi Properties Handler
{c5a40261-cd64-4ccf-84cb-c394da41d590} Video Thumbnail Extractor
{5E6AB780-7743-11CF-A12B-00AA004AE837} Microsoft Internet Toolbar
{22BF0C20-6DA7-11D0-B373-00A0C9034938} Download Status
{91EA3F8B-C99B-11d0-9815-00C04FD91972} Augmented Shell Folder
{6413BA2C-B461-11d1-A18A-080036B11A03} Augmented Shell Folder 2
{F61FFEC1-754F-11d0-80CA-00AA005B4383} BandProxy
{7BA4C742-9E81-11CF-99D3-00AA004AE837} Microsoft BrowserBand
{30D02401-6A81-11d0-8274-00C04FD5AE38} Search Band
{32683183-48a0-441b-a342-7c2a440a9478} Media Band
{169A0691-8DF9-11d1-A1C4-00C04FD75D13} In-pane search
{07798131-AF23-11d1-9111-00A0C98BA67D} Web Search
{AF4F6510-F982-11d0-8595-00AA004CD6D8} Registry Tree Options Utility
{01E04581-4EEE-11d0-BFE9-00AA005B4383} &Address
{A08C11D2-A228-11d0-825B-00AA005B4383} Address EditBox
{00BB2763-6A77-11D0-A535-00C04FD7D062} Microsoft AutoComplete
{7376D660-C583-11d0-A3A5-00C04FD706EC} TridentImageExtractor
{6756A641-DE71-11d0-831B-00AA005B4383} MRU AutoComplete List
{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} Custom MRU AutoCompleted List
{7e653215-fa25-46bd-a339-34a2790f3cb7} Accessible
{acf35015-526e-4230-9596-becbe19f0ac9} Track Popup Bar
{E0E11A09-5CB8-4B6C-8332-E00720A168F2} Address Bar Parser
{00BB2764-6A77-11D0-A535-00C04FD7D062} Microsoft History AutoComplete List
{03C036F1-A186-11D0-824A-00AA005B4383} Microsoft Shell Folder AutoComplete List
{00BB2765-6A77-11D0-A535-00C04FD7D062} Microsoft Multiple AutoComplete List Container
{ECD4FC4E-521C-11D0-B792-00A0C90312E1} Shell Band Site Menu
{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} Shell DeskBarApp
{ECD4FC4C-521C-11D0-B792-00A0C90312E1} Shell DeskBar
{ECD4FC4D-521C-11D0-B792-00A0C90312E1} Shell Rebar BandSite
{DD313E04-FEFF-11d1-8ECD-0000F87A470C} User Assist
{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} Global Folder Settings
{EFA24E61-B078-11d0-89E4-00C04FC9E26E} Favorites Band
{0A89A860-D7B1-11CE-8350-444553540000} Shell Automation Inproc Service
{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} Shell DocObject Viewer
{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} Microsoft Browser Architecture
{FBF23B40-E3F0-101B-8488-00AA003E56F8} InternetShortcut
{3C374A40-BAE4-11CF-BF7D-00AA006946EE} Microsoft Url History Service
{FF393560-C2A7-11CF-BFF4-444553540000} History
{7BD29E00-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
{7BD29E01-76C1-11CF-9DD0-00A0C9034933} Temporary Internet Files
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} Microsoft Url Search Hook
{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} IE4 Suite Splash Screen
{67EA19A0-CCEF-11d0-8024-00C04FD75D13} CDF Extension Copy Hook
{131A6951-7F78-11D0-A979-00C04FD705A2} ISFBand OC
{9461b922-3c5a-11d2-bf8b-00c04fb93661} Search Assistant OC
{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} The Internet
{871C5380-42A0-1069-A2EA-08002B30309D} Internet Name Space
{EFA24E64-B078-11d0-89E4-00C04FC9E26E} Explorer Band
{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} Sendmail service
{88C6C381-2E85-11D0-94DE-444553540000} ActiveX Cache Folder
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} WebCheck
{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} Subscription Mgr
{F5175861-2688-11d0-9C5E-00AA00A45957} Subscription Folder
{08165EA0-E946-11CF-9C87-00AA005127ED} WebCheckWebCrawler
{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} WebCheckChannelAgent
{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} TrayAgent
{7D559C10-9FE9-11d0-93F7-00AA0059CE02} Code Download Agent
{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} ConnectionAgent
{D8BD2030-6FC9-11D0-864F-00AA006809D9} PostAgent
{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} WebCheck SyncMgr Handler
{352EC2B7-8B9A-11D1-B8AE-006008059382} Shell Application Manager
{0B124F8F-91F0-11D1-B8B5-006008059382} Installed Apps Enumerator
{CFCCC7A0-A282-11D1-9082-006008059382} Darwin App Publisher
{e84fda7c-1d6a-45f6-b725-cb260c236066} Shell Image Verbs
{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} Shell Image Data Factory
{3F30C968-480A-4C6C-862D-EFC0897BB84B} GDI+ file thumbnail extractor
{9DBD2C50-62AD-11d0-B806-00C04FD706EC} Summary Info Thumbnail handler (DOCFILES)
{EAB841A0-9550-11cf-8C16-00805F1408F3} HTML Thumbnail Extractor
{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} Shell Image Property Handler
{CC6EEFFB-43F6-46c5-9619-51D571967F7D} Web Publishing Wizard
{add36aa8-751a-4579-a266-d66f5202ccbb} Print Ordering via the Web
{6b33163c-76a5-4b6c-bf21-45de9cd503a1} Shell Publishing Wizard Object
{58f1f272-9240-4f51-b6d4-fd63d1618591} Get a Passport Wizard
{7A9D77BD-5403-11d2-8785-2E0420524153} User Accounts
{63da6ec0-2e98-11cf-8d82-444553540000} FTP Folders Webview
{883373C3-BF89-11D1-BE35-080036B11A03} Microsoft DocProp Shell Ext
{A9CF0EAE-901A-4739-A481-E35B73E47F6D} Microsoft DocProp Inplace Edit Box Control
{8EE97210-FD1F-4B19-91DA-67914005F020} Microsoft DocProp Inplace ML Edit Box Control
{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} Microsoft DocProp Inplace Droplist Combo Control
{6A205B57-2567-4A2C-B881-F787FAB579A3} Microsoft DocProp Inplace Calendar Control
{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} Microsoft DocProp Inplace Time Control
{8A23E65E-31C2-11d0-891C-00A024AB2DBB} Directory Query UI
{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} Shell properties for a DS object
{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} Directory Object Find
{F020E586-5264-11d1-A532-0000F8757D7E} Directory Start/Search Find
{0D45D530-764B-11d0-A1CA-00AA00C16E65} Directory Property UI
{62AE1F9A-126A-11D0-A14B-0800361B1103} Directory Context Menu Verbs
{ECF03A33-103D-11d2-854D-006008059367} MyDocs Copy Hook
{ECF03A32-103D-11d2-854D-006008059367} MyDocs Drop Target
{4a7ded0a-ad25-11d0-98a8-0800361b1103} MyDocs Properties
{750fdf0e-2a26-11d1-a3ea-080036587f03} Offline Files Menu
{10CFC467-4392-11d2-8DB4-00C04FA31A66} Offline Files Folder Options
{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} Offline Files Folder
{143A62C8-C33B-11D1-84FE-00C04FA34A14} Microsoft Agent Character Property Sheet Handler
{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} DfsShell
{60fd46de-f830-4894-a628-6fa81bc0190d} %DESC_PublishDropTarget%
{7A80E4A8-8005-11D2-BCF8-00C04F72C717} MMC Icon Handler
{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} .CAB file viewer
{32714800-2E5F-11d0-8B85-00AA0044F941} For &People...
{8DD448E6-C188-4aed-AF92-44956194EB1F} Windows Media Player Play as Playlist Context Menu Handler
{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} Windows Media Player Burn Audio CD Context Menu Handler
{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} Windows Media Player Add to Playlist Context Menu Handler
{1D2680C9-0E2A-469d-B787-065558BC7D43} Fusion Cache
{0006F045-0000-0000-C000-000000000046} Microsoft Outlook Custom Icon Handler
{E0D79304-84BE-11CE-9641-444553540000} WinZip
{E0D79305-84BE-11CE-9641-444553540000} WinZip
{E0D79306-84BE-11CE-9641-444553540000} WinZip
{E0D79307-84BE-11CE-9641-444553540000} WinZip
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} Shell Extensions for RealOne Player
{e57ce731-33e8-4c51-8354-bb4de9d215d1} Universal Plug and Play Devices
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} Compressed (zipped) Folder
{BD472F60-27FA-11cf-B8B4-444553540000} Compressed (zipped) Folder Right Drag Handler
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} Compressed (zipped) Folder SendTo Target
{f39a0dc0-9cc8-11d0-a599-00c04fd64433} Channel File
{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} Channel Shortcut
{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} Channel Handler Object
{f3da0dc0-9cc8-11d0-a599-00c04fd64437} Channel Menu
{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} Channel Properties
{58670320-13EC-11D0-BF8E-F7B4D9CD8E4A} Folder Size Shell Extension v3.2
{0DF49261-F891-4A12-9092-EC3566EADCCC} PixVuePropertySheet Class
{E376AE75-7C59-4487-B40C-082CCBB4ABDE} PixVueContextMenu Class
{F36B4023-B4F2-4C40-9CDC-0E1B0C66F1FC} PixVueInfoTip Class
{5D2257E7-CCBF-496F-A579-0E5625E2E15B} PixVueColumnProvider Class
{89434BB7-16EA-4562-8372-5AD47F18F97B} PixVueNamespace Class
{0117FFFB-91FD-414E-AC34-A00531032006} PixVueShellIconOverlayIdentifier Class
{3E57A8B6-849B-476E-A3E9-CFCE49E3662A} PixVueExifShellIconOverlayIdentifier Class
{F0C13C81-FB8D-464e-873F-F8FF999E3EEC} PixVueXmpShellIconOverlayIdentifier Class
{BCA5FB3A-9FC1-4465-ACE3-8C2072449164} PixVueIptcShellIconOverlayIdentifier Class
{E1C1BE26-35A8-4999-A3A6-235CB7BD558B} PixVueExifXmpShellIconOverlayIdentifier Class
{E3F36090-0540-418f-8136-074D5B255B59} PixVueExifIptcShellIconOverlayIdentifier Class
{2E9BD3CA-A57F-450b-B1BA-A6A58C0C1D51} PixVueExifBothShellIconOverlayIdentifier Class
{E2E223C0-5EE1-11D3-8528-FF3E959B4437} GSplit Context Menu Shell Extension.
{4E716236-AA30-4C65-B225-D68BBA81E9C2} WinMerge_Shell Extension
{5a61f7a0-cde1-11cf-9113-00aa00425c62} IIS Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} AVG7 Shell Extension
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} AVG7 Find Extension


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} AVG7 Find Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} AVG7 Shell Extension

Files
Parameter line : File=%sysdir%;rdriv.sys;;;;;
File C:\WINDOWS\SYSTEM32\rdriv.sys was not found!
Parameter line : File=%sysdir%;ItunesMusic.exe;;;;;
File C:\WINDOWS\SYSTEM32\ItunesMusic.exe was not found!
Parameter line : File=%sysdir%;wkssvc.exe;;;;;
File C:\WINDOWS\SYSTEM32\wkssvc.exe was not found!
Parameter line : File=%windir%;ItunesMusic.exe;;;;;
File C:\WINDOWS\ItunesMusic.exe was not found!
Parameter line : File=%windir%;wkssvc.exe;;;;;
File C:\WINDOWS\wkssvc.exe was not found!

<<<<<<<<<< Checking for AddOn SharedTaskScheduler.def information >>>>>>>>>>
>>>>>>>>>> Exporting Policies from HKLM
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler found!
{438755C2-A8BA-11D1-B96B-00A0C90312E1} Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} Component Categories cache daemon


<<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
>>>>>>>>>> PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Parameter line : file=%sysdir%;*.exe;300;55304;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;4096;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;28680;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 28680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;11264;;;
23/08/2001 10:00:00 PM 11264 C:\WINDOWS\SYSTEM32\attrib.exe found!
23/08/2001 10:00:00 PM 11264 C:\WINDOWS\SYSTEM32\chkntfs.exe found!
23/08/2001 10:00:00 PM 11264 C:\WINDOWS\SYSTEM32\fxssend.exe found!
23/08/2001 10:00:00 PM 11264 C:\WINDOWS\SYSTEM32\rasdial.exe found!
Parameter line : file=%sysdir%;*.ren;300;43528;;;
File C:\WINDOWS\SYSTEM32\*.ren for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;ntfsnlpa.exe;;;;;
File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe was not found!
Parameter line : file=%sysdir%;cisvvc.exe;;;;;
File C:\WINDOWS\SYSTEM32\cisvvc.exe was not found!
Parameter line : file=%sysdir%;drv2cltr.dll;;;;;
File C:\WINDOWS\SYSTEM32\drv2cltr.dll was not found!
Parameter line : file=%sysdir%;hybsys32.dll;;;;;
File C:\WINDOWS\SYSTEM32\hybsys32.dll was not found!
Parameter line : file=%sysdir%;loadctr.exe;;;;;
File C:\WINDOWS\SYSTEM32\loadctr.exe was not found!
Parameter line : file=%sysdir%;rdsndin.exe;;;;;
File C:\WINDOWS\SYSTEM32\rdsndin.exe was not found!
Parameter line : file=%sysdir%;pxpcya64.exe;;;;;
File C:\WINDOWS\SYSTEM32\pxpcya64.exe was not found!
Parameter line : file=%windir%;*.exe;300;55304;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%windir%;*.exe;300;43528;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%windir%;*.exe;300;4096;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%windir%;rdt.ini;;;;;
File C:\WINDOWS\rdt.ini was not found!
Parameter line : file=%windir%;baloon.wav;;;;;
File C:\WINDOWS\baloon.wav was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>>Registry keys to look for
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
system
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\WareOut not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\WareOut;;
HKEY_CURRENT_USER\Software\WareOut not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoBandCustomize;;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer found!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoBandCustomize not found!
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion;Disabled;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\Disabled not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar;;
HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\SearchToolbar;;
HKEY_CURRENT_USER\Software\SearchToolbar not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser;{08BEC6AA-49FC-4379-3587-4B21E286C19E};;
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser found!
HKEY_CURRENT_USER\Software\Microsoft\Int

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 15 June 2006 - 03:36 AM

Have you made any registry tweaks on this machine?

As far as the zip and the mails, that's your call as long as you know the risks involved.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 pacmanj

pacmanj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:50 AM

Posted 24 June 2006 - 06:20 PM

Cretemonster,
I ran Kaspersky Online Scanner. The first time it ran, I went to have a coffee; when I came back, WinXP had restarted and was displaying the login screen. After I logged back in I checked the Event log for Application error messages but there weren't any. At the time of the crash my PC was running at 95% CPU usage due to me having lots of tabs open in the Opera browser. I think the high CPU % was the main cause of WinXP crashing while KOS was running; I don't think it was due to some evil malware effect?

Approx. 10 days later, when I re-ran Kaspersky Online Scanner, it gave me an error message telling me the trial had ended, and it would not run.
I don't think I'd like to keep trying to run Kaspersky if it's not absolutely necessary?

I was able to use Outlook to successfully manually delete one of the 2 infected email messages. I intend to delete the 2nd infected email message when I can.


As for the Registry, I'm not sure what you mean by tweak? I think at one time I tried out one or two options using a program called TweakUI, but I don't think I ended up choosing to keep the changes.
Browsing through my hard drive, I see I have a program called TweakXP on my disk, but I don't think I ever actually went through with using any of the tweaks it offers.

In Aug 2005 I manually added the TcpTimedWaitDelay parameter to the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\TcpTimedWaitDelay
so that I could set it to its minimal value of 30, so that I might speed up my web browsing.

That's all I can recall as far as tweaking (manually editing) the registry goes.

Why do you ask ? Are you concerned about specific registry keys ?

Cretemonster, at this time I'm happy to consider my original malware problem successfully fixed. Unless there are any other specific things that you have seen in the logs I have posted, I'd like to declare this thread successfully resolved. :thumbsup:

Edited by pacmanj, 24 June 2006 - 06:27 PM.


#10 pacmanj

pacmanj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 24 June 2006 - 06:23 PM

duplicate post

Edited by pacmanj, 24 June 2006 - 06:25 PM.


#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 24 June 2006 - 06:29 PM

That works for me. Here are some suggestions to help you stay secure in the future.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore


Go ahead and re-enable System Restore and restart the PC. This will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates at least twice a week.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :thumbsup:
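The WinHelp2002 hosts file recommended above works by mapping unwanted names to a sink address so they never resolve to a real server; a DNS-hijacking infection can do the opposite in the same file, sending legitimate vendor and update names to an address the attacker controls. Once a blocklist with thousands of lines is installed, a handful of hijack lines are easy to miss by eye. The script below is an added example for this thread, not code from the original post or from the MVPS hosts project: it parses a hosts file and groups entries into blocklist sinks, LAN hosts (RFC 1918 and link-local ranges), and everything else, which is the short list worth reading. The sample hosts text is constructed for the example, and its domain names are placeholders under the `.test` reserved TLD.

```python
"""Audit a Windows hosts file: blocklist entries versus hijack-style entries.

Added example for this thread; not code from the original post or from the
WinHelp2002/MVPS hosts project. Blocklist files map unwanted names to a sink
address (0.0.0.0 or 127.0.0.1). A hijack maps a legitimate name to some other
address, so entries that are neither sinks nor LAN addresses get flagged.
The sample hosts text at the bottom is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Addresses blocklists use to sink a name; 0.0.0.0 avoids even a connect attempt.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# RFC 1918 and link-local ranges: an entry here is a LAN host, not a hijack.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: list


def parse_hosts(text):
    """Parse hosts-file text; comments, blank and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                               # blank, or address without a name
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                               # Windows ignores non-IP lines
        entries.append(HostsEntry(lineno, address, [n.lower() for n in names]))
    return entries


def classify(entry):
    """'sink' = blocklist/loopback, 'lan' = private address, 'redirect' = review."""
    if entry.address in SINK_ADDRESSES:
        return "sink"
    ip = ipaddress.ip_address(entry.address)
    if any(ip in net for net in LAN_NETWORKS):    # mixed v4/v6 compares as False
        return "lan"
    return "redirect"


def audit_hosts(text):
    """Group entries by class; the 'redirect' list is the one to read line by line."""
    groups = {"sink": [], "lan": [], "redirect": []}
    for entry in parse_hosts(text):
        groups[classify(entry)].append(entry)
    return groups


# Constructed sample: a normal blocklist plus one hijack-style line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries in the style of a WinHelp2002 blocklist]
0.0.0.0 ads.example-tracker.test
0.0.0.0 banner.example-adserver.test   # ad server
192.168.1.20    nas.home.lan
# a hijack sends a real vendor name to a non-loopback address
203.0.113.7     www.example-antivirus.test update.example-antivirus.test
this line has no address and is ignored
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sink'])} sink entries, {len(report['lan'])} LAN entries")
    for e in report["redirect"]:
        print(f"line {e.lineno}: {e.address} -> {', '.join(e.names)}  <- review")
```

Point it at `C:\WINDOWS\system32\drivers\etc\hosts` with `open(path, encoding="latin-1")` to audit a live file; a LAN entry is not proof of innocence either, since a compromised router can play the same trick with a private address, so read that group too if the machine's DNS was being redirected.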




