Unknown Virus Infected Files W32/downloader.abdt


9 replies to this topic

#1 cuda


Posted 01 July 2006 - 06:31 PM

I have Cox Communications anti-virus. It is telling me I have a couple of files that are infected. It's showing the files W32/downloader.ABDT and then another file called Eqn3d9.dll. I've run Spybot, Ad-aware, Hijack-this, and the Stinger file. I tried starting in safe mode and deleting the Eqn3d9.dll file using Hijack-This, but it just keeps coming back. Any ideas how to remove this? Below is my Hijack-This log. Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:08 PM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1143500349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bluebabe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5a6e3567-ad39-4530-aed7-65f5f5e701e6} - C:\WINDOWS\system32\Eqn3d9.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143500349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima.gov/gis/mapguide/viewe...65/mgaxctrl.cab
O20 - Winlogon Notify: Eqn3d9 - C:\WINDOWS\SYSTEM32\Eqn3d9.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: URLREWIN - {EB9BDABE-1BD2-445B-9A13-BA9C7D2E3CA9} - c:\windows\system32\netknl.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Guest_Cretemonster_*


Posted 02 July 2006 - 08:41 AM

Hi cuda and Welcome to the Bleeping Computer!


Did you install this Keylogger??

O21 - SSODL: URLREWIN - {EB9BDABE-1BD2-445B-9A13-BA9C7D2E3CA9} - c:\windows\system32\netknl.dll



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\Eqn3d9.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Reboot into SAFE MODE (Tap F8 when restarting)


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {5a6e3567-ad39-4530-aed7-65f5f5e701e6} - C:\WINDOWS\system32\Eqn3d9.dll

O20 - Winlogon Notify: Eqn3d9 - C:\WINDOWS\SYSTEM32\Eqn3d9.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button



Restart Normal and Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report in your next reply.
Post back with a fresh HijackThis log and the report from F-Secure
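The reasoning behind the three entries picked out above (the same DLL registered both as a BHO and as a Winlogon Notify package, plus the SSODL entry) can be automated over a HijackThis 1.99 log. The following is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the log posted above plus Spybot's own BHO, whose path contains " - " and is the edge case the parser has to handle.

```python
"""Triage of the O2/O20/O21 lines of a HijackThis 1.99 log.

Added example, not part of the original thread or of HijackThis. It groups
the BHO (O2), Winlogon Notify (O20) and SSODL (O21) entries by the DLL they
load and ranks a DLL registered in more than one auto-load location highest.
A Winlogon Notify DLL is loaded into winlogon.exe at logon, so deleting the
file alone, even in safe mode, leaves the registry entries in place; that is
why the entries are fixed in HijackThis and the file is deleted on reboot.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: lines copied from the log posted above, plus Spybot's
# own BHO, whose path contains " - " and would break a naive split on " - ".
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5a6e3567-ad39-4530-aed7-65f5f5e701e6} - C:\WINDOWS\system32\Eqn3d9.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: Eqn3d9 - C:\WINDOWS\SYSTEM32\Eqn3d9.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: URLREWIN - {EB9BDABE-1BD2-445B-9A13-BA9C7D2E3CA9} - c:\windows\system32\netknl.dll
"""

# Sections whose last field is a DLL that Windows loads automatically.
DLL_SECTIONS = {"O2", "O20", "O21"}

LINE_RE = re.compile(r"^(?P<sec>O\d+) - (?P<label>[^:]+): (?P<rest>.*)$")
# O2 and O21: "<name> - {CLSID} - <path>". Anchoring on the CLSID means a
# " - " inside the path is not mistaken for the field separator.
CLSID_RE = re.compile(r"^(?P<name>.+?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
# O20: "<name> - <path>"
NOTIFY_RE = re.compile(r"^(?P<name>.+?) - (?P<path>.+)$")

SEVERITY = {
    "same DLL registered in more than one auto-load location": 3,
    "SSODL entry: rare on a clean system, verify the vendor": 2,
    "unnamed BHO with a file on disk": 1,
    "orphaned entry: registered but file missing": 0,
}


class Entry(NamedTuple):
    section: str
    name: str
    path: str  # lower-cased, or "(no file)"


class Finding(NamedTuple):
    path: str
    sections: tuple
    reason: str
    severity: int


def parse_entries(log_text):
    """Return the O2/O20/O21 entries of a HijackThis log as Entry tuples."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sec") not in DLL_SECTIONS:
            continue
        sec = m.group("sec")
        fm = (NOTIFY_RE if sec == "O20" else CLSID_RE).match(m.group("rest"))
        if not fm:
            continue  # malformed line; a real tool would report it
        # The log mixes system32 and SYSTEM32 for the same file.
        path = fm.group("path").strip().lower()
        entries.append(Entry(sec, fm.group("name").strip(), path))
    return entries


def triage(log_text):
    """Group entries by DLL and return Findings, most serious first."""
    by_path = defaultdict(list)
    for e in parse_entries(log_text):
        by_path[e.path].append(e)
    findings = []
    for path, ents in by_path.items():
        secs = tuple(sorted({e.section for e in ents}, key=lambda s: int(s[1:])))
        if path == "(no file)":
            reason = "orphaned entry: registered but file missing"
        elif len(secs) > 1:
            reason = "same DLL registered in more than one auto-load location"
        elif "O21" in secs:
            reason = "SSODL entry: rare on a clean system, verify the vendor"
        elif any(e.name == "(no name)" for e in ents):
            # Weak signal on its own: Spybot's SDHelper shows up this way.
            reason = "unnamed BHO with a file on disk"
        else:
            continue
        findings.append(Finding(path, secs, reason, SEVERITY[reason]))
    findings.sort(key=lambda f: f.severity, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {'/'.join(f.sections):7} {f.path}: {f.reason}")
```

On the sample, Eqn3d9.dll ranks first because it appears in both O2 and O20; the unnamed-BHO rule is deliberately the weakest, since a legitimate helper like SDHelper.dll trips it too.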

#3 cuda


Posted 03 July 2006 - 01:12 AM

Here are my Hijack-This log and F-Secure log. I no longer see that Eqn3d9.dll file in the Hijack-This log, so that's great, and my Cox Comm antivirus didn't find anything either. F-Secure did also find a trojan named "conhook". Lastly, when running Killbox I did get the prompt for "PendingFileRenameOperations". Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:56:30 PM, on 7/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1143500349\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bluebabe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143500349\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima.gov/gis/mapguide/viewe...65/mgaxctrl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Scanning Report
Sunday, July 02, 2006 21:34:35 - 22:50:41
Computer name: KELSIE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 7 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
Trojan-Downloader.Win32.ConHook.ab (virus)
C:\WINDOWS\SYSTEM32\DDCCBCB.DLL (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072908.EXE (Renamed)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32034
System: 4691
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AUTHENTIUM\CURTAINS150\PRF\WVSPV3IIEGQ6\{CEFE73D0-6B4A-4870-81A8-360B9398B105}

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-01
F-Secure Libra: 2.4.1, 2006-06-30
F-Secure Orion: 1.2.37, 2006-06-30
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-05-13
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------


#4 Guest_Cretemonster_*


Posted 03 July 2006 - 03:36 AM

You should be able to see and easily delete the renamed file now.

C:\WINDOWS\SYSTEM32\DDCCBCB.DLL

The extension will be different, similar to this: DDCCBCB.0LL


Download WinPFind to your C Drive.
http://download.bleepingcomputer.com/oldtimer/winpfind2.zip

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE (Tap F8 when restarting)

From the WinPFind folder-> Doubleclick WinPFind.exe to launch the program.

Under Registry Options, Click the Remove All tab.

Under File Options, Click the Select All tab.

Now, Click "Run All Standard Scans"

The scan takes a bit to finish, please be patient.

Once Completed-> Click "Save Scans to Text File" and the log (WinPFind2.txt) will be automatically saved to the WinPFind folder.


Restart Normal and Post the results of the WinPFind scan.

#5 cuda


Posted 04 July 2006 - 02:57 PM

Having a couple of problems. When running WinPFind in safe mode I was unable to see all the tabs that you referred to, the export to txt file being one of them. I tried to adjust the text size, but Windows wouldn't give me the option. I ran WinPFind after starting regularly and found all the buttons you referred to. See the post below. I did notice that C:\WINDOWS\SYSTEM32\DDCCBCB.0LL file, but I couldn't find this file to delete it like you advised. I ran a search and also looked manually.

Logfile created on: 07/04/2006 12:54
WinPFind2 - PreRelease 1.3.1 Folder = C:\Documents and Settings\Dad\Desktop\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


Processes
Image Name ProcessID Thread Count Parent ID Base Priority Full Path Version Info
acsd.exe 001852 0008 000888 Normal c:\progra~1\common~1\aol\acs\acsd.exe (America Online, Inc. [Ver = 1,0,17,5 / Size = 1376360 bytes])
airpluscfg.exe 003256 0003 003292 Normal c:\program files\d-link\airplus xtremeg\airpluscfg.exe (D-Link [Ver = 3, 3, 0, 41027 / Size = 987136 bytes])
alg.exe 000128 0006 000888 Normal c:\windows\system32\alg.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 44544 bytes])
aolsoftware.exe 003696 0013 003292 Normal c:\program files\common files\aol\1143500349\ee\aolsoftware.exe (America Online, Inc. [Ver = 1.4.9.1 / Size = 50792 bytes])
csrss.exe 000820 0013 000772 Normal \??\c:\windows\system32\csrss.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 6144 bytes])
curtainssyssvcnt.exe 001900 0099 000888 Normal c:\program files\cox\applications\app\curtainssyssvcnt.exe (Authentium, Inc. [Ver = 1.0.0.3 / Size = 102400 bytes])
dsentry.exe 002360 0001 003292 Normal c:\windows\system32\dsentry.exe (Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 / Size = 28672 bytes])
dvpapi.exe 001924 0004 000888 Normal c:\program files\common files\command software\dvpapi.exe (Command Software Systems, Inc. [Ver = 4,93,0,50617 / Size = 142416 bytes])
explorer.exe 003292 0017 002564 Normal c:\windows\explorer.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 1032192 bytes])
hkcmd.exe 003304 0002 003292 Normal c:\windows\system32\hkcmd.exe (Intel Corporation [Ver = 3.0.0.4342 / Size = 126976 bytes])
iexplore.exe 000648 0012 003292 Normal c:\program files\internet explorer\iexplore.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 93184 bytes])
intelmem.exe 002112 0002 003292 Normal c:\program files\intel\modem event monitor\intelmem.exe (Intel Corporation [Ver = 0, 1, 0, 10 / Size = 221184 bytes])
ipodservice.exe 004024 0006 000888 Normal c:\program files\ipod\bin\ipodservice.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 323584 bytes])
ituneshelper.exe 001640 0004 003292 Normal c:\program files\itunes\ituneshelper.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 278528 bytes])
lsass.exe 000900 0019 000844 Normal c:\windows\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
prism.exe 002564 0005 002548 Normal c:\program files\cox\applications\app\prism.exe (Cox Communications [Ver = 1.60.0582 / Size = 4337735 bytes])
qttask.exe 003608 0002 003292 Normal c:\program files\quicktime\qttask.exe (Apple Computer, Inc. [Ver = 7.0.4 / Size = 155648 bytes])
services.exe 000888 0015 000844 Normal c:\windows\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
smss.exe 000772 0003 000004 Normal \systemroot\system32\smss.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 50688 bytes])
spoolsv.exe 001748 0013 000888 Normal c:\windows\system32\spoolsv.exe (Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) / Size = 57856 bytes])
svchost.exe 001272 0067 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001312 0004 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001364 0014 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001072 0017 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001128 0009 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
tfswctrl.exe 003308 0003 003292 Normal c:\windows\system32\dla\tfswctrl.exe (Sonic Solutions [Ver = 1.04.05b / Size = 114741 bytes])
viewmgr.exe 002656 0004 003292 Normal c:\program files\viewpoint\viewpoint manager\viewmgr.exe (Viewpoint Corporation [Ver = 2, 0, 0, 42 / Size = 111816 bytes])
wanmpsvc.exe 000144 0007 000888 Normal c:\windows\wanmpsvc.exe (America Online, Inc. [Ver = 7, 0, 0, 2 / Size = 65536 bytes])
winlogon.exe 000844 0015 000772 High \??\c:\windows\system32\winlogon.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 502272 bytes])
winpfind2.exe 001020 0001 003292 Normal c:\documents and settings\dad\desktop\winpfind2\winpfind2.exe (OldTimer Tools [Ver = 1.3.1.0 / Size = 377856 bytes])
wzcsldr2.exe 000880 0004 003292 Normal c:\program files\ani\aniwzcs2 service\wzcsldr2.exe (Alpha Networks Inc. [Ver = 1, 0, 4, 40414 / Size = 45056 bytes])

Registry Entries
Key Value Version Info
WinPFind2 - PreRelease 1.3.1
Microsoft Windows XP Version = Service Pack 2
Internet Explorer Version = 6.0.2900.2180

Services
Name Internal Name Startup Type State Service Type Path Version Info
Application Layer Gateway Service ALG On Demand Running Win32, running in it's own process C:\WINDOWS\System32\alg.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 44544 bytes])
AOL Connectivity Service AOL ACS Automatic Running Win32, running in it's own process C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (America Online, Inc. [Ver = 1,0,17,5 / Size = 1376360 bytes])
Windows Audio AudioSrv Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Computer Browser Browser Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Cryptographic Services CryptSvc Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Curtains for Windows System Service CurtainsSysSvc Automatic Running Win32, running in it's own process c:\program files\cox\applications\app\CurtainsSysSvcNt.exe (Authentium, Inc. [Ver = 1.0.0.3 / Size = 102400 bytes])
DCOM Server Process Launcher DcomLaunch Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DHCP Client Dhcp Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DNS Client Dnscache Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DvpApi dvpapi Automatic Running Win32, running in it's own process "C:\Program Files\Common Files\Command Software\dvpapi.exe" (Command Software Systems, Inc. [Ver = 4,93,0,50617 / Size = 142416 bytes])
Error Reporting Service ERSvc Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Event Log Eventlog Automatic Running Win32, running in a shared process C:\WINDOWS\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
COM+ Event System EventSystem On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Fast User Switching Compatibility FastUserSwitchingCompatibilityOn Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Help and Support helpsvc Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
iPodService iPodService On Demand Running Win32, running in it's own process C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 323584 bytes])
Server lanmanserver Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Workstation lanmanworkstation Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
TCP/IP NetBIOS Helper LmHosts Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Network Connections Netman On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Network Location Awareness (NLA) Nla On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Plug and Play PlugPlay Automatic Running Win32, running in a shared process C:\WINDOWS\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
IPSEC Services PolicyAgent Automatic Running Win32, running in a shared process C:\WINDOWS\System32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Protected Storage ProtectedStorage Automatic Running Win32, running in a shared process C:\WINDOWS\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Remote Access Connection Manager RasMan On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Remote Procedure Call (RPC) RpcSs Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Security Accounts Manager SamSs Automatic Running Win32, running in a shared process C:\WINDOWS\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Task Scheduler Schedule Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Secondary Logon seclogon Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
System Event Notification SENS Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Windows Firewall/Internet Connection Sharing (ICS) SharedAccess Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Shell Hardware Detection ShellHWDetection Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Print Spooler Spooler Automatic Running Win32, running in it's own process C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) / Size = 57856 bytes])
System Restore Service srservice Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
SSDP Discovery Service SSDPSRV On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Telephony TapiSrv On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Terminal Services TermService On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Themes Themes Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Distributed Link Tracking Client TrkWks Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Windows Time w32time Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
WAN Miniport (ATW) Service WANMiniportService Automatic Running Win32, running in it's own process "C:\WINDOWS\wanmpsvc.exe" (America Online, Inc. [Ver = 7, 0, 0, 2 / Size = 65536 bytes])
WebClient WebClient Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Windows Management Instrumentation winmgmt Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Security Center wscsvc Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Automatic Updates wuauserv Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Wireless Zero Configuration WZCSVC Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])

Files
Full Path Details
%SystemDrive%
%ProgramFilesDir%
%WinDir%
C:\WINDOWS\imgurla.exe UPX! [Ver = / Size = 102340 bytes] 02/07/2005 20:41
%System%
C:\WINDOWS\SYSTEM32\DFRG.MSC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 [Ver = / Size = 41397 bytes] 08/29/2002 04:00
C:\WINDOWS\SYSTEM32\MRT.exe (PeCompact2) Microsoft Corporation [Ver = 1.17.1478.0 / Size = 5967776 bytes] 06/08/2006 18:19
C:\WINDOWS\SYSTEM32\MRT.exe (ASPack) Microsoft Corporation [Ver = 1.17.1478.0 / Size = 5967776 bytes] 06/08/2006 18:19
C:\WINDOWS\SYSTEM32\ntdll.dll .aspack Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 708096 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\rasdlg.dll \DuMonitor SendMessage(WM_RASEVENT) doneMicrosoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 657920 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\WBDBASE.DEU msubjsuchsullsupeswinsyncszens [Ver = / Size = 1309184 bytes] 08/29/2002 04:00
%System%\Drivers folder and sub-folders
C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys .aspack Command Software Systems, Inc. [Ver = 4,93,0,50512 / Size = 768712 bytes] 06/22/2005 17:07 R
C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys V90NEC, --------ERROR--------- occured in adaptechoSmart Link [Ver = 3.80.01MC15 / Size = 1309184 bytes] 08/03/2004 22:41
%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\BOOTSTAT.DAT [Ver = / Size = 2048 bytes] 07/04/2006 11:29 S
C:\WINDOWS\qmgmnt.for [Ver = / Size = 630 bytes] 06/13/2006 13:52 H
C:\WINDOWS\SYSTEM32\DDCCBCB.0LL [Ver = / Size = 13837 bytes] 06/08/2006 21:11 HS
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat [Ver = / Size = 13309 bytes] 05/14/2006 03:21 S
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat [Ver = / Size = 23751 bytes] 05/29/2006 09:16 S
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat [Ver = / Size = 10925 bytes] 05/18/2006 00:15 S
C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat [Ver = / Size = 11043 bytes] 06/01/2006 13:28 S
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG [Ver = / Size = 1024 bytes] 07/04/2006 12:06 H
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG [Ver = / Size = 1024 bytes] 07/04/2006 12:28 H
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG [Ver = / Size = 1024 bytes] 07/04/2006 11:39 H
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG [Ver = / Size = 1024 bytes] 07/04/2006 12:48 H
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG [Ver = / Size = 1024 bytes] 07/04/2006 12:47 H
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG [Ver = / Size = 1024 bytes] 06/15/2006 00:06 H
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 [Ver = / Size = 688 bytes] 06/21/2006 19:11 S
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 [Ver = / Size = 32430 bytes] 06/21/2006 19:11 S
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 [Ver = / Size = 94 bytes] 06/21/2006 19:11 S
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 [Ver = / Size = 124 bytes] 06/21/2006 19:11 S
C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\da51f341-0326-45d7-a7c5-341ebe33a2eb [Ver = / Size = 388 bytes] 06/21/2006 23:44 HS
C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred [Ver = / Size = 24 bytes] 06/21/2006 23:44 HS
C:\WINDOWS\Tasks\SA.DAT [Ver = / Size = 6 bytes] 07/04/2006 11:29 H
CPL files
C:\WINDOWS\SYSTEM32\access.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 549888 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\B57exp.cpl Broadcom Corporation [Ver = 6, 12, 0, 0 / Size = 815104 bytes] 05/08/2003 18:25
C:\WINDOWS\SYSTEM32\bdeadmin.cpl [Ver = / Size = 183808 bytes] 05/10/2001 23:00
C:\WINDOWS\SYSTEM32\bthprops.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 110592 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\cpl_moh.cpl [Ver = / Size = 24576 bytes] 09/18/2003 02:18 R
C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 135168 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\firewall.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 80384 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\hdwwiz.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 155136 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\igfxcpl.cpl Intel Corporation [Ver = 3.0.0.4342 / Size = 94208 bytes] 10/19/2005 08:59
C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 358400 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 129536 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\irprops.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 380416 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\joy.cpl Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 68608 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\jpicpl32.cpl Sun Microsystems [Ver = 1, 4, 2, 0 / Size = 53352 bytes] 03/22/2004 22:05
C:\WINDOWS\SYSTEM32\MAIN.CPL Microsoft Corporation [Ver = 5.1.2403.1 / Size = 187904 bytes] 08/29/2002 04:00
C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 618496 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\NCPA.CPL Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 35840 bytes] 08/29/2002 04:00
C:\WINDOWS\SYSTEM32\netsetup.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 25600 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\nusrmgr.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 257024 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) / Size = 32768 bytes] 08/04/2004 00:56
C:\WINDOWS\SYSTEM32\powercfg.cpl Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 114688 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 298496 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\TELEPHON.CPL Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) / Size = 28160 bytes] 08/29/2002 04:00
C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 94208 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\wscui.cpl Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 148480 bytes]08/04/2004 00:56
C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) / Size = 174360 bytes] 05/26/2005 04:16
C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl Intel Corporation [Ver = 3,0,0,2104 / Size = 94208 bytes] 04/06/2003 23:14
AllUsers Startup Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI [Ver = / Size = 84 bytes] 09/03/2002 08:00 HS
AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\DESKTOP.INI [Ver = / Size = 62 bytes] 09/03/2002 07:50 HS
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache [Ver = / Size = 2162 bytes] 04/16/2006 20:16
CurrentUser Startup Folder
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\DESKTOP.INI [Ver = / Size = 84 bytes] 09/03/2002 08:00 HS
CurrentUser ApplicationData Folder
C:\Documents and Settings\Dad\Application Data\AdobeDLM.log [Ver = / Size = 871 bytes] 03/31/2006 18:52
C:\Documents and Settings\Dad\Application Data\DESKTOP.INI [Ver = / Size = 62 bytes] 09/03/2002 07:50 HS
C:\Documents and Settings\Dad\Application Data\dm.ini [Ver = / Size = 0 bytes] 03/31/2006 18:52
C:\Documents and Settings\Dad\Application Data\PFP110JCM.{PB [Ver = / Size = 12358 bytes] 03/30/2004 23:01
C:\Documents and Settings\Dad\Application Data\PFP110JPR.{PB [Ver = / Size = 61678 bytes] 03/30/2004 23:01
DPF files
{62789780-B744-11D0-986B-00609731A21D} Autodesk MapGuide ActiveX Control - CodeBase = http://www.dot.pima.gov/gis/mapguide/viewe...65/mgaxctrl.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{9D190AE6-C81E-4039-8061-978EBAD10073} F-Secure Online Scanner 3.0 - CodeBase = http://support.f-secure.com/ols3/fscax.cab
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/autodl...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
Hosts file = 0 bytes. Reading all entries.




Having a couple of problems. When running WinPFind in safe mode I was unable to see all the tabs that you referred to, the export to txt file being one of them. I tried adjusting the text size, but Windows wouldn't give me the option. I ran WinPFind after starting regularly and found all the buttons you referred to. See the post below. I did notice the C:\WINDOWS\SYSTEM32\DDCCBCB.0LL file, but I couldn't find it to delete it like you advised. I ran a search and also looked manually.

Logfile created on: 07/04/2006 12:54
WinPFind2 - PreRelease 1.3.1 Folder = C:\Documents and Settings\Dad\Desktop\winpfind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


Processes
Image Name ProcessID Thread Count Parent ID Base Priority Full Path Version Info
acsd.exe 001852 0008 000888 Normal c:\progra~1\common~1\aol\acs\acsd.exe (America Online, Inc. [Ver = 1,0,17,5 / Size = 1376360 bytes])
airpluscfg.exe 003256 0003 003292 Normal c:\program files\d-link\airplus xtremeg\airpluscfg.exe (D-Link [Ver = 3, 3, 0, 41027 / Size = 987136 bytes])
alg.exe 000128 0006 000888 Normal c:\windows\system32\alg.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 44544 bytes])
aolsoftware.exe 003696 0013 003292 Normal c:\program files\common files\aol\1143500349\ee\aolsoftware.exe (America Online, Inc. [Ver = 1.4.9.1 / Size = 50792 bytes])
csrss.exe 000820 0013 000772 Normal \??\c:\windows\system32\csrss.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 6144 bytes])
curtainssyssvcnt.exe 001900 0099 000888 Normal c:\program files\cox\applications\app\curtainssyssvcnt.exe (Authentium, Inc. [Ver = 1.0.0.3 / Size = 102400 bytes])
dsentry.exe 002360 0001 003292 Normal c:\windows\system32\dsentry.exe (Dell - Advanced Desktop Engineering [Ver = 1, 0, 5, 0 / Size = 28672 bytes])
dvpapi.exe 001924 0004 000888 Normal c:\program files\common files\command software\dvpapi.exe (Command Software Systems, Inc. [Ver = 4,93,0,50617 / Size = 142416 bytes])
explorer.exe 003292 0017 002564 Normal c:\windows\explorer.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 1032192 bytes])
hkcmd.exe 003304 0002 003292 Normal c:\windows\system32\hkcmd.exe (Intel Corporation [Ver = 3.0.0.4342 / Size = 126976 bytes])
iexplore.exe 000648 0012 003292 Normal c:\program files\internet explorer\iexplore.exe (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) / Size = 93184 bytes])
intelmem.exe 002112 0002 003292 Normal c:\program files\intel\modem event monitor\intelmem.exe (Intel Corporation [Ver = 0, 1, 0, 10 / Size = 221184 bytes])
ipodservice.exe 004024 0006 000888 Normal c:\program files\ipod\bin\ipodservice.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 323584 bytes])
ituneshelper.exe 001640 0004 003292 Normal c:\program files\itunes\ituneshelper.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 278528 bytes])
lsass.exe 000900 0019 000844 Normal c:\windows\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
prism.exe 002564 0005 002548 Normal c:\program files\cox\applications\app\prism.exe (Cox Communications [Ver = 1.60.0582 / Size = 4337735 bytes])
qttask.exe 003608 0002 003292 Normal c:\program files\quicktime\qttask.exe (Apple Computer, Inc. [Ver = 7.0.4 / Size = 155648 bytes])
services.exe 000888 0015 000844 Normal c:\windows\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
smss.exe 000772 0003 000004 Normal \systemroot\system32\smss.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 50688 bytes])
spoolsv.exe 001748 0013 000888 Normal c:\windows\system32\spoolsv.exe (Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) / Size = 57856 bytes])
svchost.exe 001272 0067 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001312 0004 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001364 0014 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001072 0017 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
svchost.exe 001128 0009 000888 Normal c:\windows\system32\svchost.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
tfswctrl.exe 003308 0003 003292 Normal c:\windows\system32\dla\tfswctrl.exe (Sonic Solutions [Ver = 1.04.05b / Size = 114741 bytes])
viewmgr.exe 002656 0004 003292 Normal c:\program files\viewpoint\viewpoint manager\viewmgr.exe (Viewpoint Corporation [Ver = 2, 0, 0, 42 / Size = 111816 bytes])
wanmpsvc.exe 000144 0007 000888 Normal c:\windows\wanmpsvc.exe (America Online, Inc. [Ver = 7, 0, 0, 2 / Size = 65536 bytes])
winlogon.exe 000844 0015 000772 High \??\c:\windows\system32\winlogon.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 502272 bytes])
winpfind2.exe 001020 0001 003292 Normal c:\documents and settings\dad\desktop\winpfind2\winpfind2.exe (OldTimer Tools [Ver = 1.3.1.0 / Size = 377856 bytes])
wzcsldr2.exe 000880 0004 003292 Normal c:\program files\ani\aniwzcs2 service\wzcsldr2.exe (Alpha Networks Inc. [Ver = 1, 0, 4, 40414 / Size = 45056 bytes])

Registry Entries
Key Value Version Info
WinPFind2 - PreRelease 1.3.1
Microsoft Windows XP Version = Service Pack 2
Internet Explorer Version = 6.0.2900.2180

Services
Name Internal Name Startup Type State Service Type Path Version Info
Application Layer Gateway Service ALG On Demand Running Win32, running in it's own process C:\WINDOWS\System32\alg.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 44544 bytes])
AOL Connectivity Service AOL ACS Automatic Running Win32, running in it's own process C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (America Online, Inc. [Ver = 1,0,17,5 / Size = 1376360 bytes])
Windows Audio AudioSrv Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Computer Browser Browser Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Cryptographic Services CryptSvc Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Curtains for Windows System Service CurtainsSysSvc Automatic Running Win32, running in it's own process c:\program files\cox\applications\app\CurtainsSysSvcNt.exe (Authentium, Inc. [Ver = 1.0.0.3 / Size = 102400 bytes])
DCOM Server Process Launcher DcomLaunch Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DHCP Client Dhcp Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DNS Client Dnscache Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
DvpApi dvpapi Automatic Running Win32, running in it's own process "C:\Program Files\Common Files\Command Software\dvpapi.exe" (Command Software Systems, Inc. [Ver = 4,93,0,50617 / Size = 142416 bytes])
Error Reporting Service ERSvc Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Event Log Eventlog Automatic Running Win32, running in a shared process C:\WINDOWS\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
COM+ Event System EventSystem On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Fast User Switching Compatibility FastUserSwitchingCompatibilityOn Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Help and Support helpsvc Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
iPodService iPodService On Demand Running Win32, running in it's own process C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc. [Ver = 6.0.4.2 / Size = 323584 bytes])
Server lanmanserver Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Workstation lanmanworkstation Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
TCP/IP NetBIOS Helper LmHosts Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Network Connections Netman On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Network Location Awareness (NLA) Nla On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Plug and Play PlugPlay Automatic Running Win32, running in a shared process C:\WINDOWS\system32\services.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 108032 bytes])
IPSEC Services PolicyAgent Automatic Running Win32, running in a shared process C:\WINDOWS\System32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Protected Storage ProtectedStorage Automatic Running Win32, running in a shared process C:\WINDOWS\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Remote Access Connection Manager RasMan On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Remote Procedure Call (RPC) RpcSs Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost -k rpcss (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Security Accounts Manager SamSs Automatic Running Win32, running in a shared process C:\WINDOWS\system32\lsass.exe (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 13312 bytes])
Task Scheduler Schedule Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Secondary Logon seclogon Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
System Event Notification SENS Automatic Running Win32, running in a shared process C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Windows Firewall/Internet Connection Sharing (ICS) SharedAccess Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Shell Hardware Detection ShellHWDetection Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Print Spooler Spooler Automatic Running Win32, running in it's own process C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) / Size = 57856 bytes])
System Restore Service srservice Automatic Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
SSDP Discovery Service SSDPSRV On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Telephony TapiSrv On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Terminal Services TermService On Demand Running Win32, running in a shared process C:\WINDOWS\System32\svchost -k DComLaunch (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) / Size = 14336 bytes])
Themes

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 04 July 2006 - 07:32 PM

Use Killbox just as before and delete the 2 files below.


C:\WINDOWS\imgurla.exe
C:\WINDOWS\SYSTEM32\DDCCBCB.0LL



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by Cretemonster, 04 July 2006 - 07:32 PM.


#7 cuda

cuda
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 06 July 2006 - 01:33 AM

Here is the Kaspersky txt file. I see a reference to that ConHook trojan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 05, 2006 7:28:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/07/2006
Kaspersky Anti-Virus database records: 205001
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79485
Number of viruses found: 12
Number of infected objects: 18 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:29:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\log\FireWall.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\WVsPV3IIEGQ6\MiscData.bst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\WVsPV3IIEGQ6\R3Vlc3Q=.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\WVsPV3IIEGQ6\{CEFE73D0-6B4A-4870-81A8-360B9398B105} Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\prf\WVsPV3IIEGQ6\{D2F5620D-8DB3-427d-9356-04AB08B907CB} Object is locked skipped
C:\Documents and Settings\Bluebabe\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\History\History.IE5\MSHist012006070520060706\index.dat Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temp\hotfix.exe Infected: not-a-virus:AdWare.Win32.WebSearch.ax skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temp\i18F.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.a skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temp\STB141.tmp Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temp\~DF98F2.tmp Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temp\~DFE4A.tmp Object is locked skipped
C:\Documents and Settings\Bluebabe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bluebabe\ntuser.dat Object is locked skipped
C:\Documents and Settings\Bluebabe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\stlst\StatListDb.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\stlst\StatListDb.idx Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\domainNames.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\domainNames.idx Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\domainNameTokens.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\domainNameTokens.idx Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\namesRefCount.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\namesRefCount.idx Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\tokensRefCount.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\tokensRefCount.idx Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\urlCacheDb.dat Object is locked skipped
C:\Program Files\Common Files\Authentium Shared\Filter\urlcache\urlCacheDb.idx Object is locked skipped
C:\Program Files\FileSubmit\Sailormoon Screen Saver\NNEZTA388.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\FileSubmit\Sailormoon Screen Saver\TBEZA127Q.exe Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTBUninstaller.exe Infected: not-a-virus:AdWare.Win32.180Solutions.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP507\A0069073.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP512\A0072027.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.EZula.u skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe WiseSFX: infected - 4 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072908.0XE Infected: Trojan-Downloader.Win32.ConHook.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072927.dll Infected: Trojan-Downloader.Win32.ConHook.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP517\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{017FF18F-1D27-4EB4-8F72-CD86C7D2982E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe/stream Infected: not-a-virus:AdWare.Win32.InstaFinder.a skipped
C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\TBuninst.exe Infected: not-a-virus:AdWare.Win32.WebSearch.as skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 06 July 2006 - 05:48 AM

The conhook reference is inside the System Restore folder, which will be cleaned up at the end of this post.

Locate and Delete this file--> C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?
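The triage this reply applies to the quoted scanner log (detections inside System Restore are left to the System Restore cleanup, a live file outside it is deleted by hand, and "Object is locked" lines are not findings at all) can be done mechanically. The block below is an added example, not code from this thread or from any of the tools mentioned in it. It parses a few constructed lines in the same format as the quoted scanner output (the paths are copied from the log above) and buckets them; the regular expressions, the function names and the assumption that a forward slash marks an archive member inside an on-disk file are my own, inferred only from the lines visible in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the scanner log quoted in the
# thread; the paths are taken from that log, the selection is mine.
SAMPLE_LOG = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTBUninstaller.exe Infected: not-a-virus:AdWare.Win32.180Solutions.an skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072927.dll Infected: Trojan-Downloader.Win32.ConHook.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP516\A0072434.exe WiseSFX: infected - 4 skipped
C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe/stream Infected: not-a-virus:AdWare.Win32.InstaFinder.a skipped
C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe NSIS: infected - 1 skipped
C:\WINDOWS\Temp\TBuninst.exe Infected: not-a-virus:AdWare.Win32.WebSearch.as skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
"""

# Three line shapes appear in the quoted log (assumed format, inferred from it):
#   <path> Infected: <detection name> skipped
#   <path> <packer>: infected - <n> skipped      (roll-up for an archive/installer)
#   <path> Object is locked skipped              (not a finding; file was in use)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\S+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# System Restore keeps copies of replaced files under this prefix; those
# entries go away when System Restore is disabled and re-enabled.
RESTORE_PREFIX = r"c:\system volume information\_restore"


def parse_line(line):
    """Return (kind, path, detail) for a finding line, or None otherwise."""
    m = INFECTED_RE.match(line)
    if m:
        return ("infected", m.group("path"), m.group("name"))
    m = ARCHIVE_RE.match(line)
    if m:
        return ("archive", m.group("path"), f"{m.group('packer')} ({m.group('count')} members)")
    m = LOCKED_RE.match(line)
    if m:
        return ("locked", m.group("path"), "")
    return None


def on_disk_file(path):
    """Windows paths use backslashes; a forward slash marks a member inside
    an archive or installer, so the part before it is the file on disk."""
    return path.split("/", 1)[0]


def in_restore_point(path):
    return path.lower().startswith(RESTORE_PREFIX)


def triage(log_text):
    """Bucket findings: 'live' files to act on, 'restore' entries handled by
    the System Restore cleanup, and a count of locked (non-finding) objects."""
    live, restore, locked = defaultdict(list), defaultdict(list), 0
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, path, detail = parsed
        if kind == "locked":
            locked += 1
        elif kind == "archive":
            continue  # roll-up line; its members were already recorded
        elif in_restore_point(path):
            restore[on_disk_file(path)].append(detail)
        else:
            live[on_disk_file(path)].append(detail)
    return {"live": dict(live), "restore": dict(restore), "locked": locked}


def report(result):
    """Render the triage as lines of text."""
    lines = ["Live files to remove:"]
    lines += [f"  {p}  <- {', '.join(d)}" for p, d in sorted(result["live"].items())]
    lines.append("Handled by disabling/re-enabling System Restore:")
    lines += [f"  {p}  <- {', '.join(d)}" for p, d in sorted(result["restore"].items())]
    lines.append(f"Locked objects skipped (not findings): {result['locked']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Collapsing archive members onto their container file matters in practice: the scanner reports each stream inside an installer separately, but there is only one file to locate and delete.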

#9 cuda

cuda
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 06 July 2006 - 09:41 PM

Thanks for all the help. I re-ran my antivirus and it is clean. Thanks again.

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 07 July 2006 - 06:12 AM

Go ahead and Re-enable System Restore and restart the PC, this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates at least twice a week


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :thumbsup:



