Trojan.downloader/sysprotectionpage.com


  • This topic is locked
15 replies to this topic

#1 knh3553

  • Members
  • 8 posts

Posted 17 July 2006 - 10:49 PM

I was first in trouble when my browser page got stuck on sysprotectionpage.com but have been working on my own to try to get this resolved--my computer is functioning, but I'm getting lots of popups and each time I scan and remove malware/spyware or anything else found by adaware and reboot the computer it's back. I've followed all the directions as to what to do before posting a log but could never get my adaware scan completely clean. I also purchased and downloaded spyware doctor from PC tools and that deletes everything after every scan as well and then it all reinstalls on reboot. (not a good investment, apparently.)

The last housecall 6.5 scan identified Troj_agent.csv, and the adaware scan identified WIN32.TROJANDOWNLOADER.ZLOB and WINANTIVIRUSPRO.

Any help would be appreciated--thanks in advance.

My hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:47:03 PM, on 7/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...3AA&LF=blue
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 18 July 2006 - 01:19 PM

Welcome aboard. :thumbsup:

Let's get started.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
----

Once that is done..

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Check the Run VundoFix as a task box.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
----

Please download SmitfraudFix © S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with the contents of C:\vundofix.txt as well as a fresh HijackThis log. :flowers:

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#3 knh3553
  • Topic Starter

  • Members
  • 8 posts

Posted 18 July 2006 - 05:35 PM

Thanks for getting back to me so quickly. I really appreciate the help.

first:

VundoFix V5.1.4

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 5:08:11 PM 7/18/2006

Listing files found while scanning....

C:\windows\system32\jkkjh.dll
C:\windows\system32\hjkkj.ini
C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak2
C:\windows\system32\hjkkj.ini2
C:\windows\system32\hjkkj.tmp
C:\windows\system32\mljkigf.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\jkkjh.dll
C:\windows\system32\jkkjh.dll Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.ini
C:\windows\system32\hjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.bak2
C:\windows\system32\hjkkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.ini2
C:\windows\system32\hjkkj.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.tmp
C:\windows\system32\hjkkj.tmp Has been deleted!

Attempting to delete C:\windows\system32\mljkigf.dll
C:\windows\system32\mljkigf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

next:
SmitFraudFix v2.73

Scan done at 17:29:10.42, Tue 07/18/2006
Run from C:\Documents and Settings\HP_Owner\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\1024\ FOUND !

C:\Documents and Settings\HP_Owner\Application Data


Start Menu


C:\DOCUME~1\HP_Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


Scanning wininet.dll infection


End

finally: new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:34:41 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...3AA&LF=blue
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A85E8F-5F88-4C32-B39D-243B21403DDF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mljkigf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A3A3C46B-5BCF-4DAF-B727-DC4E8869788C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 19 July 2006 - 02:56 AM

Let's continue.. :thumbsup:
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\mljkigf.dll
    • C:\WINDOWS\system32\fgikjlm.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
----

Please print these instructions out, or write them down, as you can't read them during the fix.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.


Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with the contents of C:\vundofix.txt as well as a fresh HijackThis log. :flowers:
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
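The triage Rawe performs on the HijackThis log in post #3 (unnamed BHOs loading from system32, Winlogon Notify subkeys pointing at a bare C:\WINDOWS\, the orphaned SSODL entry, and the reversed-name companion files mljkigf.dll / fgikjlm.* and jkkjh.dll / hjkkj.* that both had to be queued in VundoFix) can be written down as a small checker. The script below is an added example for this thread, not a tool any of the posters used; the sample lines are copied from the log above and the heuristics are the editor's own reading of it.

```python
"""Triage a HijackThis 1.99 log for the Vundo/Zlob indicators seen in this thread.

Added example for this thread, not a tool the posters used. The heuristics
encode what the helper singled out: unnamed BHOs loading from system32,
Winlogon Notify subkeys that point at a bare directory instead of a DLL, an
SSODL entry whose DLL is already gone, and Vundo's habit of keeping its data
files under the DLL name spelled backwards (jkkjh.dll <-> hjkkj.ini/.bak1,
mljkigf.dll <-> fgikjlm.*), which is why both names had to be queued for removal.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log in post #3, plus the
# benign Acrobat, Spybot and Intel entries from the same log so the rules can be
# seen staying quiet on them.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A85E8F-5F88-4C32-B39D-243B21403DDF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mljkigf.dll
O2 - BHO: (no name) - {A3A3C46B-5BCF-4DAF-B727-DC4E8869788C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - C:\WINDOWS\system32\zlara.dll (file missing)
"""

MISSING = " (file missing)"

# One regex per HijackThis section this triage looks at.
_RULES = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$"),
}


@dataclass
class Finding:
    kind: str            # HijackThis section: O2, O20 or O21
    name: str            # BHO name, Notify subkey or SSODL value name
    path: str            # path as logged, "(file missing)" marker stripped
    reason: str          # which heuristic fired
    companion: str = ""  # reversed-name data files to remove alongside (Vundo only)


def vundo_companion(dll_path: str) -> str:
    """Return the wildcard for Vundo's companion files: same folder, DLL stem reversed."""
    folder, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the section-specific heuristics to one log line; None if nothing fires."""
    for kind, rx in _RULES.items():
        m = rx.match(line.strip())
        if not m:
            continue
        name, path = m["name"], m["path"]
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        if kind == "O2":
            if path == "(no file)":
                return Finding(kind, name, path, "orphan BHO: CLSID registered, no file")
            if name == "(no name)" and in_system32(path):
                return Finding(kind, name, path,
                               "unnamed BHO loading from system32 (Vundo pattern)",
                               companion=vundo_companion(path))
        elif kind == "O20":
            # Genuine Notify packages name a DLL; Vundo leaves a bare C:\WINDOWS\ here.
            if path.endswith("\\"):
                return Finding(kind, name, path, "Winlogon Notify subkey without a DLL")
        elif kind == "O21" and missing:
            return Finding(kind, name, path, "SSODL entry whose DLL no longer exists")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<12} {f.reason}")
        if f.companion:
            print(f"     also queue for removal: {f.companion}")
```

Run against the sample it flags six entries and stays quiet on the Acrobat, Spybot and Intel lines; the companion pattern for jkkjh.dll is exactly the hjkkj.* set VundoFix reported deleting in post #3.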

#5 knh3553
  • Topic Starter

  • Members
  • 8 posts

Posted 19 July 2006 - 06:08 PM

Here are the next three logs--thanks again for your help. -Katrina

SmitFraudFix v2.73

Scan done at 17:52:38.73, Wed 07/19/2006
Run from C:\Documents and Settings\HP_Owner\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\zlara.dll -> Missing File


Deleting infected files

C:\WINDOWS\system32\1024\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"



End


VundoFix V5.1.4

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 5:08:11 PM 7/18/2006

Listing files found while scanning....

C:\windows\system32\jkkjh.dll
C:\windows\system32\hjkkj.ini
C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak2
C:\windows\system32\hjkkj.ini2
C:\windows\system32\hjkkj.tmp
C:\windows\system32\mljkigf.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\jkkjh.dll
C:\windows\system32\jkkjh.dll Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.ini
C:\windows\system32\hjkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.bak1
C:\windows\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.bak2
C:\windows\system32\hjkkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.ini2
C:\windows\system32\hjkkj.ini2 Has been deleted!

Attempting to delete C:\windows\system32\hjkkj.tmp
C:\windows\system32\hjkkj.tmp Has been deleted!

Attempting to delete C:\windows\system32\mljkigf.dll
C:\windows\system32\mljkigf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V5.1.4

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 5:23:36 PM 7/19/2006

Listing files found while scanning....

C:\windows\system32\mljkigf.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\mljkigf.dll
C:\windows\system32\mljkigf.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mljkigf.dll
C:\WINDOWS\system32\mljkigf.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 6:06:39 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...3AA&LF=blue
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:46 AM

Posted 21 July 2006 - 04:35 AM

Alright... Let's continue :thumbsup:

Go ahead and delete SmitFraudFix.

---

1. Please rename your HijackThis.exe to Scan.exe. After that, I'll be able to see your Vundo infection and possible other O2/O20 lines in your log.

---

2. Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"=-


Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

---

3. Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the Java (coffee cup) icon next to it.
    Select it and click Remove.
    • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    • It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    • If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
---

4. Please run the renamed Scan.exe and post the fresh log here. :flowers:
Hi there, stranger!
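Added example (not part of Rawe's instructions and not a tool used in this thread): a small parser that reads a .reg file and lists what regedit would do when it is merged. Step 2 above hands the user a Fixit.reg that deletes one SharedTaskScheduler value; regedit merges such a file silently and a deletion cannot be undone, so it is worth seeing the plan before double-clicking. The Fixit.reg text from the post is embedded as sample input; the parse_reg/describe names, the HEADERS/HIVES constants and the "broad deletion" warning threshold are this example's own choices.

```python
"""Parse a Windows .reg file and list what merging it would change.

Added example for this thread, not a tool the helper used. It covers the
REGEDIT4 / "Windows Registry Editor Version 5.00" subset that clean-up fixes
rely on: key sections, whole-key deletion ([-HKEY_...]), value deletion
("name"=-), string, dword and hex values (including hex continuation lines).
"""
from dataclasses import dataclass
from typing import List, Optional, Union

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")


@dataclass
class RegAction:
    op: str                     # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None  # None means the key's default value (@)
    data: Union[str, int, bytes, None] = None


def _parse_data(raw: str):
    """Return ("delete", None) for the '-' marker, else ("set", decoded value)."""
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "set", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return "set", int(raw[len("dword:"):], 16)
    if raw.lower().startswith("hex"):          # hex:, hex(2):, hex(7): ...
        body = raw.split(":", 1)[1]
        return "set", bytes(int(b, 16) for b in body.split(",") if b.strip())
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> List[RegAction]:
    """Turn .reg text into an ordered list of RegAction; raises on malformed input."""
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or the Version 5.00 header")
    actions: List[RegAction] = []
    key: Optional[str] = None
    i = 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.lstrip("-").split("\\", 1)[0] not in HIVES:
                raise ValueError(f"unknown hive in {line!r}")
            if inner.startswith("-"):           # [-KEY] deletes the whole subtree
                actions.append(RegAction("delete_key", inner[1:]))
                key = None
            else:
                key = inner
            continue
        if key is None:
            raise ValueError(f"value line outside a key section: {line!r}")
        while line.endswith("\\") and i < len(lines):   # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name_raw, sep, data_raw = line.partition("=")
        if not sep:
            raise ValueError(f"malformed value line: {line!r}")
        name = None if name_raw.strip() == "@" else name_raw.strip().strip('"')
        mode, data = _parse_data(data_raw)
        actions.append(RegAction("delete_value" if mode == "delete" else "set_value",
                                 key, name, data))
    return actions


def describe(actions: List[RegAction]) -> List[str]:
    """Human-readable plan; warns when a key deletion has fewer than three path parts."""
    out = []
    for a in actions:
        if a.op == "delete_key":
            note = "  <-- WARNING: deletes a whole subtree" if a.key.count("\\") < 2 else ""
            out.append(f"delete key   {a.key}{note}")
        elif a.op == "delete_value":
            out.append(f"delete value {a.name!r} under {a.key}")
        else:
            out.append(f"set value    {a.name!r} = {a.data!r} under {a.key}")
    return out


# Fixit.reg exactly as posted above (copied here as sample input)
FIXIT_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"=-
"""

if __name__ == "__main__":
    for step in describe(parse_reg(FIXIT_REG)):
        print(step)
```

Run it as-is and it prints a single "delete value" line for the SharedTaskScheduler CLSID, which is exactly the intended effect of the fix; anything else in the output would mean the file was edited or pasted wrong.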

#7 knh3553

knh3553
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 24 July 2006 - 09:28 PM

new log from scan.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:26:56 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebReg.serv...3AA&LF=blue
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A85E8F-5F88-4C32-B39D-243B21403DDF} - (no file)
O2 - BHO: (no name) - {3AFEC7C3-1804-414D-9612-6E1561D1C0F5} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mljkigf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {913CCAED-7362-4E0D-9BF0-51877C162699} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {A3A3C46B-5BCF-4DAF-B727-DC4E8869788C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:46 AM

Posted 25 July 2006 - 04:25 AM

Let's continue :thumbsup:

Go ahead and delete any of the following at this point... Vundofix, smitfraudfix, Fixit.reg

---

Please print these instructions out, or write them down, as you can't read them during the fix.

We need to disable the Real-Time Protection feature of Windows Defender because it might interfere with the HijackThis fixes.

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.
---

Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: (no name) - {26A85E8F-5F88-4C32-B39D-243B21403DDF} - (no file)
O2 - BHO: (no name) - {3AFEC7C3-1804-414D-9612-6E1561D1C0F5} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mljkigf.dll
O2 - BHO: (no name) - {913CCAED-7362-4E0D-9BF0-51877C162699} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {A3A3C46B-5BCF-4DAF-B727-DC4E8869788C} - C:\WINDOWS\system32\jkkjh.dll (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

---

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results. :flowers:

Hi there, stranger!
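Added example (not something Rawe ran, and not a HijackThis feature): a script that applies the judgement behind the O2 list above to a HijackThis log automatically. The rules it encodes are the ones visible in this thread: a BHO whose CLSID has no DLL behind it, an unnamed BHO whose DLL lives in the Windows directory (an unnamed BHO under a vendor folder, like Spybot's SDHelper.dll in this log, is left alone), a Winlogon Notify package that is not one of the expected ones, and, the strongest signal, one DLL registered both as a BHO and as a Winlogon Notify package, which is how a Vundo DLL stays loaded in winlogon.exe and every Internet Explorer process and so resists deletion. The sample lines are copied from the logs posted in this thread; KNOWN_NOTIFY is an assumption about this particular machine, and the triage/Finding names are this example's own.

```python
"""Triage the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log.

Added example for this thread, not a tool the helper used. Other sections
(O4, O23, ...) are deliberately out of scope; the point is the two places
where a browser-hijacking DLL registers itself.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# O2 - BHO: <name> - {CLSID} - <path>      /  O20 - Winlogon Notify: <name> - <path>
LINE_RE = re.compile(
    r"^(?P<section>O2|O20) - (?:BHO|Winlogon Notify): (?P<name>.*?) - "
    r"(?:\{[0-9A-Fa-f-]{36}\} - )?(?P<path>.*)$"
)

# Winlogon Notify DLLs expected on this box (assumption): Intel graphics,
# Norton's logon hook and Windows Genuine Advantage. HijackThis 1.99 already
# hides Microsoft's own notify packages, so anything else deserves a look.
KNOWN_NOTIFY = {"igfxsrvc.dll", "navlogon.dll", "wgalogon.dll"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _dll_name(path: str) -> str:
    """Lower-case file name from a HijackThis path, ignoring the '(file missing)' suffix."""
    return path.replace(" (file missing)", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Dict[str, Finding]:
    """Map each suspicious O2/O20 line to the reasons it was flagged."""
    findings: Dict[str, Finding] = {}
    bad_bho_dlls = set()
    notify_lines = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # other sections are out of scope here
        section, name, path = m["section"], m["name"], m["path"].strip()
        dll = _dll_name(path)
        reasons: List[str] = []
        if section == "O2":
            orphaned = path == "(no file)" or path.endswith("(file missing)")
            if orphaned:
                reasons.append("CLSID is registered but no DLL backs it")
            if name == "(no name)" and (orphaned or "\\windows\\" in path.lower()):
                reasons.append("unnamed BHO outside any vendor directory")
            if reasons and dll.endswith(".dll"):
                bad_bho_dlls.add(dll)
        else:
            notify_lines.append((line, dll))
            if dll not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify DLL is not one of the expected packages")
        if reasons:
            findings[line] = Finding(line, reasons)
    # Cross-section rule: a DLL loaded by winlogon.exe (O20) and by every IE
    # process (O2) is always in use, so plain file deletion fails on it.
    for line, dll in notify_lines:
        if dll in bad_bho_dlls:
            findings.setdefault(line, Finding(line)).reasons.append(
                "same DLL is also a flagged BHO: Vundo-style persistence")
    return findings


# Lines copied from the HijackThis logs posted in this thread (sample input)
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26A85E8F-5F88-4C32-B39D-243B21403DDF} - (no file)
O2 - BHO: (no name) - {3AFEC7C3-1804-414D-9612-6E1561D1C0F5} - C:\WINDOWS\system32\geeby.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\mljkigf.dll
O2 - BHO: (no name) - {2A47379E-97A3-4926-9609-737D441663C9} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG).values():
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

On the sample it flags the five Vundo-related entries and nothing else; the pmnnn.dll Winlogon Notify line collects two reasons, which is the cue that the file will have to be renamed and removed on reboot rather than deleted while Windows is up. The KNOWN_NOTIFY set has to be adjusted per machine; an unknown notify DLL is a reason to investigate, not proof of infection.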

#9 knh3553

knh3553
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 31 July 2006 - 10:47 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:37:58 PM 7/31/2006

+ Scan result:

Here are the Ewido scan results:

C:\Program Files\backups\backup-20060731-202325-181.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\mljkigf.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__m_l_j_k_i_g_f_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmnnn.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jludcwdm.dll -> Logger.VBStat.d : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__z_l_a_r_a_._d_l_l_ -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\adtwcgrd.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bnqapqdf.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\DP.sys -> Trojan.Agent.ny : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gotggkry.exe -> Trojan.Agent.ny : Cleaned with backup (quarantined).


::Report end

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:46 AM

Posted 01 August 2006 - 10:49 AM

Then a fresh HijackThis log, and how's the system running now? :thumbsup:
Hi there, stranger!

#11 knh3553

knh3553
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 01 August 2006 - 06:06 PM

Here is the new hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 6:01:35 PM, on 8/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A47379E-97A3-4926-9609-737D441663C9} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The system is running better and this afternoon I've not noticed any pop-ups, but it's still running REALLY slow. Really dragging in opening documents and programs, etc. In my Windows Task Manager I still see multiple versions of IEXPLORE.exe that seem to be using a lot of memory. Are those legitimate processes? I thought explorer.exe was the correct one?

#12 knh3553
  • Topic Starter
  • Members
  • 8 posts

Posted 01 August 2006 - 07:42 PM

Also still popups from

http://scanner.sysprotect.com/pages/scanne...2&lid=keyin

#13 Rawe
  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 02 August 2006 - 05:40 AM

Please download VirtumundoBegone and save it to your desktop. When you have done this, double-click on VirtumundoBeGone.exe and follow the instructions.

Post back with the results.

Also...

Please download WinPFind2 © OldTimer.
  • Unzip the files to their own folder, like C:\WinPFind2.
  • Double-click WinPFind2.exe to run the program.
  • Click Select All in the File Options menu under Configuration tab.
  • Click Run all Scans.
  • When the scan is ready, you'll see Scans Complete! message lower left.
  • Click Export to Text.
  • Notepad will open and the log is created in the folder where the tool was unzipped (C:\WinPFind2\WinPFind2.txt)
  • Post back with the log along with a fresh HijackThis log. You may need to post multiple replies to get it all posted, so it doesn't get cut off. :thumbsup:

Hi there, stranger!

#14 knh3553
  • Topic Starter
  • Members
  • 8 posts

Posted 03 August 2006 - 05:40 PM

[08/03/2006, 17:21:29] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\HP_Owner\Desktop\VirtumundoBeGone.exe" )
[08/03/2006, 17:21:36] - Detected System Information:
[08/03/2006, 17:21:36] - Windows Version: 5.1.2600, Service Pack 2
[08/03/2006, 17:21:36] - Current Username: HP_Owner (Admin)
[08/03/2006, 17:21:36] - Windows is in NORMAL mode.
[08/03/2006, 17:21:36] - Searching for Browser Helper Objects:
[08/03/2006, 17:21:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/03/2006, 17:21:36] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/03/2006, 17:21:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/03/2006, 17:21:37] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/03/2006, 17:21:37] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/03/2006, 17:21:37] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (UberButton Class)
[08/03/2006, 17:21:37] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[08/03/2006, 17:21:37] - BHO 5: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} (YahooTaggedBM Class)
[08/03/2006, 17:21:37] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/03/2006, 17:21:37] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/03/2006, 17:21:37] - BHO 8: {B1ACD92F-9461-47A7-88E6-7AC245F4101A} ()
[08/03/2006, 17:21:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/03/2006, 17:21:37] - Checking for HKLM\...\Winlogon\Notify\pmnnn
[08/03/2006, 17:21:37] - Found: HKLM\...\Winlogon\Notify\pmnnn - This is probably Virtumundo.
[08/03/2006, 17:21:37] - Assigning {B1ACD92F-9461-47A7-88E6-7AC245F4101A} MSEvents Object
[08/03/2006, 17:21:37] - BHO list has been changed! Starting over...
[08/03/2006, 17:21:37] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/03/2006, 17:21:37] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/03/2006, 17:21:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/03/2006, 17:21:37] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/03/2006, 17:21:37] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/03/2006, 17:21:37] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (UberButton Class)
[08/03/2006, 17:21:37] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[08/03/2006, 17:21:37] - BHO 5: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} (YahooTaggedBM Class)
[08/03/2006, 17:21:37] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/03/2006, 17:21:37] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/03/2006, 17:21:37] - BHO 8: {B1ACD92F-9461-47A7-88E6-7AC245F4101A} (MSEvents Object)
[08/03/2006, 17:21:37] - ALERT: Found MSEvents Object!
[08/03/2006, 17:21:37] - BHO 9: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[08/03/2006, 17:21:37] - BHO 10: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[08/03/2006, 17:21:37] - BHO 11: {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} (SidebarAutoLaunch Class)
[08/03/2006, 17:21:37] - Finished Searching Browser Helper Objects
[08/03/2006, 17:21:37] - *** Detected MSEvents Object
[08/03/2006, 17:21:37] - Trying to remove MSEvents Object...
[08/03/2006, 17:21:38] - Terminating Process: IEXPLORE.EXE
[08/03/2006, 17:21:39] - Terminating Process: RUNDLL32.EXE
[08/03/2006, 17:21:39] - Disabling Automatic Shell Restart
[08/03/2006, 17:21:39] - Terminating Process: EXPLORER.EXE
[08/03/2006, 17:21:40] - Suspending the NT Session Manager System Service
[08/03/2006, 17:21:41] - Terminating Windows NT Logon/Logoff Manager
[08/03/2006, 17:21:42] - Re-enabling Automatic Shell Restart
[08/03/2006, 17:21:42] - File to disable: C:\WINDOWS\system32\pmnnn.dll
[08/03/2006, 17:21:42] - Renaming C:\WINDOWS\system32\pmnnn.dll -> C:\WINDOWS\system32\pmnnn.dll.vir
[08/03/2006, 17:21:42] - File successfully renamed!
[08/03/2006, 17:21:42] - Removing HKLM\...\Browser Helper Objects\{B1ACD92F-9461-47A7-88E6-7AC245F4101A}
[08/03/2006, 17:21:42] - Removing HKCR\CLSID\{B1ACD92F-9461-47A7-88E6-7AC245F4101A}
[08/03/2006, 17:21:42] - Adding Kill Bit for ActiveX for GUID: {B1ACD92F-9461-47A7-88E6-7AC245F4101A}
[08/03/2006, 17:21:42] - Deleting ATLEvents/MSEvents Registry entries
[08/03/2006, 17:21:42] - Removing HKLM\...\Winlogon\Notify\pmnnn
[08/03/2006, 17:21:42] - Searching for Browser Helper Objects:
[08/03/2006, 17:21:42] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/03/2006, 17:21:42] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/03/2006, 17:21:43] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/03/2006, 17:21:43] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/03/2006, 17:21:43] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/03/2006, 17:21:43] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (UberButton Class)
[08/03/2006, 17:21:43] - BHO 4: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[08/03/2006, 17:21:43] - BHO 5: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} (YahooTaggedBM Class)
[08/03/2006, 17:21:43] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/03/2006, 17:21:44] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[08/03/2006, 17:21:44] - BHO 8: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[08/03/2006, 17:21:44] - BHO 9: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[08/03/2006, 17:21:44] - BHO 10: {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} (SidebarAutoLaunch Class)
[08/03/2006, 17:21:44] - Finished Searching Browser Helper Objects
[08/03/2006, 17:21:44] - Finishing up...
[08/03/2006, 17:21:44] - A restart is needed.
[08/03/2006, 17:21:55] - Attempting to Restart via STOP error (Blue Screen!)



WinPFind2 log:
Logfile created on: 08/03/2006 17:37
WinPFind2 by OldTimer - Version 1.0.1 Folder = C:\winpfind2\WinPFind2\
Microsoft Windows XP (Version = Service Pack 2)
Internet Explorer (Version - 6.0.2900.2180)


[Start Post #1]

Processes
Image Name---------------ProcessID--Thread Count--Parent ID--Base Priority--
#Full Path
##(Version Info)

agrsmmsg.exe-------------003020-----0002----------001348-----Normal---------
#c:\windows\agrsmmsg.exe
##(Agere Systems [Ver = 2.1.51 2.1.51 03/04/2005 12:01:54 | Size = 88209 bytes | Date = 03/04/2005 13:01 | Attr = ])

alg.exe------------------002448-----0006----------000592-----Normal---------
#c:\windows\system32\alg.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 44544 bytes | Date = 08/04/2004 06:00 | Attr = ])

ccapp.exe----------------003164-----0042----------001348-----Normal---------
#c:\program files\common files\symantec shared\ccapp.exe
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 58488 bytes | Date = 08/27/2004 18:22 | Attr = ])

ccevtmgr.exe-------------001532-----0018----------000592-----Normal---------
#c:\program files\common files\symantec shared\ccevtmgr.exe
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 197752 bytes | Date = 08/27/2004 18:22 | Attr = ])

ccproxy.exe--------------001368-----0015----------000592-----Normal---------
#c:\program files\common files\symantec shared\ccproxy.exe
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 234616 bytes | Date = 08/27/2004 18:22 | Attr = ])

ccsetmgr.exe-------------001412-----0008----------000592-----Normal---------
#c:\program files\common files\symantec shared\ccsetmgr.exe
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 164984 bytes | Date = 08/27/2004 18:22 | Attr = ])

csrss.exe----------------000520-----0011----------000464-----Normal---------
#\??\c:\windows\system32\csrss.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 6144 bytes | Date = 08/04/2004 06:00 | Attr = ])

ctfmon.exe---------------003572-----0001----------001348-----Normal---------
#c:\windows\system32\ctfmon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Date = 08/04/2004 06:00 | Attr = ])

defwatch.exe-------------000192-----0003----------000592-----Normal---------
#c:\program files\symantec_client_security\symantec antivirus\defwatch.exe
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 32768 bytes | Date = 07/30/2002 12:36 | Attr = ])

explorer.exe-------------001348-----0016----------001256-----Normal---------
#c:\windows\explorer.exe
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Date = 08/04/2004 06:00 | Attr = ])

guard.exe----------------000216-----0008----------000592-----Normal---------
#c:\program files\ewido anti-spyware 4.0\guard.exe
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 172032 bytes | Date = 06/16/2006 09:38 | Attr = ])

hkcmd.exe----------------002980-----0002----------001348-----Normal---------
#c:\windows\system32\hkcmd.exe
##(Intel Corporation [Ver = 3.0.0.3943 | Size = 126976 bytes | Date = 11/02/2004 10:59 | Attr = ])

hphmon06.exe-------------003148-----0002----------001348-----Normal---------
#c:\windows\system32\hphmon06.exe
##(Hewlett-Packard [Ver = 6,0,72 | Size = 659456 bytes | Date = 06/07/2004 13:42 | Attr = ])

hpqtra08.exe-------------003720-----0009----------001348-----Normal---------
#c:\program files\hp\digital imaging\bin\hpqtra08.exe
##(Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Date = 11/04/2004 22:28 | Attr = ])

hpsysdrv.exe-------------002892-----0001----------001348-----Normal---------
#c:\windows\system\hpsysdrv.exe
##(Hewlett-Packard Company [Ver = 1, 7, 0, 0 | Size = 52736 bytes | Date = 05/07/1998 11:04 | Attr = ])

hpzipm12.exe-------------003820-----0002----------000592-----Normal---------
#c:\windows\system32\hpzipm12.exe
##(HP [Ver = 8, 0, 0, 0 | Size = 65536 bytes | Date = 03/18/2004 19:55 | Attr = ])

iexplore.exe-------------001180-----0017----------001348-----Normal---------
#c:\program files\internet explorer\iexplore.exe
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 93184 bytes | Date = 08/04/2004 06:00 | Attr = ])

ipodservice.exe----------003392-----0007----------000592-----Normal---------
#c:\program files\ipod\bin\ipodservice.exe
##(Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 323584 bytes | Date = 02/23/2006 16:45 | Attr = ])

issvc.exe----------------001424-----0011----------000592-----Normal---------
#c:\program files\norton internet security\issvc.exe
##(Symantec Corporation [Ver = 8.0.0.64 | Size = 78992 bytes | Date = 08/30/2004 21:29 | Attr = ])

ituneshelper.exe---------003352-----0005----------001348-----Normal---------
#c:\program files\itunes\ituneshelper.exe
##(Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Date = 02/23/2006 16:45 | Attr = ])

jusched.exe--------------003556-----0001----------001348-----Normal---------
#c:\program files\java\jre1.5.0_06\bin\jusched.exe
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 36975 bytes | Date = 11/10/2005 13:03 | Attr = ])

lsass.exe----------------000604-----0020----------000544-----Normal---------
#c:\windows\system32\lsass.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 13312 bytes | Date = 08/04/2004 06:00 | Attr = ])

mdm.exe------------------000232-----0005----------000592-----Normal---------
#c:\program files\common files\microsoft shared\vs7debug\mdm.exe
##(Microsoft Corporation [Ver = 7.00.9466 | Size = 322120 bytes | Date = 06/20/2003 02:25 | Attr = ])

msascui.exe--------------003400-----0008----------001348-----Normal---------
#c:\program files\windows defender\msascui.exe
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 777424 bytes | Date = 04/03/2006 18:12 | Attr = ])

msmpeng.exe--------------000872-----0012----------000592-----Normal---------
#c:\program files\windows defender\msmpeng.exe
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 14032 bytes | Date = 04/03/2006 18:12 | Attr = ])

navapsvc.exe-------------001448-----0011----------000592-----Normal---------
#c:\program files\norton internet security\norton antivirus\navapsvc.exe
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 176768 bytes | Date = 08/30/2004 13:34 | Attr = ])

notepad.exe--------------003468-----0001----------001348-----Normal---------
#c:\windows\system32\notepad.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 69120 bytes | Date = 08/04/2004 06:00 | Attr = ])

picasamediadetector.exe--003544-----0004----------001348-----Normal---------
#c:\program files\picasa2\picasamediadetector.exe
##(Google Inc. [Ver = 2.1.0 | Size = 421888 bytes | Date = 03/15/2006 18:07 | Attr = ])

ps2.exe------------------003216-----0003----------001348-----Normal---------
#c:\windows\system32\ps2.exe
##(Hewlett-Packard Company [Ver = 1.0.2.2.112404 | Size = 90112 bytes | Date = 10/25/2004 16:17 | Attr = ])

rtvscan.exe--------------000396-----0039----------000592-----Normal---------
#c:\program files\symantec_client_security\symantec antivirus\rtvscan.exe
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 573440 bytes | Date = 07/30/2002 12:40 | Attr = ])

sdhelp.exe---------------000416-----0006----------000592-----Normal---------
#c:\program files\spyware doctor\sdhelp.exe
##(PC Tools Research Pty Ltd [Ver = 3.6.0.2023 | Size = 871080 bytes | Date = 06/05/2006 12:32 | Attr = ])

services.exe-------------000592-----0016----------000544-----Normal---------
#c:\windows\system32\services.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Date = 08/04/2004 06:00 | Attr = ])

smss.exe-----------------000464-----0003----------000004-----Normal---------
#\systemroot\system32\smss.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 50688 bytes | Date = 08/04/2004 06:00 | Attr = ])

sndsrvc.exe--------------001472-----0008----------000592-----Normal---------
#c:\program files\common files\symantec shared\sndsrvc.exe
##(Symantec Corporation [Ver = 5.4.2.17 | Size = 206048 bytes | Date = 08/27/2004 17:02 | Attr = ])

spbbcsvc.exe-------------001508-----0010----------000592-----Normal---------
#c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe
##(Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Date = 07/21/2004 11:24 | Attr = ])

spoolsv.exe--------------001912-----0012----------000592-----Normal---------
#c:\windows\system32\spoolsv.exe
##(Microsoft Corporation [Ver = 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) | Size = 57856 bytes | Date = 06/10/2005 18:53 | Attr = ])

svchost.exe--------------000748-----0018----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

svchost.exe--------------000808-----0011----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

svchost.exe--------------000916-----0063----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

svchost.exe--------------001008-----0006----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

svchost.exe--------------001104-----0013----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

svchost.exe--------------000524-----0007----------000592-----Normal---------
#c:\windows\system32\svchost.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

swdoctor.exe-------------002032-----0039----------001180-----Normal---------
#c:\progra~1\spywar~2\swdoctor.exe
##(PC Tools Research Pty Ltd [Ver = 3.8.0.2582 | Size = 2078944 bytes | Date = 06/08/2006 09:11 | Attr = ])

symscui.exe--------------002760-----0007----------001164-----Normal---------
#c:\program files\common files\symantec shared\security center\symscui.exe
##(Symantec Corporation [Ver = 2005.1.00.111 | Size = 382080 bytes | Date = 08/05/2004 20:23 | Attr = ])

symwsc.exe---------------001164-----0022----------000592-----Normal---------
#c:\program files\common files\symantec shared\security center\symwsc.exe
##(Symantec Corporation [Ver = 2005.1.00.111 | Size = 308352 bytes | Date = 08/05/2004 20:23 | Attr = ])

vptray.exe---------------003272-----0002----------001348-----Normal---------
#c:\progra~1\symant~1\symant~1\vptray.exe
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 77824 bytes | Date = 07/30/2002 12:35 | Attr = ])

wdfmgr.exe---------------000972-----0004----------000592-----Normal---------
#c:\windows\system32\wdfmgr.exe
##(Microsoft Corporation [Ver = 5.2.3790.1230 built by: DNSRV(bld4act) | Size = 38912 bytes | Date = 08/11/2004 04:45 | Attr = ])

winlogon.exe-------------000544-----0016----------000464-----High-----------
#\??\c:\windows\system32\winlogon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 502272 bytes | Date = 08/04/2004 06:00 | Attr = ])

winpfind2.exe------------003896-----0001----------001348-----Normal---------
#c:\winpfind2\winpfind2\winpfind2.exe
##(OldTimer Tools [Ver = 1.0.1.0 | Size = 382464 bytes | Date = 08/01/2006 16:25 | Attr = ])

wuauclt.exe--------------003952-----0004----------000916-----Normal---------
#c:\windows\system32\wuauclt.exe
##(Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 124184 bytes | Date = 05/26/2005 05:16 | Attr = ])

ybrwicon.exe-------------003280-----0005----------001348-----Normal---------
#c:\progra~1\yahoo!\browser\ybrwicon.exe
##(Yahoo!, Inc. [Ver = 2003, 12, 9, 1 | Size = 57344 bytes | Date = 12/09/2003 14:02 | Attr = ])

ycommon.exe--------------003368-----0009----------000748-----Normal---------
#c:\progra~1\yahoo!\browser\ycommon.exe
##(Yahoo!, Inc. [Ver = 2005, 2, 23, 1 | Size = 229376 bytes | Date = 03/31/2005 09:26 | Attr = ])


Registry Entries
Key
#Value
##(Version Info)

Version Info
#
##

WinPFind2 by OldTimer - Version 1.0.1
#
##

Microsoft Windows XP Version = Service Pack 2
#
##

Internet Explorer Version = 6.0.2900.2180
#
##

Internet Explorer Settings
#
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Search
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\windows\system32\blank.htm
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.cnn.com/
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\windows\system32\blank.htm
##

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable
#0
##

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride
#
##

BHO's
#
##

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
#AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
##(Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Date = 11/03/2003 17:17 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
# = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
##(Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Date = 05/31/2005 01:04 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
#UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
##(Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Date = 05/26/2005 12:38 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
#PCTools Site Guard = C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
##(PC Tools [Ver = 3.6.0.2069 | Size = 803048 bytes | Date = 05/05/2006 13:55 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
#YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
##(Yahoo! Inc. [Ver = 2005, 1, 24, 1 | Size = 115832 bytes | Date = 01/24/2005 10:55 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
#SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Date = 11/10/2005 13:22 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
#Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1191424 bytes | Date = 07/06/2006 22:09 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
#PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
##(PC Tools [Ver = 3.6.0.2281 | Size = 839920 bytes | Date = 05/05/2006 13:56 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
#CNavExtBho Class = c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 218240 bytes | Date = 08/30/2004 13:34 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}
#SidebarAutoLaunch Class = C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
##(Yahoo! Inc. [Ver = 2004, 8, 3, 1 | Size = 124032 bytes | Date = 02/03/2005 17:07 | Attr = ])

Internet Explorer Bars, Toolbars and Extensions
#
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
# =
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
#&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2919 (xpsp_sp2_gdr.060529-0150) | Size = 1494016 bytes | Date = 05/29/2006 10:30 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\
#ScriptInocUI Class =
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1191424 bytes | Date = 07/06/2006 22:09 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
#Norton AntiVirus = c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 218240 bytes | Date = 08/30/2004 13:34 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
#HP view = c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
##(Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Date = 11/21/2003 07:26 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
#MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 69746 bytes | Date = 11/10/2005 13:22 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
#MenuText: = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 184423 bytes | Date = 11/10/2005 13:22 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
#ButtonText: Spyware Doctor =
##(File not found)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
#ButtonText: AIM = C:\Program Files\AIM\aim.exe
##(America Online, Inc. [Ver = 5.9.3702 | Size = 67160 bytes | Date = 12/08/2004 17:50 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
# =
##(File not found)

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
#Favorites Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2919 (xpsp_sp2_gdr.060529-0150) | Size = 1494016 bytes | Date = 05/29/2006 10:30 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
#History Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2919 (xpsp_sp2_gdr.060529-0150) | Size = 1494016 bytes | Date = 05/29/2006 10:30 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
#Explorer Band = %SystemRoot%\system32\shdocvw.dll
##(Microsoft Corporation [Ver = 6.00.2900.2919 (xpsp_sp2_gdr.060529-0150) | Size = 1494016 bytes | Date = 05/29/2006 10:30 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp_sp2_gdr.060509-0218) | Size = 1022976 bytes | Date = 05/10/2006 00:23 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1191424 bytes | Date = 07/06/2006 22:09 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
#HP view = c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
##(Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Date = 11/21/2003 07:26 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp_sp2_gdr.060509-0218) | Size = 1022976 bytes | Date = 05/10/2006 00:23 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
#&Links = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) | Size = 8452096 bytes | Date = 03/16/2006 23:03 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1191424 bytes | Date = 07/06/2006 22:09 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385}
#AIM Search = C:\Program Files\AIM Toolbar\AIMBar.dll
##(America Online, Inc [Ver = 2004.00.003 | Size = 172032 bytes | Date = 05/31/2005 23:56 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
#Norton AntiVirus = c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 218240 bytes | Date = 08/30/2004 13:34 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
#HP view = c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
##(Hewlett-Packard Company [Ver = 1.0.0.7 | Size = 98304 bytes | Date = 11/21/2003 07:26 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
#Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
##(Yahoo! Inc. [Ver = 2005, 8, 1, 1 | Size = 342600 bytes | Date = 08/01/2005 14:46 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&AIM Search
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Google Search
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Yahoo! Search
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Backward Links
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
#res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
##(Microsoft Corporation [Ver = 11.0.5612 | Size = 10073144 bytes | Date = 08/13/2003 05:34 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Yahoo! &Dictionary
#
##(File not found)

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Yahoo! &Maps
#
##(File not found)

Approved Shell Extensions (Non-Microsoft only)
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42071714-76d4-11d1-8b24-00a0c9068ff3}
#Display Panning CPL Extension = deskpan.dll
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5464D816-CF16-4784-B9F3-75C0DB52B499}
#YMailShellExt Class = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
##(Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Date = 11/23/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F67036B-66F1-411A-AD85-759FB9C5B0DB}
#SampleView = C:\WINDOWS\system32\ShellvRTF.dll
##(XSS [Ver = 1, 0, 0, 1 | Size = 122880 bytes | Date = 09/20/2002 17:42 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88895560-9AA2-1069-930E-00AA0030EBC8}
#HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll
##(Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
#iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll
##(Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 102400 bytes | Date = 02/23/2006 16:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BDA77241-42F6-11d0-85E2-00AA001FE28C}
#VpshellEx Class = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 40960 bytes | Date = 07/30/2002 12:35 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEE12703-6333-4D4E-8F34-738C4DCC2E04}
#RecordNow! SendToExt = c:\Program Files\Sonic RecordNow!\shlext.dll
##( [Ver = 7.0.0.0 | Size = 73728 bytes | Date = 09/09/2004 10:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79304-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79305-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79306-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0D79307-84BE-11CE-9641-444553540000}
#WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
#RealOne Player Context Menu Class = C:\Program Files\Real\RealPlayer\rpshell.dll
##(RealNetworks, Inc. [Ver = 1.0.1.1798 | Size = 49198 bytes | Date = 02/15/2005 09:02 | Attr = ])

ContextMenuHandlers (Non-Microsoft only)
#
##

HKCR\*\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06/16/2006 09:38 | Attr = ])

HKCR\*\shellex\ContextMenuHandlers\LDVPMenu
#{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 40960 bytes | Date = 07/30/2002 12:35 | Attr = ])

HKCR\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
#{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 218240 bytes | Date = 08/30/2004 13:34 | Attr = ])

HKCR\*\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKCR\*\shellex\ContextMenuHandlers\Yahoo! Mail
#{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
##(Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Date = 11/23/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
#{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 40960 bytes | Date = 07/30/2002 12:35 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
#{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
##(Symantec Corporation [Ver = 11.0.2.4 | Size = 218240 bytes | Date = 08/30/2004 13:34 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
#{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 94208 bytes | Date = 06/16/2006 09:38 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
#{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
##(WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 5120 bytes | Date = 12/17/2004 10:00 | Attr = ])

ColumnHandlers (Non-Microsoft only)
#
##

Registry Run Keys
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AGRSMMSG
#AGRSMMSG.exe
##(Agere Systems [Ver = 2.1.51 2.1.51 03/04/2005 12:01:54 | Size = 88209 bytes | Date = 03/04/2005 13:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ccApp
#"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 58488 bytes | Date = 08/27/2004 18:22 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HotKeysCmds
#C:\WINDOWS\system32\hkcmd.exe
##(Intel Corporation [Ver = 3.0.0.3943 | Size = 126976 bytes | Date = 11/02/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HPHmon06
#C:\WINDOWS\system32\hphmon06.exe
##(Hewlett-Packard [Ver = 6,0,72 | Size = 659456 bytes | Date = 06/07/2004 13:42 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HPHUPD06
#c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
##(Hewlett-Packard [Ver = 6,0,72 | Size = 49152 bytes | Date = 06/07/2004 13:53 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hpsysdrv
#c:\windows\system\hpsysdrv.exe
##(Hewlett-Packard Company [Ver = 1, 7, 0, 0 | Size = 52736 bytes | Date = 05/07/1998 11:04 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iTunesHelper
#"C:\Program Files\iTunes\iTunesHelper.exe"
##(Apple Computer, Inc. [Ver = 6.0.4.2 | Size = 278528 bytes | Date = 02/23/2006 16:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck
#%systemroot%\system32\dumprep 0 -k
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Picasa Media Detector
#C:\Program Files\Picasa2\PicasaMediaDetector.exe
##(Google Inc. [Ver = 2.1.0 | Size = 421888 bytes | Date = 03/15/2006 18:07 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PRISMSVR.EXE
#"C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PS2
#C:\WINDOWS\system32\ps2.exe
##(Hewlett-Packard Company [Ver = 1.0.2.2.112404 | Size = 90112 bytes | Date = 10/25/2004 16:17 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Recguard
#C:\WINDOWS\SMINST\RECGUARD.EXE
##( [Ver = 5, 0, 44, 2 | Size = 233472 bytes | Date = 04/14/2004 15:43 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\REGSHAVE
#C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
##(FUJI PHOTO FILM CO., LTD. [Ver = 3.0.0.4 | Size = 53248 bytes | Date = 02/04/2002 23:32 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched
#C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
##(Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 36975 bytes | Date = 11/10/2005 13:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\URLLSTCK.exe
#c:\Program Files\Norton Internet Security\UrlLstCk.exe
##(Symantec Corporation [Ver = 8.0.0.64 | Size = 33936 bytes | Date = 08/30/2004 21:29 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vptray
#C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 77824 bytes | Date = 07/30/2002 12:35 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Windows Defender
#"C:\Program Files\Windows Defender\MSASCui.exe" -hide
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 777424 bytes | Date = 04/03/2006 18:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\YBrowser
#C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
##(Yahoo!, Inc. [Ver = 2003, 12, 9, 1 | Size = 57344 bytes | Date = 12/09/2003 14:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
#Installed = 1
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
#Installed = 1
##

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ctfmon.exe
#C:\WINDOWS\system32\ctfmon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Date = 08/04/2004 06:00 | Attr = ])

Startup Lnks
#
##

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
#C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
##(Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 110592 bytes | Date = 01/07/2002 00:07 | Attr = ])

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
#C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
##( [Ver = | Size = 84 bytes | Date = 10/15/2004 05:38 | Attr = HS])

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
#C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
##(Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Date = 11/04/2004 22:28 | Attr = ])

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\desktop.ini
#C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\desktop.ini
##( [Ver = | Size = 84 bytes | Date = 10/15/2004 05:38 | Attr = HS])

Disabled MSConfig Items
#
##

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\ctfmon.exe
#ctfmon = C:\WINDOWS\system32\ctfmon.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 15360 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\MSMSGS
#msmsgs = "C:\Program Files\Messenger\msmsgs.exe" /background
##(Microsoft Corporation [Ver = 4.7.3001 | Size = 1694208 bytes | Date = 10/13/2004 11:24 | Attr = ])

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\Yahoo! Pager
#ypager = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
##( [Ver = | Size = 3092480 bytes | Date = 08/15/2005 15:24 | Attr = ])

User Agent Post Platform
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\SV1
#
##

AppInit DLLs
#
##

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
#
##(File not found)

Image File Execution Options
#
##

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
#Debugger = ntsd -d
##

Shell Service Object Delay Load
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\CDBurn
#{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) | Size = 8452096 bytes | Date = 03/16/2006 23:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\PostBootReminder
#{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) | Size = 8452096 bytes | Date = 03/16/2006 23:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\SysTray
#{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 121856 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck
#{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 276480 bytes | Date = 08/04/2004 06:00 | Attr = ])

Shell Execute Hooks
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}
#Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WINDOW~4\MpShHook.dll
##(Microsoft Corporation [Ver = 1.1.1347.0 | Size = 81616 bytes | Date = 04/03/2006 18:12 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8}
#CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll
##(Anti-Malware Development a.s. [Ver = 4, 0, 0, 172 | Size = 73728 bytes | Date = 06/16/2006 09:38 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
# =
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
#URL Exec Hook = shell32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2869 (xpsp_sp2_gdr.060316-1512) | Size = 8452096 bytes | Date = 03/16/2006 23:03 | Attr = ])

Shared Task Scheduler
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1}
#Browseui preloader = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp_sp2_gdr.060509-0218) | Size = 1022976 bytes | Date = 05/10/2006 00:23 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030}
#Component Categories cache daemon = %SystemRoot%\system32\browseui.dll
##(Microsoft Corporation [Ver = 6.00.2900.2904 (xpsp_sp2_gdr.060509-0218) | Size = 1022976 bytes | Date = 05/10/2006 00:23 | Attr = ])

Winlogon
#
##

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
#C:\WINDOWS\system32\userinit.exe,
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
#Explorer.exe
##(Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1032192 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
#
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
#crypt32.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 597504 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
#cryptnet.dll
##(Microsoft Corporation [Ver = 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 63488 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
#cscdll.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 101888 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
#igfxsrvc.dll
##(Intel Corporation [Ver = 3.0.0.3943 | Size = 348160 bytes | Date = 11/02/2004 10:59 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
#C:\WINDOWS\system32\NavLogon.dll
##( [Ver = | Size = 45056 bytes | Date = 07/30/2002 12:33 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
#sclgntfy.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 20992 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
#WlNotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 06:00 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
#WgaLogon.dll
##(Microsoft Corporation [Ver = 1.5.0540.0 | Size = 702768 bytes | Date = 06/19/2006 16:20 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
#wlnotify.dll
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 92672 bytes | Date = 08/04/2004 06:00 | Attr = ])

DNS Name Servers
#
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5895494B-44C3-4B5F-8D9F-D613F84E3E47}
# (1394 Net Adapter)
##

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9BBC6F92-11B7-4E30-99FE-2B39006BF236}
# (Realtek RTL8139/810x Family Fast Ethernet NIC)
##

Winsock2 Catalogs (Non-Microsoft only)
#
##

Protocol Handlers (Non-Microsoft only)
#
##

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ipp
#
##(File not found)

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp
#
##(File not found)

Protocol Filters (Non-Microsoft only)
#
##



[Start Post #2]

Services
Name--Internal Name--Startup Type--State--Service Type--
#Path
##(Version Info)

Application Layer Gateway Service--ALG--On Demand--Running--Win32, running in it's own process--
#C:\WINDOWS\System32\alg.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 44544 bytes | Date = 08/04/2004 06:00 | Attr = ])

Windows Audio--AudioSrv--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\System32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

Computer Browser--Browser--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

Symantec Event Manager--ccEvtMgr--Automatic--Running--Win32, running in it's own process--
#"c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 197752 bytes | Date = 08/27/2004 18:22 | Attr = ])

Symantec Network Proxy--ccProxy--Automatic--Running--Win32, running in it's own process--
#"c:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 234616 bytes | Date = 08/27/2004 18:22 | Attr = ])

Symantec Settings Manager--ccSetMgr--Automatic--Running--Win32, running in it's own process--
#"c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
##(Symantec Corporation [Ver = 103.0.2.10 | Size = 164984 bytes | Date = 08/27/2004 18:22 | Attr = ])

Cryptographic Services--CryptSvc--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

DCOM Server Process Launcher--DcomLaunch--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost -k DcomLaunch
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

DefWatch--DefWatch--Automatic--Running--Win32, running in it's own process--
#"C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
##(Symantec Corporation [Ver = 8.00.00.9374 | Size = 32768 bytes | Date = 07/30/2002 12:36 | Attr = ])

DHCP Client--Dhcp--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

DNS Client--Dnscache--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost.exe -k NetworkService
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

Error Reporting Service--ERSvc--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\System32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 | Attr = ])

Event Log--Eventlog--Automatic--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\services.exe
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 108032 bytes | Date = 08/04/2004 06:00 | Attr = ])

COM+ Event System--EventSystem--On Demand--Running--Win32, running in a shared process--
#C:\WINDOWS\system32\svchost.exe -k netsvcs
##(Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 14336 bytes | Date = 08/04/2004 06:00 |

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:11:46 AM

Posted 04 August 2006 - 05:09 AM

Looks like your WinPFind2 log got cut off. Can you please paste the rest of it starting where it left off? :thumbsup:

---

Go to Start > Run, type in: regedit, then OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export.
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]


Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.
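The triage Rawe does by eye above (spot the ShellExecuteHooks entry with an empty name and "File not found" behind it, then draft a .reg that removes it) written out as an added Python example; this is not part of the original post and not WinPFind2's own code. The sample log is a constructed excerpt in the thread's three-line record format, using entries that appear in the log above. It assumes WinPFind2's doubled backslash separates a key from a value name (as in `Run\\ccApp`), so the draft uses REGEDIT4's value-deletion form (`"name"=-`) under the ShellExecuteHooks key rather than deleting a subkey. It also generalises slightly: every "File not found" record is listed with a triage hint, because a path that still contains an unexpanded `%...%` variable (the KernelFaultCheck line in the log) is a scanner artefact to verify by hand, not an orphaned entry.

```python
"""Triage a WinPFind2-style autostart listing and draft a REGEDIT4 fix.

Added example for this thread; not part of WinPFind2 or of the original post.
Record format assumed (as in the log above): a location line, a '#' value
line and a '##' version-info line, with '##(File not found)' when the
scanner could not locate the file.
"""
import re
from typing import Dict, List, Tuple

HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
}

# Constructed excerpt in the thread's format: one Microsoft hook with version
# info, the orphaned hook the thread's fix targets, and the KernelFaultCheck
# Run entry whose path the scanner could not expand.
SAMPLE_LOG = r"""
Shell Execute Hooks
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
#URL Exec Hook = shell32.dll
##(Microsoft Corporation [Ver = 6.00.2900.2869 | Size = 8452096 bytes | Date = 03/16/2006 23:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
# =
##(File not found)

Registry Run Keys
#
##

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck
#%systemroot%\system32\dumprep 0 -k
##(File not found)
"""


def parse_records(text: str) -> List[Dict[str, object]]:
    """Group the log into records of (location, value, info, missing)."""
    lines = text.splitlines()
    records: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line or line.startswith("#"):
            i += 1  # blank line or stray comment line
            continue
        value = lines[i + 1][1:] if i + 1 < len(lines) and lines[i + 1].startswith("#") else ""
        info = lines[i + 2][2:] if i + 2 < len(lines) and lines[i + 2].startswith("##") else ""
        records.append({
            "location": line,
            "value": value.strip(),
            "info": info.strip(),
            "missing": "(File not found)" in info,
        })
        i += 3
    return records


def missing_file_entries(records) -> List[Tuple[str, str]]:
    """Every record whose file was not found, with a triage hint.

    A path that still contains %...% was not expanded by the scanner, so
    'File not found' there needs manual verification before anything is
    removed; an entry with no variable and no file is genuinely orphaned.
    """
    out: List[Tuple[str, str]] = []
    for r in records:
        if not r["missing"]:
            continue
        if re.search(r"%[^%]+%", str(r["value"])):
            out.append((str(r["location"]), "unexpanded variable, verify manually"))
        else:
            out.append((str(r["location"]), "no file behind entry"))
    return out


def orphaned_hooks(records) -> List[Dict[str, object]]:
    """ShellExecuteHooks entries with no file behind them.

    Hooks registered here are picked up by Explorer and anything calling
    ShellExecute, so a nameless entry with no file is a leftover worth
    removing; entries with version info are never flagged.
    """
    return [r for r in records
            if "\\ShellExecuteHooks\\\\" in str(r["location"]) and r["missing"]]


def regedit4_delete_value(location: str) -> str:
    r"""Draft a REGEDIT4 fragment deleting the value named in 'location'.

    WinPFind2 writes Key\\ValueName with a doubled backslash (Run\\ccApp in
    the log above), so the GUID entry is treated as a value, not a subkey,
    and removed with the "name"=- value-deletion syntax (assumption).
    """
    key, _, name = location.partition("\\\\")
    hive, _, rest = key.partition("\\")
    full_key = HIVES.get(hive, hive) + "\\" + rest
    return f'REGEDIT4\n\n[{full_key}]\n"{name}"=-\n'


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for loc, hint in missing_file_entries(recs):
        print(f"{hint}: {loc}")
    for hook in orphaned_hooks(recs):
        print(regedit4_delete_value(str(hook["location"])))
```

Run it against a saved WinPFind2 log by reading the file into `parse_records` instead of `SAMPLE_LOG`; the drafted fragment is only a starting point and should be reviewed against the registry backup made in the steps above before it is merged.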