Strange Happenings


7 replies to this topic

#1 daplat


Posted 23 August 2006 - 07:03 PM

I just got rid of "WinFixer" last week. Now, every time I open "My Computer" and then try to open one of my drives, I get a pop-up for "Windows Data Prevention", and then it tells me it's going to close Explorer.
Also, Internet Explorer opens up at random in my process list. Is there a way to disable IE without risking system stability for updates and such? I use Mozilla for the web.

Here's my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:53:19 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\geek\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.165.130.93:8080
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by daplat, 23 August 2006 - 08:20 PM.


#2 daplat


Posted 24 August 2006 - 04:58 PM

??

#3 OldTimer

Malware Expert

Posted 03 September 2006 - 01:15 PM

Hello daplat and welcome to the BC HijackThis forum. I don't see any problems in the log. It shows as clean.

Let's try a different scanner and see what it shows us.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • In the File Options group click the 'Select All' button and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Jobs.def
    • Policies.def
    • Security.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 daplat


Posted 04 September 2006 - 08:50 AM

Thanks! I will do that right now. Also, this has started just within the past few days. I get "Windows Data Execution Prevention will now close this program" every time I open Firefox. iexplorer opens in processes when this happens as well. It happens 5 or 6 times and then just disappears.

#5 daplat


Posted 04 September 2006 - 09:05 AM


*Edit: nice prog, btw. Here's the log.

Logfile created on: 09/04/2006 08:58
WinPFind2 by OldTimer - Version 1.0.8 Folder = C:\Documents and Settings\geek\Desktop\winpfind2\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\program files\symantec\liveupdate\aluschedulersvc.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccapp.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccevtmgr.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccsetmgr.exe - (Symantec Corporation )
c:\program files\mozilla firefox\firefox.exe - (Mozilla Corporation )
c:\windows\system32\gearsec.exe - (GEAR Software )
c:\program files\norton antivirus\navapsvc.exe - (Symantec Corporation )
c:\program files\norton antivirus\iwp\npfmntor.exe - (Symantec Corporation )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\common files\symantec shared\sndsrvc.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe - (Symantec Corporation )
c:\program files\alienguise\wbload.exe - (Stardock Systems, Inc )
c:\documents and settings\geek\desktop\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Local Page - C:\windows\system32\blank.htm
HKCU->Main\\Start Page - http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride -

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - IeCatch5 Class = C:\PROGRA~1\FlashGet\jccatch.dll (FlashGet )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc. )
{BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
{F7CD4728-F73E-4269-873D-B19832C340C1} - = C:\WINDOWS\system32\awvvv.dll ( )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
{E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar = C:\PROGRA~1\FlashGet\fgiebar.dll (Amaze Soft )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8195 - Sun Java Console
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - 8193 - Reg Data missing or invalid
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8192 - Reg Data missing or invalid
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - 8194 - &FlashGet
NextId - 8196

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc. )
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - ButtonText: FlashGet = C:\PROGRA~1\FlashGet\flashget.exe (FlashGet.com )

[HKCU-> Internet Explorer Menu Extensions]
Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm ( )
Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm ( )
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 (File not found))

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{00020000-0000-1011-8004-0000C06B5161} - WIBU-SYSTEMS Shell Extension = C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll (WIBU-SYSTEMS AG )
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = Reg Data missing or invalid (File not found))
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll ( )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll ( )
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll ( )
{2B3453E4-49DF-11D3-8229-0080BE509050} - GMail Drive = C:\WINDOWS\system32\ShellExt\GMailFS.dll (Bjarke Viksoe )
{2B3453E4-49DF-11D3-8229-0080BE509052} - GMailFS Property Sheet = C:\WINDOWS\system32\ShellExt\GMailFS.dll (Bjarke Viksoe )
{2B3453E4-49DF-11D3-8229-0080BE509054} - GMailFS Drop Handler = C:\WINDOWS\system32\ShellExt\GMailFS.dll (Bjarke Viksoe )
{2B3453E4-49DF-11D3-8229-0080BE509056} - GMailFS Context Menu = C:\WINDOWS\system32\ShellExt\GMailFS.dll (Bjarke Viksoe )
{30B581E1-E01A-4F8E-A121-233ED0ABC9BD} - Mediafour XPlay Explorer Namespace Extension = C:\Program Files\Mediafour\XPlay\XPNAMESP.DLL (Mediafour Corporation )
{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll (Alcohol Soft Development Team )
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{51131DA7-1D24-40e5-AE07-5E3750F5DE3C} - ContextMenuExt Extension = C:\WINDOWS\system32\CopyToSendTo.dll ( )
{65FD6790-9907-417A-BA42-4F76961DA990} - Mediafour XPlay Folder Protection = C:\Program Files\Mediafour\XPlay\XPFPROT.DLL ( )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = Reg Data missing or invalid (File not found))
{A08FB30D-51C4-4E54-AA5E-FF18739802EA} - Mediafour Mac Volume Icons = C:\Program Files\Common Files\Mediafour\MACVICON.DLL (Mediafour Corporation )
{A100D2CC-1015-4986-9205-979EA27FCDDB} - Mediafour XPlay Autosync Context Menu = C:\Program Files\Mediafour\XPlay\XPSYNC.DLL (Mediafour Corporation )
{A37D10A6-3EE8-4b99-A400-8C71E5C7F1DE} - Mediafour XPlay Disconnect Menu = C:\Program Files\Mediafour\XPlay\XPUNPLUG.DLL (Mediafour Corporation )
{A454F2F5-BB5F-4ACE-AD9A-CC33353C7341} - Mediafour Mac file columns = C:\Program Files\Common Files\Mediafour\MACFPROP.DLL (Mediafour Corporation )
{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
{A87C79F7-4C0E-4ae8-A619-B9437BF9EA1F} - Mediafour XPlay Repair Database = C:\Program Files\Mediafour\XPlay\XPDBREPR.DLL (Mediafour Corporation )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
{B8EC5F76-DF86-4996-B1F2-95DE50306AA3} - Mediafour XPlay Device Properties = C:\Program Files\Mediafour\XPlay\XPVPROPS.DLL (Mediafour Corporation )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
{C76B1B2D-37A2-4053-BC8E-D20AB1C0BCAD} - Mediafour XPlay Device Setup Context Menu = C:\Program Files\Mediafour\XPlay\XPDEVSTP.DLL (Mediafour Corporation )
{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} - UnlockerShellExtension = C:\Program Files\Unlocker\UnlockerCOM.dll ( )
{E452F45B-DD18-4ADC-9C9A-2B26F85DABC0} - Mediafour Mac file properties = C:\Program Files\Common Files\Mediafour\MACFPROP.DLL (Mediafour Corporation )
{EE1094C3-46CA-4BC4-AF0F-491FD1072154} - Mediafour XPlay Music Properties = C:\Program Files\Mediafour\XPlay\XPAPROPS.DLL ( )
{F3549E69-4422-4735-9199-2061860A422A} - Mediafour XPlay Restore iPod Context Menu = C:\Program Files\Mediafour\XPlay\XPRESTOR.DLL (Mediafour Corporation )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - CopyMoveTo - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\WINDOWS\system32\CopyToSendTo.dll ( )
* - ewido - {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll (ewido networks )
* - Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
* - UnlockerShellExtension - {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll ( )
* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory - CopyMoveTo - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\WINDOWS\system32\CopyToSendTo.dll ( )
Directory - ewido - {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll (ewido networks )
Directory - UnlockerShellExtension - {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll ( )
Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory\Background - 00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll ( )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation )
Directory\Background - NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
Folder - CopyMoveTo - {51131DA7-1D24-40e5-AE07-5E3750F5DE3C} = C:\WINDOWS\system32\CopyToSendTo.dll ( )
Folder - Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
Folder - UnlockerShellExtension - {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Program Files\Unlocker\UnlockerCOM.dll ( )
Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {00020000-0000-1011-8004-0000C06B5161} - WIBU-SYSTEMS Shell Extension = C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll (WIBU-SYSTEMS AG )
Folder - {A454F2F5-BB5F-4ACE-AD9A-CC33353C7341} - Mediafour Mac file columns = C:\Program Files\Common Files\Mediafour\MACFPROP.DLL (Mediafour Corporation )
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

[>> Registry Run Keys <<]
HKLM->Run\\ccApp - "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation )
HKLM->Run\\H2O - C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe (Team H2O )
HKLM->Run\\H2OWIBU - C:\Program Files\WIBUKEY\H2O\CXWibu.exe (H2O )
HKLM->Run\\IgfxTray - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation )
HKLM->Run\\NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found))
HKLM->Run\\NvMediaCenter - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (File not found))
HKLM->Run\\nwiz - nwiz.exe /install ( )
HKLM->Run\\Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer (Symantec Corporation )
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKCU->Run\\ - (File not found))
HKCU->Run\\SetDefaultMIDI - MIDIDef.exe (Creative Technology Ltd )

[>> Startup Lnks <<]
HKLM->Common Startup - desktop.ini - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ( )
HKCU->Startup - desktop.ini - C:\Documents and Settings\geek\Start Menu\Programs\Startup\desktop.ini ( )

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
SV1 -

[>> AppInit DLLs <<]

[>> Image File Execution Options <<]
Your Image File Name Here without a path - Debugger = ntsd -d

[>> Shell Service Object Delay Load <<]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation )
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation )

[>> Shell Execute Hooks <<]
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WINDOW~4\MpShHook.dll (Microsoft Corporation )
{54D9498B-CF93-414F-8984-8CE7FDE0D391} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-malware\shellhook.dll ( )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[>> Shared Task Scheduler <<]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )

[>> Winlogon <<]
UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
Shell - Explorer.exe (Microsoft Corporation )
System - (File not found))
Notify\awvvv - C:\WINDOWS\system32\awvvv.dll ( )
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\igfxcui - igfxsrvc.dll (Intel Corporation )
Notify\MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll (Mediafour Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WB - C:\Program Files\AlienGUIse\fastload.dll (Stardock )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\winghy32 - winghy32.dll (File not found))
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{F44B386C-5D66-4DBB-82F6-452B698C2214} - (Broadcom 440x 10/100 Integrated Controller)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
Automatic LiveUpdate Scheduler (Automatic LiveUpdate Scheduler) - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Event Manager (ccEvtMgr) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Settings Manager (ccSetMgr) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
gearsec (gearsec) - C:\WINDOWS\system32\gearsec.exe (GEAR Software ) [Automatic - Running - Win32, running in it's own process]
Norton AntiVirus Auto-Protect Service (navapsvc) - "C:\Program Files\Norton AntiVirus\navapsvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Norton AntiVirus Firewall Monitor Service (NPFMntor) - "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
NVIDIA Display Driver Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Network Drivers Service (SNDSrvc) - "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec SPBBCSvc (SPBBCSvc) - "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Core LC (Symantec Core LC) - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]

< Files >

%SystemDrive%

%ProgramFilesDir%

%WinDir%
C:\WINDOWS\RootkitRevealer.exe - UPX! (Sysinternals - www.sysinternals.com [Ver = 1.55 | Size = 97792 bytes | Date = 01/12/2006 20:31 | Attr = ])
C:\WINDOWS\upx.exe - UPX! (The UPX Team http://upx.sf.net [Ver = 1.25 | Size = 126464 bytes | Date = 01/12/2006 20:45 | Attr = ])

%System%
C:\WINDOWS\SYSTEM32\d3dx9_25.dll - aspack (Microsoft Corporation [Ver = 9.06.168.0000 | Size = 2337488 bytes | Date = 03/18/2005 17:19 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_26.dll - aspack (Microsoft Corporation [Ver = 9.07.239.0000 | Size = 2297552 bytes | Date = 05/26/2005 09:34 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_27.dll - aspack (Microsoft Corporation [Ver = 9.08.299.0000 | Size = 2319568 bytes | Date = 07/22/2005 13:59 | Attr = ])
C:\WINDOWS\SYSTEM32\d3dx9_28.dll - aspack (Microsoft Corporation [Ver = 9.10.455.0000 | Size = 2323664 bytes | Date = 12/05/2005 12:09 | Attr = ])
C:\WINDOWS\SYSTEM32\dfrg.msc - PEC2 ( [Ver = | Size = 41397 bytes | Date = 01/12/2006 20:47 | Attr = ])
C:\WINDOWS\SYSTEM32\LegitCheckControl.dll - PTech (Microsoft Corporation [Ver = 1.5.0540.0 | Size = 571184 bytes | Date = 06/19/2006 16:19 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - PECompact2 (Microsoft Corporation [Ver = 1.19.1567.0 | Size = 8325544 bytes | Date = 08/09/2006 14:03 | Attr = ])
C:\WINDOWS\SYSTEM32\MRT.exe - aspack (Microsoft Corporation [Ver = 1.19.1567.0 | Size = 8325544 bytes | Date = 08/09/2006 14:03 | Attr = ])
C:\WINDOWS\SYSTEM32\msnsc.exe - UPX! (dgelwin [Ver = 0. 0. 0. 0 | Size = 62054 bytes | Date = 01/12/2006 20:36 | Attr = ])
C:\WINDOWS\SYSTEM32\MSVirtualCD.cpl - UPX! ( [Ver = 1, 0, 0, 1 | Size = 55296 bytes | Date = 01/12/2006 20:43 | Attr = ])
C:\WINDOWS\SYSTEM32\ntbackup.exe - WSUD (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 1200128 bytes | Date = 01/12/2006 20:38 | Attr = ])
C:\WINDOWS\SYSTEM32\ntdll.dll - aspack (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 708096 bytes | Date = 01/12/2006 20:53 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - WSUD (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 01/12/2006 20:35 | Attr = ])
C:\WINDOWS\SYSTEM32\rasdlg.dll - Umonitor (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 657920 bytes | Date = 01/12/2006 20:36 | Attr = ])
C:\WINDOWS\SYSTEM32\TweakUI.cpl - UPX! ( [Ver = 1, 0, 0, 1 | Size = 55296 bytes | Date = 01/12/2006 20:11 | Attr = ])
C:\WINDOWS\SYSTEM32\VCdControlTool.exe - UPX! ( [Ver = 1, 0, 0, 1 | Size = 12288 bytes | Date = 01/12/2006 20:54 | Attr = ])
C:\WINDOWS\SYSTEM32\VSFilter.dll - UPX! (Gabest [Ver = 1, 0, 1, 2 | Size = 301056 bytes | Date = 01/12/2006 20:38 | Attr = ])
C:\WINDOWS\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 01/12/2006 20:54 | Attr = ])
C:\WINDOWS\SYSTEM32\WgaTray.exe - PTech (Microsoft Corporation [Ver = 1.5.0540.0 | Size = 304944 bytes | Date = 06/19/2006 16:19 | Attr = ])
C:\WINDOWS\SYSTEM32\wmploc.dll - WSUD (Microsoft Corporation [Ver = 11.0.5358.4827 (WMP_11.060509-2009) | Size = 7706112 bytes | Date = 05/09/2006 22:26 | Attr = ])

%System%\Drivers folder and sub-folders

%windir% + sub-dirs for System or Hidden files less than 60 days old
C:\WINDOWS\bootstat.dat - ( [Ver = | Size = 2048 bytes | Date = 09/04/2006 08:18 | Attr = S])
C:\WINDOWS\system32\vvvwa.bak1 - ( [Ver = | Size = 1338334 bytes | Date = 09/01/2006 15:45 | Attr = HS])
C:\WINDOWS\system32\vvvwa.bak2 - ( [Ver = | Size = 1338403 bytes | Date = 09/04/2006 08:26 | Attr = HS])
C:\WINDOWS\system32\vvvwa.ini2 - ( [Ver = | Size = 573560 bytes | Date = 09/04/2006 08:55 | Attr = HS])
C:\WINDOWS\system32\vvvwa.tmp - ( [Ver = | Size = 860918 bytes | Date = 08/04/2006 20:24 | Attr = HS])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat - ( [Ver = | Size = 23751 bytes | Date = 07/28/2006 07:16 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat - ( [Ver = | Size = 10925 bytes | Date = 07/21/2006 04:03 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat - ( [Ver = | Size = 13050 bytes | Date = 07/13/2006 09:24 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat - ( [Ver = | Size = 10925 bytes | Date = 07/14/2006 11:13 | Attr = S])
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat - ( [Ver = | Size = 10925 bytes | Date = 07/14/2006 10:53 | Attr = S])
C:\WINDOWS\system32\config\default.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/04/2006 08:24 | Attr = H ])
C:\WINDOWS\system32\config\SAM.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/04/2006 08:18 | Attr = H ])
C:\WINDOWS\system32\config\SECURITY.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/04/2006 08:19 | Attr = H ])
C:\WINDOWS\system32\config\software.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/04/2006 08:50 | Attr = H ])
C:\WINDOWS\system32\config\system.LOG - ( [Ver = | Size = 1024 bytes | Date = 09/04/2006 08:21 | Attr = H ])
C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG - ( [Ver = | Size = 1024 bytes | Date = 08/13/2006 12:10 | Attr = H ])
C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf - ( [Ver = | Size = 0 bytes | Date = 08/28/2006 19:17 | Attr = H ])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\d5842670-200f-442c-8970-304bd9c060d5 - ( [Ver = | Size = 388 bytes | Date = 07/30/2006 20:57 | Attr = HS])
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred - ( [Ver = | Size = 24 bytes | Date = 07/30/2006 20:57 | Attr = HS])
C:\WINDOWS\Tasks\MP Scheduled Scan.job - ( [Ver = | Size = 330 bytes | Date = 09/04/2006 08:21 | Attr = H ])
C:\WINDOWS\Temp\SOFTWARE.LOG - ( [Ver = | Size = 0 bytes | Date = 08/28/2006 00:06 | Attr = H ])
C:\WINDOWS\Temp\SYSTEM.LOG - ( [Ver = | Size = 0 bytes | Date = 08/28/2006 00:06 | Attr = H ])
CPL files -
C:\WINDOWS\SYSTEM32\ac3filter.cpl - ( [Ver = 0.70b | Size = 180224 bytes | Date = 01/12/2006 20:31 | Attr = ])
C:\WINDOWS\SYSTEM32\AdvUninstCPL.cpl - ( [Ver = | Size = 41984 bytes | Date = 01/17/2004 17:09 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 01/12/2006 20:56 | Attr = ])
C:\WINDOWS\SYSTEM32\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 01/12/2006 20:51 | Attr = ])
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 01/12/2006 20:20 | Attr = ])
C:\WINDOWS\SYSTEM32\DirectVobSub.cpl - ( [Ver = | Size = 4608 bytes | Date = 01/12/2006 20:41 | Attr = ])
C:\WINDOWS\SYSTEM32\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2732 (xpsp.050803-1538) | Size = 80896 bytes | Date = 01/12/2006 21:05 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 01/12/2006 20:33 | Attr = ])
C:\WINDOWS\SYSTEM32\igfxcpl.cpl - (Intel Corporation [Ver = 3.0.0.4020 | Size = 94208 bytes | Date = 01/23/2005 03:33 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 358400 bytes | Date = 01/12/2006 20:18 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 01/12/2006 20:50 | Attr = ])
C:\WINDOWS\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 01/12/2006 21:01 | Attr = ])
C:\WINDOWS\SYSTEM32\javacpl.cpl - (Sun Microsystems, Inc. [Ver = 6.0.0.59g | Size = 34304 bytes | Date = 06/02/2006 21:50 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 01/12/2006 20:41 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 161792 bytes | Date = 01/12/2006 20:26 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 01/12/2006 20:12 | Attr = ])
C:\WINDOWS\SYSTEM32\MSVirtualCD.cpl - ( [Ver = 1, 0, 0, 1 | Size = 55296 bytes | Date = 01/12/2006 20:43 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 01/12/2006 20:23 | Attr = ])
C:\WINDOWS\SYSTEM32\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 01/12/2006 20:32 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 01/12/2006 20:35 | Attr = ])
C:\WINDOWS\SYSTEM32\nvcpl.cpl - (NVIDIA Corporation [Ver = 1.2.1.11 | Size = 69632 bytes | Date = 06/01/2006 17:22 | Attr = ])
C:\WINDOWS\SYSTEM32\nvtuicpl.cpl - ( [Ver = | Size = 73728 bytes | Date = 06/01/2006 17:22 | Attr = ])
C:\WINDOWS\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 01/12/2006 20:35 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 01/12/2006 20:10 | Attr = ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 01/12/2006 20:54 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 01/12/2006 20:36 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 01/12/2006 21:02 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 01/12/2006 20:54 | Attr = ])
C:\WINDOWS\SYSTEM32\TweakUI.cpl - ( [Ver = 1, 0, 0, 1 | Size = 55296 bytes | Date = 01/12/2006 20:11 | Attr = ])
C:\WINDOWS\SYSTEM32\WibuKe32.cpl - (WIBU-SYSTEMS AG [Ver = Version 5.00a of 2005-May-10 | Size = 1228800 bytes | Date = 05/09/2005 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 01/12/2006 20:47 | Attr = ])
C:\WINDOWS\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 01/12/2006 20:51 | Attr = ])

AllUsers Startup Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 06/02/2006 02:41 | Attr = HS])

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 06/02/2006 03:26 | Attr = HS])

CurrentUser Startup Folder
C:\Documents and Settings\geek\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 06/02/2006 02:41 | Attr = HS])

CurrentUser ApplicationData Folder
C:\Documents and Settings\geek\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 06/02/2006 03:26 | Attr = HS])
C:\Documents and Settings\geek\Application Data\iPod Access v2 Prefs - ( [Ver = | Size = 133 bytes | Date = 08/16/2006 02:54 | Attr = ])
C:\Documents and Settings\geek\Application Data\iPodAccess_OwnerName - ( [Ver = | Size = 42 bytes | Date = 06/16/2006 12:32 | Attr = H ])
C:\Documents and Settings\geek\Application Data\iPodAccess_Time - ( [Ver = | Size = 11 bytes | Date = 06/16/2006 12:29 | Attr = H ])

DPF files
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.6.0 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Hosts file = 770 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -
127.0.0.1 serial.alcohol-soft.com -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 00 03 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 6D 02 00 00 29 00 00 00 9E 00 00 00 94 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %SystemRoot%\ALX_1600x1200.bmp
Desktop\General\\WallpaperFileTime - 9A 52 DB B8 B7 86 C6 01
Desktop\General\\WallpaperLocalFileTime - 9A BA 9F 1A C0 86 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %SystemRoot%\ALX_1600x1200.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 05 00 00 00 03 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Jobs.def<<<<

DIR - C:\WINDOWS\tasks\*.* - Parameters = Include SubFolders
C:\WINDOWS\tasks\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 01/12/2006 20:42 | Attr = RH ])
C:\WINDOWS\tasks\MP Scheduled Scan.job - ( [Ver = | Size = 330 bytes | Date = 09/04/2006 08:21 | Attr = H ])
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - geek.job - ( [Ver = | Size = 528 bytes | Date = 06/16/2006 14:05 | Attr = ])
C:\WINDOWS\tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 06/19/2006 23:51 | Attr = H ])

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoRemoteRecursiveEvents - 1
policies\Explorer\run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\NoInternetIcon - 0
policies\Explorer\\ClearRecentDocsOnExit - 1
policies\Explorer\\NoLowDiskSpaceChecks - 1
policies\Explorer\\NoSaveSettings - 0
policies\Explorer\Run -

>>>>Output for AddOn file Security.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Security Center -
Security Center\\FirstRunDisabled - 1
Security Center\\AntiVirusDisableNotify - 0
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0
Security Center\Monitoring -
Security Center\Monitoring\AhnlabAntiVirus -
Security Center\Monitoring\ComputerAssociatesAntiVirus -
Security Center\Monitoring\KasperskyAntiVirus -
Security Center\Monitoring\McAfeeAntiVirus -
Security Center\Monitoring\McAfeeFirewall -
Security Center\Monitoring\PandaAntiVirus -
Security Center\Monitoring\PandaFirewall -
Security Center\Monitoring\SophosAntiVirus -
Security Center\Monitoring\SymantecAntiVirus -
Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring - 1
Security Center\Monitoring\SymantecFirewall -
Security Center\Monitoring\SymantecFirewall\\DisableMonitoring - 1
Security Center\Monitoring\TinyFirewall -
Security Center\Monitoring\TrendAntiVirus -
Security Center\Monitoring\TrendFirewall -
Security Center\Monitoring\ZoneLabsFirewall -

KEY - HKLM\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\BITS -
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - RpcSs;
BITS\\DependOnGroup -
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
BITS\Parameters -
BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
BITS\Security -
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
BITS\Enum -
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess -
SharedAccess\\DependOnGroup -
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Start - 4
SharedAccess\\Type - 32
SharedAccess\Epoch -
SharedAccess\Epoch\\Epoch - 6506
SharedAccess\Parameters -
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy -
SharedAccess\Parameters\FirewallPolicy\DomainProfile -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5
SharedAccess\Parameters\FirewallPolicy\StandardProfile -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe - C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Azureus\Azureus.exe - C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe - C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\Loader\aolload.exe - C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1149705978\ee\aolsoftware.exe - C:\Program Files\Common Files\AOL\1149705978\ee\aolsoftware.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1149705978\ee\aim6.exe - C:\Program Files\Common Files\AOL\1149705978\ee\aim6.exe:*:Enabled:AIM
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\iTunes\iTunes.exe - C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1150782039\ee\aolsoftware.exe - C:\Program Files\Common Files\AOL\1150782039\ee\aolsoftware.exe:*:Enabled:AOL Services
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Common Files\AOL\1150782039\ee\aim6.exe - C:\Program Files\Common Files\AOL\1150782039\ee\aim6.exe:*:Enabled:AIM
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\EA GAMES\Battlefield 2\BF2.exe - C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2
SharedAccess\Setup -
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate -
SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All - 1
SharedAccess\Enum -
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

KEY - HKLM\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv -
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
wuauserv\Parameters -
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security -
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
wuauserv\Enum -
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

< End of report >

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 September 2006 - 10:32 AM

Hi daplat. That showed us what we were looking for. Please do the following:

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
OK. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with the log file from VundoFix and details of any problems you encountered performing the above steps and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 daplat

daplat
  • Topic Starter

  • Members
  • 11 posts

Posted 04 September 2006 - 07:17 PM

Ok, seems to be working fine. No IE opening at random when I started Mozilla. VF never gave the option to run as a task, but I ran through anyway. I really appreciate your help, OT, and I will keep you posted if anything "pops up".

Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:09:26 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\geek\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.165.130.93:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7CD4728-F73E-4269-873D-B19832C340C1} - C:\WINDOWS\system32\awvvv.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [H2OWIBU] C:\Program Files\WIBUKEY\H2O\CXWibu.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ozone Installer (OzoneInstallerService) - Nemesis - C:\Program Files\M-Audio Ozone\Install\Ozinst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 September 2006 - 05:17 PM

Hi daplat. Yes, it looks like this is a newer version for VundoFix and it doesn't have that option anymore.

Let's clean out some leftover entries from the infection.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O2 - BHO: (no name) - {F7CD4728-F73E-4269-873D-B19832C340C1} - C:\WINDOWS\system32\awvvv.dll (file missing)
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

I see that you have Ewido installed. Let's run a scan with that also just to see if anything is left.
  • Start ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
Post the Ewido log back here along with a new HijackThis log and I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
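As an added example (not OldTimer's instructions, HijackThis code, or anything from the original thread), here is a small Python triage pass over HijackThis-style O2/O20/O23 log lines. It flags the two patterns singled out above: a BHO or Winlogon Notify registration whose target is marked "(file missing)", which is the orphaned registry entry left behind after the DLL itself was removed, and a Winlogon Notify DLL that is not registered under the Windows directory. The sample log is constructed for the example (the two "(file missing)" lines mirror the ones quoted in the post; the CLSID on the second BHO line is a placeholder, not a real component), and the SYSTEM_ROOT constant is an assumption about the machine being reviewed.

```python
"""Triage HijackThis 1.99.1-style log lines for orphaned and out-of-place
autostart registrations. Added example; not part of HijackThis itself."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the Windows directory of the machine whose log is being reviewed.
SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed sample log. The two "(file missing)" lines mirror the entries
# discussed in the thread; the others are benign stand-ins, and the CLSID on
# the second BHO line is a placeholder rather than a real component.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {F7CD4728-F73E-4269-873D-B19832C340C1} - C:\WINDOWS\system32\awvvv.dll (file missing)
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# "O2 - BHO: ..." / "O20 - Winlogon Notify: ..." / "O23 - Service: ..."
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
MISSING_MARK = "(file missing)"


@dataclass
class Entry:
    section: str            # "O2", "O20", "O23", ...
    kind: str               # "BHO", "Winlogon Notify", "Service"
    name: str               # first " - " separated field (BHO name, Notify subkey, service name)
    clsid: Optional[str]    # {GUID} if one appears between the name and the path
    path: str               # target file with the "(file missing)" marker stripped
    file_missing: bool      # HijackThis could not find the target on disk
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines that are not O-entries."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, kind, detail = m.groups()
    fields = [f.strip() for f in detail.split(" - ")]
    if len(fields) < 2:
        return None
    target = fields[-1]
    missing = target.endswith(MISSING_MARK)
    path = target[: -len(MISSING_MARK)].strip() if missing else target
    clsid = next((f for f in fields[1:-1] if f.startswith("{") and f.endswith("}")), None)
    return Entry(section, kind, fields[0], clsid, path, missing, line)


def in_system_root(path: str) -> bool:
    """True when the path is a full path somewhere below SYSTEM_ROOT."""
    return path.lower().startswith(SYSTEM_ROOT.lower() + "\\")


def review(entry: Entry) -> List[str]:
    """Reasons an entry deserves attention; empty list means nothing stood out."""
    reasons = []
    if entry.section in ("O2", "O20") and entry.file_missing:
        reasons.append("registration points at a file that no longer exists "
                       "(orphan left behind by a removal)")
    if entry.section == "O2" and entry.name == "(no name)":
        reasons.append("unnamed BHO; verify the CLSID and DLL before trusting it")
    if entry.section == "O20" and not in_system_root(entry.path):
        reasons.append("Winlogon Notify DLL is not under %s" % SYSTEM_ROOT)
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged raw log line to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            flagged[entry.raw] = reasons
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

A "(file missing)" entry means the registry key (the BHO CLSID under Browser Helper Objects, or the Winlogon Notify subkey) still exists even though the DLL is gone, so "Fix checked" only deletes a dangling key; that is why these are safe leftovers to remove. A Winlogon Notify entry that points at a DLL which does exist outside the Windows directory is only a prompt to inspect the file, not an automatic removal.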

