Something Messing With Ie And Adaware - Can't Seem To Get Rid. Smitfraud, Ishost Mentioned

8 replies to this topic

#1 Assir

Assir

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:25 PM

Posted 20 September 2006 - 04:52 PM

Every time I open IE after rebooting it has set itself to Work Offline. I thought this had to do with my confirmed smitfraud/ishost infection, but Spybot apparently dealt with that and the symptom's still here. It's not a problem with the Internet connection as Firefox works fine, but I still need IE occasionally. Also, running a scan in AdAware crashes winlogon.exe and I have to reboot - it gets to a certain point in the scan and commits hara-kiri. Ideas?





Logfile of HijackThis v1.99.1
Scan saved at 22:48:16, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\b7cc2271.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\crunner\cproc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Documents and Settings\Assir\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...oo.com/p/d.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [b7cc2271.exe] C:\WINDOWS\system32\b7cc2271.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Broadband Help\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [loaddr] C:\Program Files\GamesforFree\Galactic Hacker\gffapp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [b7cc2271.exe] C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html...2986GB_ZSzeb029
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} (ActiveXPortal Control) - http://72.29.80.113/OCX/gwnet.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/137749cd45d773...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125998113156
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB3C2BF6-A56C-45EA-AD2F-405D784DD97B}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
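As an added example (not part of Assir's post and not code from HijackThis or BleepingComputer), the script below parses the O4 (registry Run key) lines of a log like the one above and applies a few triage heuristics of my own: a machine-generated hex filename, an executable launched from a per-user Local Settings folder, an unknown subfolder under system32, and the same Run name registered in both HKLM and HKCU with different targets. The sample input is a handful of O4 lines copied from the log above; the heuristics and the allowlist of known system32 subfolders are assumptions that produce candidates for a human to review, not verdicts.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# O4 lines copied from the HijackThis log above (page data, not invented).
# Two benign vendor entries are included so the heuristics have something
# to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [b7cc2271.exe] C:\WINDOWS\system32\b7cc2271.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [b7cc2271.exe] C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# First Windows path in the command that ends in an executable extension.
PATH_RE = re.compile(r'(?i)((?:[A-Z]:|%[^%]+%)\\[^"]*?\.(?:exe|dll|scr|com))')
# Eight hex characters, e.g. b7cc2271 (assumed heuristic for generated names).
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")
# Subfolders of system32 that legitimately hold autostart binaries
# (an allowlist assumed here; extend it for your environment).
KNOWN_SYSTEM32_SUBDIRS = {"spool", "wbem", "drivers"}


@dataclass
class Entry:
    hive: str
    name: str
    command: str
    path: Optional[str]
    reasons: list = field(default_factory=list)


def parse_o4(log_text: str) -> list:
    """Parse the O4 (Run key) lines out of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        pm = PATH_RE.search(command)
        entries.append(Entry(hive, name, command, pm.group(1) if pm else None))
    return entries


def apply_heuristics(entries: list) -> list:
    """Attach a reason to every entry that trips one of the heuristics."""
    # Targets seen per Run name, so a name present in both hives but pointing
    # at two different files can be spotted.
    targets_by_name = {}
    for e in entries:
        targets_by_name.setdefault(e.name.lower(), set()).add(
            (e.path or e.command).lower())

    for e in entries:
        if e.path is None:
            continue  # no executable path found; nothing to judge
        p = PureWindowsPath(e.path)
        low = e.path.lower()
        if HEXNAME_RE.match(p.stem.lower()):
            e.reasons.append("machine-generated hex filename")
        if ("\\local settings\\application data\\" in low
                or "\\local settings\\temp\\" in low):
            e.reasons.append("launches from per-user data/temp directory")
        parts = [s.lower() for s in p.parts]
        if "system32" in parts:
            tail = parts[parts.index("system32") + 1:]
            if len(tail) > 1 and tail[0] not in KNOWN_SYSTEM32_SUBDIRS:
                e.reasons.append("unknown subfolder under system32")
        if len(targets_by_name[e.name.lower()]) > 1:
            e.reasons.append("same Run name in HKLM and HKCU with different targets")
    return entries


def suspicious_entries(log_text: str) -> dict:
    """Map 'HIVE:name' to its reasons; entries with no reasons are omitted."""
    return {f"{e.hive}:{e.name}": e.reasons
            for e in apply_heuristics(parse_o4(log_text)) if e.reasons}


if __name__ == "__main__":
    for key, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Run on the sample, it surfaces the two b7cc2271.exe entries and the crunner\cproc.exe entry while passing the NVIDIA, HP, AntiVir and ctfmon lines. The HP entry is only passed because `spool` is on the allowlist, which is the usual trade-off with path heuristics: tune the allowlist rather than loosening the rules.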


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:02:25 PM

Posted 24 September 2006 - 10:31 AM

Hello Assir and welcome to the BC HijackThis forum. Let's start with the following.

Download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
Now download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings.
  • In the AddOn-Options group click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here along with the report from Ewido and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Assir

Assir
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:25 PM

Posted 02 October 2006 - 06:23 PM

I couldn't get into Safe Mode in any meaningful way - it turned up a black screen with "Safe Mode" in each corner and my Windows version at the top, but no icons/taskbar/etc. The mouse was able to scroll off the bottom and right-hand side of the screen, but nothing useful happened. I ran both scans in Normal Mode.




---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:12:53 30/09/2006

+ Scan result:



C:\Documents and Settings\Mum\Local Settings\Temp\eltfuntarg.exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Mum\Local Settings\Temp\eltterp2.exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\2J1W1GXD\eltterp2[1].exe -> Backdoor.Small : Cleaned with backup (quarantined).
C:\FOUND.006\FILE0002.CHK -> Backdoor.Small : Cleaned with backup (quarantined).
C:\Program Files\BTopenworld ReInstall\btwebcontrol.dll -> Dialer.BT.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Mum\Local Settings\Application Data\b7cc2271.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Application Data\b7cc2271.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Assir\Local Settings\Temp\win15.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\b7cc2271.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avifilev.dll -> Downloader.Small.ddp : Cleaned with backup (quarantined).
C:\WINDOWS\ticads.exe -> Downloader.Small.ddp : Cleaned with backup (quarantined).
C:\WINDOWS\tse.exe -> Downloader.Small.ddp : Cleaned with backup (quarantined).
C:\WINDOWS\url.exe -> Downloader.Small.ddp : Cleaned with backup (quarantined).
C:\Program Files\Common Files\misc002\141.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Mum\Local Settings\Temp\919_132.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temp\919_132.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\Mum\Local Settings\Temp\stdrun16.exe -> Dropper.MultiJoiner.13.h : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\0BGT1MO8\srvgaq[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\BK5HBR2B\srvehh[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\BK5HBR2B\srvzov[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\SXUNWLQJ\srvjaf[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Assir\Local Settings\Temporary Internet Files\Content.IE5\N5IOJ43E\srvlyz[1].exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win111B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win111D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win11EA.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win121C.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win122E.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1231.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1306.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1376.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win138F.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1393.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win299.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win2A4.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win2BB.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win56.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win727.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win72B.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win73D.tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Documents and Settings\Mum\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Katie\Desktop\TagASaurus.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Assir\Local Settings\Temp\wschtm35.dll -> Not-A-Virus.Hoax.Win32.Renos.di : Cleaned with backup (quarantined).


::Report end







Logfile created on: 30/09/2006 22:36:30
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Assir\Desktop\WinPFind\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5346.5)


< Processes (Non-Microsoft Only) >
c:\program files\avpersonal\avgnt.exe - (H+BEDV Datentechnik GmbH )
c:\program files\avpersonal\avguard.exe - (H+BEDV Datentechnik GmbH )
c:\program files\avpersonal\avwupsrv.exe - (H+BEDV Datentechnik GmbH, Germany )
c:\windows\system32\crunner\cproc.exe - ( )
c:\program files\google\googletoolbarnotifier\1.0.720.3640\googletoolbarnotifier.exe - (Google Inc. )
c:\program files\ipod\bin\ipodservice.exe - (Apple Computer, Inc. )
c:\program files\itunes\ituneshelper.exe - (Apple Computer, Inc. )
c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\program files\sunbelt software\personal firewall 4\kpf4gui.exe - (Sunbelt Software )
c:\program files\sunbelt software\personal firewall 4\kpf4gui.exe - (Sunbelt Software )
c:\program files\sunbelt software\personal firewall 4\kpf4ss.exe - (Sunbelt Software )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\common files\real\update_ob\realsched.exe - (RealNetworks, Inc. )
c:\windows\system32\slserv.exe - ( )
c:\windows\sm1bg.exe - (Cypress Semiconductor )
c:\windows\sointgr.exe - ( )
c:\windows\vsnpstd.exe - ( )
c:\progra~1\webshots\webshots.scr - (Webshots.com )
c:\documents and settings\Assir\desktop\winpfind\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\winzip\wzqkpick.exe - (WinZip Computing, Inc. )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Internet Explorer\\Search - http://www.google.com
HKCU->Internet Explorer\\Search - http://www.google.com
HKCU->Internet Explorer\\SearchURL - http://www.google.com
HKLM->Main\\Start Page - http://go.microsoft.com/fwlink/?LinkId=566...cid={SUB_CLCID}
HKLM->Main\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
HKLM->Main\\Default_Page_URL - http://go.microsoft.com/fwlink/?LinkId=54729
HKLM->Main\\Default_Search_URL - http://go.microsoft.com/fwlink/?LinkId=54896
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://go.microsoft.com/fwlink/?LinkId=566...oo.com/p/d.html
HKCU->Main\\Search Bar - http://www.google.com/ie
HKCU->Main\\Search Page - http://www.msn.com/access/allinone.asp
HKCU->Main\\Default_Page_URL - about:blank
HKCU->Main\\Default_Search_URL - about:blank
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->Search\\CustomizeSearch - about:blank
HKCU->URLSearchHooks\\ - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )
{6782BA08-D2EC-4E41-AFFD-058B8985C2CC} - Reg Data missing or invalid = C:\WINDOWS\system32\awtss.dll ( )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - BHO = C:\Program Files\BHO Plugin\plugin1.dll ( )
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar2.dll (Google Inc. )
{B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - Reg Data missing or invalid = C:\WINDOWS\system32\mjrsfyui.dll ( )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint = C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ( )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )
WebBrowser\\{F2CF5485-4E02-4F68-819C-B92DE9277049} - &Links = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{000007C6-17DF-4438-92A4-DE5537471BA3} - 8195 - Reg Data missing or invalid
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 - Sun Java Console
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8199 - Reg Data missing or invalid
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8200 - Uninstall BitDefender Online Scanner v8
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8196 - Reg Data missing or invalid
{A1100DDB-B277-4CAA-A640-B299D79FE25E} - 8194 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 - Windows Messenger
NextId - 8201

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = Reg Data missing or invalid (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
&Search - http://bar.mywebsearch.com/menusearch.html...2986GB_ZSzeb029 (File not found))
AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm (File not found))
Download with GetRight - C:\Program Files\GetRight\GRdownload.htm (File not found))
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )
Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html ( )
Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html ( )
Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html ( )
Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html ( )
Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm (File not found))
Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm (File not found))

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{08AB18D7-ACFB-4B59-93BA-81BBEE32D401} - Xentient.Thumbs = C:\Program Files\Xentient\Thumbnails\thumbs.dll (Xentient )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{28710882-150A-48A6-A858-2FC774BA822E} - Viewpoint Photos Shell Extension = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll ( )
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\WINDOWS\Downloaded Program Files\ymmapi.dll ( )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{EFA24E61-B078-11d0-89E4-00C04FC9E26E} - Favorites Band = Reg Data missing or invalid (File not found))
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealOne Player\rpshell.dll (RealNetworks, Inc. )
{F17FC690-720A-4277-8B97-EA0B26B7D1C9} - Inedita Shell Extension = C:\Program Files\Inedita\ExContext.dll (Versoworks Pty Ltd )
{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ( )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AntiVir/Win - {a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Program Files\AVPersonal\AVShlExt.DLL (H+BEDV Datentechnik GmbH )
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - Inedita - {F17FC690-720A-4277-8B97-EA0B26B7D1C9} = C:\Program Files\Inedita\ExContext.dll (Versoworks Pty Ltd )
* - ViewpointPhotosExt - {28710882-150A-48A6-A858-2FC774BA822E} = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
* - Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll ( )
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Folder - AntiVir/Win - {a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Program Files\AVPersonal\AVShlExt.DLL (H+BEDV Datentechnik GmbH )
Folder - ViewpointPhotosExt - {28710882-150A-48A6-A858-2FC774BA822E} = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )
Folder - {FED7043D-346A-414D-ACD7-550D052499A7} - dBpShell Class = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ( )

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\system32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - notepad
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - C:\PROGRA~1\CETUSC~1\CNotePad.exe "%1"

[>> Registry Run Keys <<]
HKLM->Run\\AVGCtrl - "C:\Program Files\AVPersonal\AVGNT.EXE" /min (H+BEDV Datentechnik GmbH )
HKLM->Run\\BBDial - C:\Program Files\BT Broadband Help\BT Voyager 105 ADSL Modem\BT Broadband.exe (BT )
HKLM->Run\\DSLAGENTEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe (File not found))
HKLM->Run\\DSLSTATEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon (File not found))
HKLM->Run\\Easy-PrintToolBox - C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon (CANON INC. )
HKLM->Run\\HPDJ Taskbar Utility - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe (HP )
HKLM->Run\\iTunesHelper - "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
HKLM->Run\\loaddr - C:\DOCUME~1\Katie\LOCALS~1\Temp\aff_001.exe ( )
HKLM->Run\\NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found))
HKLM->Run\\SM1BG - C:\WINDOWS\SM1BG.EXE (Cypress Semiconductor )
HKLM->Run\\snpstd - C:\WINDOWS\vsnpstd.exe ( )
HKLM->Run\\SO5 Integrator Pass Two - C:\WINDOWS\SOINTGR.EXE ( )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\SUPASTATUS - C:\Program Files\Internet Explorer\Connection Wizard\Status.exe (File not found))
HKLM->Run\\TkBellExe - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->RunOnce\Setup\\Registrando Panda ActiveX - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll (File not found))
HKLM->RunOnce\Setup\\Registrando Panda Almacen - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll (File not found))
HKLM->RunServices\\SystemTools - C:\WINDOWS\system32\kernels8.exe (File not found))
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\b7cc2271.exe - C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe (File not found))
HKCU->Run\\cprocsvc - C:\WINDOWS\system32\crunner\cproc.exe ( )
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (File not found))
HKCU->Run\\MSMSGS - "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )
HKCU->Run\\msnmsgr - "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
HKCU->Run\\swg - C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (Google Inc. )
HKCU->Run\\updateMgr - "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1 (Adobe Systems Incorporated )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation )
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation )

[Shell Execute Hooks]
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{553858A7-4922-4e7e-B1C1-97140C1C16EF} - IE Component Categories cache daemon = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]
Session Manager\\PendingFileRenameOperations - \??\c:\windows\system32\__delete_on_reboot__b_7_c_c_2_2_7_1_._e_x_e_;

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]
Services - MultiSeti
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - Adobe Reader Speed Launch = C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE (Adobe Systems Incorporated )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk - BT Broadband Help = C:\PROGRA~1\BTBROA~1\bin\matcli.exe -boot (File not found))
StartUpFolder\C:^Documents and Settings^Assir^Start Menu^Programs^Startup^SETI@home.lnk - SETI@home = C:\PROGRA~1\SETI@H~1\SETI@H~1.EXE (File not found))
StartUpFolder\C:^Documents and Settings^Assir^Start Menu^Programs^Startup^Update WinBMD.lnk - Update WinBMD = C:\PROGRA~1\WinBMD\WiseUpdt.exe /C (File not found))
StartUpReg\BTopenworld - DialBTYahoo = "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial (British Telecommunications plc )
StartUpReg\IndexSearch - IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe ( )
StartUpReg\InstantAccess - INSTAN~1 = C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h (File not found))
StartUpReg\Motive SmartBridge - BTHelpNotifier = C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe (File not found))
StartUpReg\PaperPort PTD - pptd40nt = C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (ScanSoft, Inc. )
StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (File not found))
StartUpReg\RegisterDropHandler - REGIST~1 = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE (File not found))
StartUpReg\saap - saap = c:\program files\180searchassistant\saap.exe (File not found))
StartUpReg\seticlient - SETI@home = C:\Program Files\SETI@home\SETI@home.exe -min (File not found))
StartUpReg\SoundMan - SOUNDMAN = SOUNDMAN.EXE (Realtek Semiconductor Corp. )
StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
StartUpReg\Top - SETI@home = C:\Documents and Settings\Assir\Desktop\SETI JuiceMaker.exe C:\Program Files\SETI@home\SETI@home.exe (File not found))
StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
StartUpReg\WinMX - WinMX = C:\Program Files\WinMX\WinMX.exe -m (File not found))
StartUpReg\WMC_AutoUpdate - = (File not found))

[>> User Agent Post Platform <<]
SV1 -

[>> Winlogon <<]
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\awtss - C:\WINDOWS\system32\awtss.dll ( )
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\winrkp32 - winrkp32.dll ( )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{40B9839C-06D4-481E-AA31-4DA9BE3360CA} - (VIA Compatable Fast Ethernet Adapter)
{61661B31-A857-471B-81A1-DBD453B64FD1} - ()

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
AntiVir Service (AntiVirService) - "C:\Program Files\AVPersonal\AVGUARD.EXE" (H+BEDV Datentechnik GmbH ) [Automatic - Running - Win32, running in it's own process]
AntiVir Update (AVWUpSrv) - "C:\Program Files\AVPersonal\AVWUPSRV.EXE" (H+BEDV Datentechnik GmbH, Germany ) [Automatic - Running - Win32, running in it's own process]
iPodService (iPodService) - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc. ) [On Demand - Running - Win32, running in it's own process]
Sunbelt Kerio Personal Firewall 4 (KPF4) - "C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe" (Sunbelt Software ) [Automatic - Running - Win32, running in it's own process]
NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation ) [Automatic - Running - Win32, running in it's own process]
SmartLinkService (SLService) - slserv.exe ( ) [Automatic - Running - Win32, running in it's own process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/24/2005 07:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/04/2003 16:16 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Date = 02/11/2003 08:10 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Assir\Start Menu\Programs\Startup
C:\Documents and Settings\Assir\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/04/2003 16:16 | Attr = HS])
C:\Documents and Settings\Assir\Start Menu\Programs\Startup\Webshots.lnk - C:\Program Files\Webshots\Launcher.exe ( [Ver = | Size = 45056 bytes | Date = 09/16/2004 09:46 | Attr = ])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Wininit.ini: Line 1 - [Rename]
Wininit.ini: Line 2 - NUL=C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
Wininit.ini: Line 3 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp\uninstall.exe
Wininit.ini: Line 4 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp\uninstall.ini
Wininit.ini: Line 5 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp
WinStart.bat: Line 1 - @C:\WINDOWS\tmpcpyis.bat

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/04/2003 16:09 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1759 bytes | Date = 07/21/2006 21:19 | Attr = ])
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll - ( [Ver = 1, 0, 0, 1 | Size = 118784 bytes | Date = 09/13/2006 15:13 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Assir\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/04/2003 16:09 | Attr = HS])
C:\Documents and Settings\Assir\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 01/09/2004 22:09 | Attr = ])
C:\Documents and Settings\Assir\Application Data\user52.rdb - ( [Ver = | Size = 8192 bytes | Date = 03/10/2004 16:25 | Attr = ])
C:\Documents and Settings\Assir\Application Data\iPodAccess_Time - ( [Ver = | Size = 10 bytes | Date = 01/14/2006 10:30 | Attr = H ])
C:\Documents and Settings\Assir\Application Data\iPod Access v2 Prefs - ( [Ver = | Size = 117 bytes | Date = 01/14/2006 10:30 | Attr = ])
C:\Documents and Settings\Assir\Application Data\iScrobbler.ini - ( [Ver = | Size = 126 bytes | Date = 01/28/2006 05:58 | Attr = ])
C:\Documents and Settings\Assir\Application Data\.iScrobbler - ( [Ver = | Size = 2358 bytes | Date = 01/28/2006 05:58 | Attr = ])
C:\Documents and Settings\Assir\Application Data\BonsaiErrorLog.txt - ( [Ver = | Size = 139 bytes | Date = 04/01/2006 14:42 | Attr = ])

Program Files Folder

Common Files Folder
C:\Program Files\Common Files\SM1updtr.dll - (Cypress Semiconductor [Ver = 6.01.1000.0 | Size = 36963 bytes | Date = 08/27/2003 14:19 | Attr = R ])
C:\Program Files\Common Files\Yazzle1438OinAdmin.exe - ( [Ver = | Size = 157184 bytes | Date = 09/07/2006 19:03 | Attr = HS])
C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe - ( [Ver = | Size = 32179 bytes | Date = 09/27/2006 21:43 | Attr = HS])
C:\Program Files\Common Files\Yazzle1452OinAdmin.exe - ( [Ver = | Size = 157184 bytes | Date = 09/15/2006 20:47 | Attr = HS])
C:\Program Files\Common Files\Yazzle1452OinUninstaller.exe - ( [Ver = | Size = 32179 bytes | Date = 09/25/2006 21:38 | Attr = HS])

DPF files
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - Musicnotes Viewer - CodeBase = http://www.musicnotes.com/download/mnviewer.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...ector/swdir.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - MSSecurityAdvisor Class - CodeBase = http://download.microsoft.com/download/0/5...b?1093685803562
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
{3C403675-B43C-410B-BF56-D4D1FB68356C} - ActiveXPortal Control - CodeBase = http://72.29.80.113/OCX/gwnet.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} - - CodeBase = http://software-dl.real.com/137749cd45d773...ip/RdxIE601.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - FileSharingCtrl Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1125998113156
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} - HouseCall Control - CodeBase = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://www.pandasoftware.com/activescan/as5free/asinst.cab
{9AA73F41-EC64-489E-9A73-9CD52E528BC4} - ZoneAxRcMgr Class - CodeBase = http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
{A8658086-E6AC-4957-BC8E-8D54A7E8A790} - GDIChk Object - CodeBase = http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
{A8F2B9BD-A6A0-486A-9744-18920D898429} - ScorchPlugin Class - CodeBase = http://www.sibelius.com/download/software/...tiveXPlugin.cab
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMesse...pDownloader.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{C81B5180-AFD1-41A3-97E1-99E8D254DB98} - CSS Web Installer Class - CodeBase = http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - PopCapLoader Object - CodeBase = http://www.popcap.com/games/popcaploader_v6.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
Yahoo! Klondike Solitaire - - CodeBase = http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab

Hosts file = 196 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Start of entries inserted by Spybot - Search & Destroy -
# End of entries inserted by Spybot - Search & Destroy -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 04 00 00 40
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %APPDATA%\Webshots\The Webshots Desktop\Wallpaper.bmp
Desktop\General\\WallpaperFileTime - 00 05 76 0E 38 68 C5 01
Desktop\General\\WallpaperLocalFileTime - 00 6D 3A 70 40 68 C5 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 0
Desktop\General\\Wallpaper - %APPDATA%\Webshots\The Webshots Desktop\Wallpaper.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E2 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoBrowserOptions - 0
policies\Explorer\\NoSetHomePage - 0
policies\Explorer\\NoWindowsUpdate - 0
policies\Explorer\run -
policies\Ext -
policies\Ext\CLSID -
policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} - 1
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\NoBrowserOptions - 0
policies\Explorer\\NoSetHomePage - 0
policies\Explorer\\NoWindowsUpdate - 0
policies\Explorer\Run -
policies\System -
policies\System\\DisableRegistryTools - 0
policies\System\\ -
policies\System\\NoAdminPage - 1
policies\System\\DisableTaskMgr - 1

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:02:25 PM

Posted 03 October 2006 - 05:52 PM

Hi Assir. Wow, looks like a lot of bad things on here. Next let's go after a vundo infection.

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
OK. Start WinPFind2 and perform a new scan. Use the Add Reply button to post your new log file back here along with the log file from VundoFix (c:\vundofix.txt) and details of any problems you encountered performing the above steps and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

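The logs in this thread are reviewed by hand, line by line, for the same few signals: an autostart entry whose file is gone ("File not found"), a DLL or EXE in a system directory with no vendor information, a random-looking filename, something launching from a Temp folder, and lockdown policies such as DisableTaskMgr set to 1. The script below is an added example, not part of this thread and not one of OldTimer's tools; it applies those generic triage rules to the WinPFind2 line shapes shown above. The sample log is constructed, modeled on the format of the posted log, and every function and rule name here is my own.

```python
"""Triage of WinPFind2-style autostart log lines.

Added example, not part of this thread and not one of OldTimer's tools.
It parses the line shapes seen in the posted log ("Registry Run Keys",
"BHO's", "Winlogon Notify", "policies") and flags entries a reviewer
would look at first. The rules are generic triage heuristics, not the
forum helper's own decision procedure, and every name here is mine.
"""
import re
from dataclasses import dataclass, field

# Trailing "(Vendor )" or "(File not found))" that WinPFind2 appends to each entry.
TAIL_RE = re.compile(r'\s*\(([^()]*)\)\)?\s*$')
# A drive-rooted path ending in an executable extension (spaces allowed; quotes are stripped first).
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll|scr|bat)\b', re.I)
# Lockdown policies that malware commonly sets to 1 to hinder cleanup.
POLICY_RE = re.compile(r'\\(DisableTaskMgr|DisableRegistryTools|NoAdminPage)\s+-\s+1\s*$')
# Short all-letter stems, the hfmgevi.dll / lmtxisk.dll style seen in the posted log.
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,8}$')
HOST_PROCS = ('rundll32.exe', 'regsvr32.exe')   # loaders; the interesting file is their argument

# Constructed sample, modeled on the WinPFind2 output format in this thread.
SAMPLE_LOG = r"""
HKLM->Run\\avgnt - "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min (Avira GmbH )
HKLM->Run\\loaddr - C:\DOCUME~1\user\LOCALS~1\Temp\fred.exe ( )
HKLM->Run\\lmtxisk.dll - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lmtxisk.dll,aijtxkg (File not found))
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
{0D74C531-6825-0CA5-FFE0-00E6DD45BCC8} - Reg Data missing or invalid = C:\WINDOWS\system32\hfmgevi.dll (File not found))
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar2.dll (Google Inc. )
Notify\winrkp32 - winrkp32.dll ( )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
policies\System\\DisableTaskMgr - 1
policies\Explorer\\NoWindowsUpdate - 0
"""


@dataclass
class Finding:
    entry: str
    path: str
    vendor: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return (entry, command, vendor) for an entry line, or None for anything else."""
    m = TAIL_RE.search(line)
    if not m or ' - ' not in line[:m.start()]:
        return None
    vendor = m.group(1).strip()
    entry, _, command = line[:m.start()].partition(' - ')
    if ' = ' in command:                      # "{CLSID} - Friendly Name = path" shape
        command = command.split(' = ', 1)[1]
    return entry.strip(), command.strip(), vendor


def target_path(command):
    """The file an entry really loads: skip loader hosts, fall back to a bare filename."""
    cleaned = command.replace('"', '')
    paths = [p for p in PATH_RE.findall(cleaned) if not p.lower().endswith(HOST_PROCS)]
    if paths:
        return paths[0]
    return cleaned.split()[0] if cleaned.split() else ''


def assess(path, vendor):
    """Return the reasons this entry deserves a second look (empty list if none)."""
    low = path.lower()
    stem = re.sub(r'\.[a-z0-9]+$', '', low.rsplit('\\', 1)[-1])
    in_system_dir = '\\system32\\' in low or '\\windows\\' in low or '\\' not in low
    reasons = []
    if vendor == 'File not found':
        reasons.append('points at a file that no longer exists (orphaned entry; remove the key)')
    if '\\temp\\' in low:
        reasons.append('runs from a Temp directory')
    if not vendor and in_system_dir:
        reasons.append('no vendor/version information for a file in a system location')
    if RANDOM_NAME_RE.match(stem) and vendor in ('', 'File not found'):
        reasons.append('random-looking filename with no vendor information')
    return reasons


def triage(log_text):
    """Walk a WinPFind2-style log and collect every entry with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pm = POLICY_RE.search(line)
        if pm:
            findings.append(Finding(line, '', '', [f'lockdown policy {pm.group(1)} is set to 1']))
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        entry, command, vendor = parsed
        path = target_path(command)
        reasons = assess(path, vendor)
        if reasons:
            findings.append(Finding(entry, path, vendor, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.entry}\n    {f.path or "-"}  [{f.vendor or "no vendor"}]')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the constructed sample it reports five entries: the Temp launcher, the rundll32-hosted DLL and the BHO whose files are already gone, the vendor-less Winlogon Notify DLL, and the DisableTaskMgr policy; the signed Microsoft, Avira and Google entries pass through silently. The heuristics are deliberately loose (a short all-letter name is only flagged when there is no vendor string to vouch for it, so ctfmon.exe is not a false positive) and are a starting point for the manual review the thread describes, not a verdict.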

#5 Assir

Assir
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:25 PM

Posted 12 October 2006 - 04:55 PM

Done it! There didn't seem to be an option to run VundoFix as a task, just the "Scan" and "Remove" buttons, but it scanned and removed pretty well. Here's the WinPFind:


Logfile created on: 10/12/2006 22:50
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Assir\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5346.5)


< Processes (Non-Microsoft Only) >
c:\program files\antivir personaledition classic\avgnt.exe - (Avira GmbH )
c:\program files\antivir personaledition classic\avguard.exe - (AVIRA GmbH )
c:\program files\softwin\bitdefender8\bdmcon.exe - (SOFTWIN S.R.L. )
c:\program files\softwin\bitdefender8\bdnagent.exe - ( )
c:\program files\common files\softwin\bitdefender scan server\bdss.exe - ( )
c:\program files\bt voyager 105 adsl modem\dslagent.exe - ( )
c:\program files\bt voyager 105 adsl modem\dslstat.exe - (GlobespanVirata, Inc. )
c:\program files\mozilla firefox 2 beta 2\firefox.exe - (Mozilla Corporation )
c:\program files\google\googletoolbarnotifier\1.0.720.3640\googletoolbarnotifier.exe - (Google Inc. )
c:\program files\ewido anti-spyware 4.0\guard.exe - (Anti-Malware Development a.s. )
c:\program files\ipod\bin\ipodservice.exe - (Apple Computer, Inc. )
c:\program files\itunes\ituneshelper.exe - (Apple Computer, Inc. )
c:\program files\java\jre1.5.0_06\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\program files\sunbelt software\personal firewall 4\kpf4gui.exe - (Sunbelt Software )
c:\program files\sunbelt software\personal firewall 4\kpf4gui.exe - (Sunbelt Software )
c:\program files\sunbelt software\personal firewall 4\kpf4ss.exe - (Sunbelt Software )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\real\realone player\realplay.exe - (RealNetworks, Inc. )
c:\program files\common files\real\update_ob\realsched.exe - (RealNetworks, Inc. )
c:\program files\antivir personaledition classic\sched.exe - (Avira GmbH )
c:\windows\system32\slserv.exe - ( )
c:\windows\sm1bg.exe - (Cypress Semiconductor )
c:\windows\sointgr.exe - ( )
c:\windows\vsnpstd.exe - ( )
c:\progra~1\webshots\webshots.scr - (Webshots.com )
c:\documents and settings\Assir\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\winzip\wzqkpick.exe - (WinZip Computing, Inc. )
c:\program files\common files\softwin\bitdefender communicator\xcommsvr.exe - (Softwin )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Internet Explorer\\Search - http://www.google.com
HKCU->Internet Explorer\\Search - http://www.google.com
HKCU->Internet Explorer\\SearchURL - http://www.google.com
HKLM->Main\\Start Page - http://go.microsoft.com/fwlink/?LinkId=566...cid={SUB_CLCID}
HKLM->Main\\Search Page - http://go.microsoft.com/fwlink/?LinkId=54896
HKLM->Main\\Default_Page_URL - http://go.microsoft.com/fwlink/?LinkId=54729
HKLM->Main\\Default_Search_URL - http://go.microsoft.com/fwlink/?LinkId=54896
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://go.microsoft.com/fwlink/?LinkId=566...oo.com/p/d.html
HKCU->Main\\Search Bar - http://www.google.com/ie
HKCU->Main\\Search Page - http://www.msn.com/access/allinone.asp
HKCU->Main\\Default_Page_URL - about:blank
HKCU->Main\\Default_Search_URL - about:blank
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->Search\\CustomizeSearch - about:blank
HKCU->URLSearchHooks\\ - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{0D74C531-6825-0CA5-FFE0-00E6DD45BCC8} - Reg Data missing or invalid = C:\WINDOWS\system32\hfmgevi.dll (File not found))
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{849B9523-785F-4014-9CAF-079FB4A74C61} - Reg Data missing or invalid = C:\WINDOWS\system32\oaoequso.dll (File not found))
{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - BHO = C:\Program Files\BHO Plugin\plugin.dll ( )
{A8476C20-2363-4402-BF09-4009A685D303} - Reg Data missing or invalid = C:\WINDOWS\system32\awtss.dll (File not found))
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar2.dll (Google Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint = C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ( )
{821F87FF-8245-4972-9E28-732E92EC2F51} - &VSToolBar = C:\Program Files\VSToolbar\VSToolBar.dll ( )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[HKCU-> Internet Explorer ToolBars]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar2.dll (Google Inc. )
WebBrowser\\{821F87FF-8245-4972-9E28-732E92EC2F51} - &VSToolBar = C:\Program Files\VSToolbar\VSToolBar.dll ( )
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (Yahoo! Inc. )

[HKCU-> Internet Explorer CmdMapping]
{000007C6-17DF-4438-92A4-DE5537471BA3} - 8195 - Reg Data missing or invalid
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 - Sun Java Console
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8199 - Reg Data missing or invalid
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8200 - Uninstall BitDefender Online Scanner v8
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8196 - Reg Data missing or invalid
{A1100DDB-B277-4CAA-A640-B299D79FE25E} - 8194 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8193 - Windows Messenger
NextId - 8201

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc. )
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = Reg Data missing or invalid (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
&Search - http://bar.mywebsearch.com/menusearch.html...2986GB_ZSzeb029 (File not found))
AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm (File not found))
Download with GetRight - C:\Program Files\GetRight\GRdownload.htm (File not found))
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )
Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html ( )
Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html ( )
Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html ( )
Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html ( )
Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm (File not found))
Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm (File not found))

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{08AB18D7-ACFB-4B59-93BA-81BBEE32D401} - Xentient.Thumbs = C:\Program Files\Xentient\Thumbnails\thumbs.dll (Xentient )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{28710882-150A-48A6-A858-2FC774BA822E} - Viewpoint Photos Shell Extension = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll ( )
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\WINDOWS\Downloaded Program Files\ymmapi.dll ( )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} - BitDefender Antivirus v8 = C:\Program Files\Softwin\BitDefender8\bdshelxt.dll (SOFTWIN S.R.L. )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{EFA24E61-B078-11d0-89E4-00C04FC9E26E} - Favorites Band = Reg Data missing or invalid (File not found))
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealOne Player\rpshell.dll (RealNetworks, Inc. )
{F17FC690-720A-4277-8B97-EA0B26B7D1C9} - Inedita Shell Extension = C:\Program Files\Inedita\ExContext.dll (Versoworks Pty Ltd )
{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ( )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - BitDefender Antivirus v8 - {D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender8\bdshelxt.dll (SOFTWIN S.R.L. )
* - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
* - Inedita - {F17FC690-720A-4277-8B97-EA0B26B7D1C9} = C:\Program Files\Inedita\ExContext.dll (Versoworks Pty Ltd )
* - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
* - ViewpointPhotosExt - {28710882-150A-48A6-A858-2FC774BA822E} = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
* - Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll ( )
Directory - ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s. )
Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Folder - BitDefender Antivirus v8 - {D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files\Softwin\BitDefender8\bdshelxt.dll (SOFTWIN S.R.L. )
Folder - Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH )
Folder - ViewpointPhotosExt - {28710882-150A-48A6-A858-2FC774BA822E} = C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll (Viewpoint Corporation )
Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )
Folder - {FED7043D-346A-414D-ACD7-550D052499A7} - dBpShell Class = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ( )

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\system32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - notepad
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - C:\PROGRA~1\CETUSC~1\CNotePad.exe "%1"

[>> Registry Run Keys <<]
HKLM->Run\\avgnt - "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min (Avira GmbH )
HKLM->Run\\BBDial - C:\Program Files\BT Broadband Help\BT Voyager 105 ADSL Modem\BT Broadband.exe (BT )
HKLM->Run\\BDMCon - "C:\Program Files\Softwin\BitDefender8\bdmcon.exe" (SOFTWIN S.R.L. )
HKLM->Run\\BDNewsAgent - "C:\Program Files\Softwin\BitDefender8\bdnagent.exe" ( )
HKLM->Run\\DSLAGENTEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe ( )
HKLM->Run\\DSLSTATEXE - C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon (GlobespanVirata, Inc. )
HKLM->Run\\Easy-PrintToolBox - C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon (CANON INC. )
HKLM->Run\\HPDJ Taskbar Utility - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe (HP )
HKLM->Run\\iTunesHelper - "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
HKLM->Run\\lmtxisk.dll - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lmtxisk.dll,aijtxkg (File not found))
HKLM->Run\\loaddr - C:\DOCUME~1\Assir\LOCALS~1\Temp\fred.exe ( )
HKLM->Run\\NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found))
HKLM->Run\\SM1BG - C:\WINDOWS\SM1BG.EXE (Cypress Semiconductor )
HKLM->Run\\snpstd - C:\WINDOWS\vsnpstd.exe ( )
HKLM->Run\\SO5 Integrator Pass Two - C:\WINDOWS\SOINTGR.EXE ( )
HKLM->Run\\SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc. )
HKLM->Run\\SUPASTATUS - C:\Program Files\Internet Explorer\Connection Wizard\Status.exe (File not found))
HKLM->Run\\System - C:\WINDOWS\system32\kernels8.exe (File not found))
HKLM->Run\\TkBellExe - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->Run\\Windows Defender - "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation )
HKLM->RunOnce\Setup\\Registrando Panda ActiveX - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll (File not found))
HKLM->RunOnce\Setup\\Registrando Panda Almacen - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll (File not found))
HKLM->RunServices\\SystemTools - C:\WINDOWS\system32\kernels8.exe (File not found))
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\b7cc2271.exe - C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe (File not found))
HKCU->Run\\cprocsvc - C:\WINDOWS\system32\crunner\cproc.exe (File not found))
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MessengerPlus3 - "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart (File not found))
HKCU->Run\\MSMSGS - "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )
HKCU->Run\\msnmsgr - "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation )
HKCU->Run\\swg - C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe (Google Inc. )
HKCU->Run\\updateMgr - "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1 (Adobe Systems Incorporated )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation )
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation )

[Shell Execute Hooks]
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook = C:\PROGRA~1\WIFD1F~1\MpShHook.dll (Microsoft Corporation )
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{553858A7-4922-4e7e-B1C1-97140C1C16EF} - IE Component Categories cache daemon = C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]
Session Manager\\PendingFileRenameOperations - \??\C:\Documents and Settings\Assir\Desktop\AOLDNLD.exe;

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]
Services - MultiSeti
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - Adobe Reader Speed Launch = C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE (Adobe Systems Incorporated )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk - BT Broadband Help = C:\PROGRA~1\BTBROA~1\bin\matcli.exe -boot (File not found))
StartUpFolder\C:^Documents and Settings^Assir^Start Menu^Programs^Startup^SETI@home.lnk - SETI@home = C:\PROGRA~1\SETI@H~1\SETI@H~1.EXE (File not found))
StartUpFolder\C:^Documents and Settings^Assir^Start Menu^Programs^Startup^Update WinBMD.lnk - Update WinBMD = C:\PROGRA~1\WinBMD\WiseUpdt.exe /C (File not found))
StartUpReg\BTopenworld - DialBTYahoo = "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial (British Telecommunications plc )
StartUpReg\IndexSearch - IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe ( )
StartUpReg\InstantAccess - INSTAN~1 = C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h (File not found))
StartUpReg\Motive SmartBridge - BTHelpNotifier = C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe (File not found))
StartUpReg\PaperPort PTD - pptd40nt = C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (ScanSoft, Inc. )
StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (File not found))
StartUpReg\RegisterDropHandler - REGIST~1 = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE (File not found))
StartUpReg\saap - saap = c:\program files\180searchassistant\saap.exe (File not found))
StartUpReg\seticlient - SETI@home = C:\Program Files\SETI@home\SETI@home.exe -min (File not found))
StartUpReg\SoundMan - SOUNDMAN = SOUNDMAN.EXE (Realtek Semiconductor Corp. )
StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
StartUpReg\Top - SETI@home = C:\Documents and Settings\Assir\Desktop\SETI JuiceMaker.exe C:\Program Files\SETI@home\SETI@home.exe (File not found))
StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )
StartUpReg\WinMX - WinMX = C:\Program Files\WinMX\WinMX.exe -m (File not found))
StartUpReg\WMC_AutoUpdate - = (File not found))

[>> User Agent Post Platform <<]
SV1 -

[>> Winlogon <<]
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\winrkp32 - winrkp32.dll ( )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{40B9839C-06D4-481E-AA31-4DA9BE3360CA} - (VIA Compatable Fast Ethernet Adapter)
{61661B31-A857-471B-81A1-DBD453B64FD1} - ()

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH ) [Automatic - Running - Win32, running in it's own process]
AntiVir PersonalEdition Classic Guard (AntiVirService) - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (AVIRA GmbH ) [Automatic - Running - Win32, running in it's own process]
BitDefender Scan Server (bdss) - "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service ( ) [Automatic - Running - Win32, running in it's own process]
ewido anti-spyware 4.0 guard (ewido anti-spyware 4.0 guard) - C:\Program Files\ewido anti-spyware 4.0\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
iPodService (iPodService) - C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc. ) [On Demand - Running - Win32, running in it's own process]
Sunbelt Kerio Personal Firewall 4 (KPF4) - "C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe" (Sunbelt Software ) [Automatic - Running - Win32, running in it's own process]
NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation ) [Automatic - Running - Win32, running in it's own process]
SmartLinkService (SLService) - slserv.exe ( ) [Automatic - Running - Win32, running in it's own process]
BitDefender Communicator (XCOMM) - "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (Softwin ) [Automatic - Running - Win32, running in it's own process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/24/2005 07:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/04/2003 16:16 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Date = 02/11/2003 08:10 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Assir\Start Menu\Programs\Startup
C:\Documents and Settings\Assir\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/04/2003 16:16 | Attr = HS])
C:\Documents and Settings\Assir\Start Menu\Programs\Startup\Webshots.lnk - C:\Program Files\Webshots\Launcher.exe ( [Ver = | Size = 45056 bytes | Date = 09/16/2004 09:46 | Attr = ])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Wininit.ini: Line 1 - [Rename]
Wininit.ini: Line 2 - NUL=C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
Wininit.ini: Line 3 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp\uninstall.exe
Wininit.ini: Line 4 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp\uninstall.ini
Wininit.ini: Line 5 - NUL=C:\DOCUME~1\Katie\LOCALS~1\Temp\nstmp
WinStart.bat: Line 1 - @C:\WINDOWS\tmpcpyis.bat

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/04/2003 16:09 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1759 bytes | Date = 07/21/2006 21:19 | Attr = ])
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll - ( [Ver = 1, 0, 0, 1 | Size = 118784 bytes | Date = 09/13/2006 15:13 | Attr = ])
C:\Documents and Settings\All Users\Application Data\addr_file.html - ( [Ver = | Size = 305 bytes | Date = 10/11/2006 00:39 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Assir\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/04/2003 16:09 | Attr = HS])
C:\Documents and Settings\Assir\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 01/09/2004 22:09 | Attr = ])
C:\Documents and Settings\Assir\Application Data\user52.rdb - ( [Ver = | Size = 8192 bytes | Date = 03/10/2004 16:25 | Attr = ])
C:\Documents and Settings\Assir\Application Data\iPodAccess_Time - ( [Ver = | Size = 10 bytes | Date = 01/14/2006 10:30 | Attr = H ])
C:\Documents and Settings\Assir\Application Data\iPod Access v2 Prefs - ( [Ver = | Size = 117 bytes | Date = 01/14/2006 10:30 | Attr = ])
C:\Documents and Settings\Assir\Application Data\iScrobbler.ini - ( [Ver = | Size = 126 bytes | Date = 01/28/2006 05:58 | Attr = ])
C:\Documents and Settings\Assir\Application Data\.iScrobbler - ( [Ver = | Size = 2358 bytes | Date = 01/28/2006 05:58 | Attr = ])
C:\Documents and Settings\Assir\Application Data\BonsaiErrorLog.txt - ( [Ver = | Size = 139 bytes | Date = 04/01/2006 14:42 | Attr = ])

Program Files Folder

Common Files Folder
C:\Program Files\Common Files\SM1updtr.dll - (Cypress Semiconductor [Ver = 6.01.1000.0 | Size = 36963 bytes | Date = 08/27/2003 14:19 | Attr = R ])
C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe - ( [Ver = | Size = 32179 bytes | Date = 09/27/2006 21:43 | Attr = HS])
C:\Program Files\Common Files\Yazzle1452OinUninstaller.exe - ( [Ver = | Size = 32179 bytes | Date = 09/25/2006 21:38 | Attr = HS])

DPF files
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - Musicnotes Viewer - CodeBase = http://www.musicnotes.com/download/mnviewer.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...ector/swdir.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - MSSecurityAdvisor Class - CodeBase = http://download.microsoft.com/download/0/5...b?1093685803562
{233C1507-6A77-46A4-9443-F871F945D258} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shock...director/sw.cab
{2917297F-F02B-4B9D-81DF-494B6333150B} - Minesweeper Flags Class - CodeBase = http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
{3C403675-B43C-410B-BF56-D4D1FB68356C} - ActiveXPortal Control - CodeBase = http://72.29.80.113/OCX/gwnet.cab
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} - - CodeBase = http://software-dl.real.com/137749cd45d773...ip/RdxIE601.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
{665585FD-2068-4C5E-A6D3-53AC3270ECD4} - FileSharingCtrl Class - CodeBase = http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1125998113156
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} - HouseCall Control - CodeBase = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://www.pandasoftware.com/activescan/as5free/asinst.cab
{9AA73F41-EC64-489E-9A73-9CD52E528BC4} - ZoneAxRcMgr Class - CodeBase = http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
{A8658086-E6AC-4957-BC8E-8D54A7E8A790} - GDIChk Object - CodeBase = http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
{A8F2B9BD-A6A0-486A-9744-18920D898429} - ScorchPlugin Class - CodeBase = http://www.sibelius.com/download/software/...tiveXPlugin.cab
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMesse...pDownloader.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
{C81B5180-AFD1-41A3-97E1-99E8D254DB98} - CSS Web Installer Class - CodeBase = http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - - CodeBase =
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - PopCapLoader Object - CodeBase = http://www.popcap.com/games/popcaploader_v6.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
Yahoo! Klondike Solitaire - - CodeBase = http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab

Hosts file = 196 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Start of entries inserted by Spybot - Search & Destroy -
# End of entries inserted by Spybot - Search & Destroy -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 04 00 00 40
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %APPDATA%\Webshots\The Webshots Desktop\Wallpaper.bmp
Desktop\General\\WallpaperFileTime - 00 05 76 0E 38 68 C5 01
Desktop\General\\WallpaperLocalFileTime - 00 6D 3A 70 40 68 C5 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 0
Desktop\General\\Wallpaper - %APPDATA%\Webshots\The Webshots Desktop\Wallpaper.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E2 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Attachments -
policies\Attachments\\ScanWithAntiVirus - 2
policies\Explorer -
policies\Explorer\\NoBrowserOptions - 0
policies\Explorer\\NoSetHomePage - 0
policies\Explorer\\NoWindowsUpdate - 0
policies\Explorer\run -
policies\Ext -
policies\Ext\CLSID -
policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} - 1
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\NoBrowserOptions - 0
policies\Explorer\\NoSetHomePage - 0
policies\Explorer\\NoWindowsUpdate - 0
policies\Explorer\Run -
policies\System -
policies\System\\DisableRegistryTools - 0
policies\System\\ -
policies\System\\NoAdminPage - 1
policies\System\\DisableTaskMgr - 1

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\System32\CTFMON.EXE

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >

#6 Assir


Posted 12 October 2006 - 06:30 PM

I should probably mention that my antivirus is nagging me like mad ("Infection found! Delete/Repair/Deny Access?") and I'm not being very consistent about what I click. Also, we have Spybot and Bit Defender running occasionally, so... that may affect the WinPFind. I don't know.

#7 OldTimer

    Malware Expert



Posted 13 October 2006 - 05:28 PM

Hi Assir. Ok, let's clean up the rest of the log. Please print these directions and then proceed with the following steps in order.

Step #1
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings.
  • In the AddOn-Options group click the checkboxes for
    • HKCU_IEDesktop.def
    • Jobs.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click on the Registry tab.
  • Find the following items and click the checkbox in front of each one to select it:
    In the >> Internet Explorer Settings << section:
    HKCU->Main\\Default_Page_URL - about:blank
    HKCU->Main\\Default_Search_URL - about:blank
    HKCU->Search\\CustomizeSearch - about:blank
    HKCU->URLSearchHooks\\ - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

    In the >> BHO's << section:
    {0D74C531-6825-0CA5-FFE0-00E6DD45BCC8} - Reg Data missing or invalid = C:\WINDOWS\system32\hfmgevi.dll (File not found))
    {849B9523-785F-4014-9CAF-079FB4A74C61} - Reg Data missing or invalid = C:\WINDOWS\system32\oaoequso.dll (File not found))
    {A8476C20-2363-4402-BF09-4009A685D303} - Reg Data missing or invalid = C:\WINDOWS\system32\awtss.dll (File not found))

    In the HKCU-> Internet Explorer Bars section:
    {32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
    {EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

    In the HKLM-> Internet Explorer ToolBars section:
    {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

    In the HKLM-> Internet Explorer Extensions section:
    {92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = Reg Data missing or invalid (File not found))

    In the HKCU-> Internet Explorer Menu Extensions section:
    &Search - http://bar.mywebsearch.com/menusearch.html...2986GB_ZSzeb029 (File not found))
    AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm (File not found))
    Download with GetRight - C:\Program Files\GetRight\GRdownload.htm (File not found))
    Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm (File not found))
    Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm (File not found))

    In the >> Registry Run Keys << section:
    HKLM->Run\\lmtxisk.dll - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lmtxisk.dll,aijtxkg (File not found))
    HKLM->Run\\loaddr - C:\DOCUME~1\Assir\LOCALS~1\Temp\fred.exe ( )
    HKLM->Run\\System - C:\WINDOWS\system32\kernels8.exe (File not found))
    HKLM->RunServices\\SystemTools - C:\WINDOWS\system32\kernels8.exe (File not found))
    HKCU->Run\\b7cc2271.exe - C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe (File not found))
    HKCU->Run\\cprocsvc - C:\WINDOWS\system32\crunner\cproc.exe (File not found))

    In the >> Winlogon << section:
    Notify\winrkp32 - winrkp32.dll ( )
  • Click on the Delete Entries button on the right-hand side of the toolbar at the top.
  • Now click on the Add On's Tab.
  • Find the following items and click the checkbox in front of each one to select it:
    In the KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS section:
    policies\System\\NoAdminPage - 1
    policies\System\\DisableTaskMgr - 1
  • Click the Delete Items button on the right-hand side of the toolbar at the top.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\system32\hfmgevi.dll
C:\WINDOWS\system32\oaoequso.dll
C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\lmtxisk.dll
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\crunner\ <--folder
C:\Program Files\Dynamic Toolbar\ <--folder
C:\Program Files\GetRight\ <--folder
C:\Documents and Settings\Assir\Local Settings\Application Data\b7cc2271.exe

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
winrkp32.dll
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode reboot normally.

Step #3

Download CCleaner and install it. Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #4

Run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #5

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #6

OK. Reboot your computer normally and do the following:
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings.
  • In the AddOn-Options group click the checkbox for
    • Policies.def
    to select it.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
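As an added example (not part of the thread and not WinPFind's own code), a small Python triage script that applies the same tests OldTimer applied by eye to the report lines in the post above: an autorun whose target file no longer exists, an executable launched from a Temp directory, a DLL loaded through rundll32, a Winlogon Notify package listed without a path, and policy values that disable Task Manager or the admin page. The sample report is constructed from the entries quoted in the post; the two benign lines and the section headers are assumptions added for contrast.

```python
import re

# Constructed sample in WinPFind2 report style. The flagged lines are the
# entries quoted in the reply above; the two benign lines and the section
# headers are assumptions added for contrast. Not a real report file.
SAMPLE_REPORT = r"""
>> Registry Run Keys <<
HKLM->Run\\lmtxisk.dll - C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lmtxisk.dll,aijtxkg (File not found))
HKLM->Run\\loaddr - C:\DOCUME~1\Assir\LOCALS~1\Temp\fred.exe ( )
HKLM->Run\\System - C:\WINDOWS\system32\kernels8.exe (File not found))
HKCU->Run\\cprocsvc - C:\WINDOWS\system32\crunner\cproc.exe (File not found))
HKLM->Run\\ctfmon.exe - C:\WINDOWS\System32\CTFMON.EXE (Microsoft Corporation)
>> Winlogon <<
Notify\winrkp32 - winrkp32.dll ( )
>> Policies <<
policies\System\\DisableTaskMgr - 1
policies\System\\NoAdminPage - 1
policies\Explorer\\NoWindowsUpdate - 0
"""

# "value (tag)" with an optional stray ")" as in the post's copy of the log
TRAILING_TAG = re.compile(r"^(?P<cmd>.*?)\s*\((?P<tag>[^()]*)\)\)?$")
# policy values that take recovery tools away from the user when set to 1
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoAdminPage"}

def parse_entry(line):
    """Split a 'key - value (tag)' report line; None for headers/blank lines."""
    if " - " not in line:
        return None
    key, _, rest = line.partition(" - ")
    m = TRAILING_TAG.match(rest.strip())
    if m:
        return key.strip(), m.group("cmd").strip(), m.group("tag").strip()
    return key.strip(), rest.strip(), None

def assess(key, value, tag):
    """Return the reasons an entry deserves a second look (empty = benign)."""
    reasons = []
    name = key.rsplit("\\", 1)[-1]   # value name after the last backslash
    low = value.lower()
    if tag == "File not found":
        reasons.append("autorun target no longer exists (orphaned entry)")
    if "\\temp\\" in low:
        reasons.append("runs an executable from a Temp directory")
    if low.startswith("c:\\windows\\system32\\rundll32.exe "):
        reasons.append("loads a DLL through rundll32")
    if key.startswith("Notify\\") and "\\" not in value:
        reasons.append("Winlogon Notify DLL listed without a full path")
    if key.startswith("policies\\") and name in LOCKOUT_POLICIES and value == "1":
        reasons.append(f"{name} policy locks the user out of a recovery tool")
    return reasons

def triage(report_text):
    """Scan report text; return [(key, reasons)] for flagged entries only."""
    flagged = []
    for raw in report_text.splitlines():
        parsed = parse_entry(raw.strip())
        if parsed is None:
            continue
        key, value, tag = parsed
        reasons = assess(key, value, tag)
        if reasons:
            flagged.append((key, reasons))
    return flagged

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_REPORT):
        print(key, "->", "; ".join(reasons))
```

Point it at a saved WinPFind2 report instead of SAMPLE_REPORT to get a short list of entries worth checking before deleting anything by hand.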


#8 Assir


Posted 17 October 2006 - 07:57 AM

It's embarrassing moment time. The Holder of the Purse Strings, They who must be Obeyed, has decided that it's just not worth curing this old piece of junk and... we now have a new PC. Thanks so much for your help, OldTimer, but it looks like it sorted itself out the expensive way.

#9 OldTimer

    Malware Expert



Posted 19 October 2006 - 03:09 PM

Hi Assir. That is certainly 1 way to resolve the issue lol. Having a new computer is a good thing!

Good luck and Happy Computing!

OT