Win32.trojan.downloader


  • This topic is locked
7 replies to this topic

#1 black bear

Posted 20 September 2006 - 11:41 PM

Hi!
I'll try to describe the problem even if it seems that there is (was) a lot of junk in my computer. :thumbsup:

I think it was infected a few months ago when for the first time I got a trojan warning. I thought that the antivirus (xoftspy) deleted everything but I got the same problem a couple of times. Adware was able to detect the trojans but I don't think (now) it could delete them.

Last week it found win32.trojan.downloader and again it seems to be able to delete it. But my computer was slow and was disconnecting and reconnecting.
I decided to run all the programs you suggested and at every step something was found, especially by bitdefender that identified something like 30 viruses and thousands of infected files. I don't know why but the program kept working for more than 10 hours until the system ran out of virtual memory and I had to kill the process.

When I ran HijackThis I got this error message:

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

And this is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:23:07 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webdisk Client\wdService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groningen.bio.ucalgary.ca/vogel/?group
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://groningen.bio.ucalgary.ca/vogel/?group
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] D:\mario\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE0DC9D0-ECA5-4196-B564-4615421E920B}: NameServer = 136.159.2.1,136.159.1.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\Webdisk Client\wdService.exe

It would be great if you could help me clean my system (is it possible?)
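A HijackThis log like the one above is read by hand by the forum helpers, but the first pass is mechanical. The Python below is an added example written for this page (it is not part of the original post and not HijackThis code): it parses a constructed excerpt in the same v1.99.1 line format, modelled on entries from the log above rather than the full log, and flags the things a reviewer looks at first: entries marked (file missing), which are dead registry references; O4 Run values that name a bare executable with no path, which Windows resolves through App Paths or the search path, so it is worth confirming which point32.exe actually runs; O23 services with no vendor string; and O1 Hosts lines with no hostname, which is what sends a reviewer to the hosts file itself. The category names and regular expressions are mine, and a flag is a prompt to look, not a malware verdict.

```python
import re
from collections import Counter

# Constructed excerpt in HijackThis v1.99.1 line format, modelled on entries
# from the log in this thread (not the poster's complete log).
SAMPLE_LOG = r"""
O1 - Hosts:
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\Webdisk Client\wdService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Line shapes for the entry types checked here (HijackThis prints one entry per line).
RUN_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (.+?) \(([^()]+)\) - (.+?) - (.+)$')
HOSTS_RE = re.compile(r'^O1 - Hosts:\s*(.*)$')


def executable_of(command):
    """Program part of a Run-key command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def triage(log_text):
    """Return (category, line) pairs for entries a reviewer should look at first."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.rstrip()
        if line.endswith('(file missing)'):
            # Dead reference: the registry entry survives, the file does not.
            findings.append(('file-missing', line))
        m = HOSTS_RE.match(line)
        if m and not m.group(1):
            # O1 with no hostname: read the hosts file itself.
            findings.append(('hosts-review', line))
        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group(4))
            if '\\' not in exe and '/' not in exe:
                # No path: Windows resolves it via App Paths / the search path.
                findings.append(('bare-filename', line))
        m = SERVICE_RE.match(line)
        if m and m.group(3) == 'Unknown owner':
            # No company in the version resource: identify the binary by hand.
            findings.append(('unknown-owner', line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(category for category, _ in findings)


if __name__ == '__main__':
    for category, line in triage(SAMPLE_LOG):
        print(f'{category:<14} {line}')
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run against the full log from the post, the same four checks would single out the POINTER entry, the two (file missing) extras, the WebDrive service and the three empty O1 lines, which is the short list a helper would then verify on disk.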

#2 OldTimer

    Malware Expert

Posted 24 September 2006 - 03:01 PM

Hello black bear and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

It looks like there might be a problem with the hosts file so let's have a look at that.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Open Explorer and go to c:\windows\system32\drivers\etc. Open the hosts file in Notepad and post the contents back here. I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
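As an added illustration of the check being asked for here (example code written for this page, not OldTimer's tool and not the poster's real file), the Python below parses a hosts file the way a reviewer reads one: it discards comments, accepts several names per line and IPv6, and sorts each mapping into the few cases that matter. The stock Windows file has a single 127.0.0.1 localhost line; loopback or 0.0.0.0 mappings for other names block those names; a mapping to an address outside the LAN silently redirects a name; and any mapping at all for a Windows Update or security-vendor name is the classic hijack that stops scanners from updating. The sample file, the watch-list substrings and the .example/.test names are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file for the demonstration (not the poster's file):
# the Windows default entry plus one line of each kind a reviewer sorts by.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-lab.test     # deliberately blocked on this box
0.0.0.0         ads.example.net
10.0.0.5        printserver.corp.example # internal name, normal on a LAN
203.0.113.77    www.example.test         # off-box address: silent redirect
127.0.0.1       download.bitdefender.com # would block the online scanner used above
not-an-ip       typo.example
"""

# Addresses used to sink a name rather than redirect it.
SINKHOLE = {ipaddress.ip_address(a) for a in ('127.0.0.1', '::1', '0.0.0.0')}

# Ranges where a mapping just names a machine on the local network.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7')]

# Illustrative substrings of names that legitimate software never needs mapped
# in hosts; any entry for them is the classic "break the updater" hijack.
WATCH_LIST = ('windowsupdate', 'microsoft', 'mcafee', 'nai.com', 'bitdefender',
              'pandasoftware', 'symantec', 'kaspersky')


def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def parse_hosts(text):
    """Yield (ip, hostname, line_no); ip is None for a line that is not ip + names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield None, line, line_no         # malformed: worth a look
            continue
        for name in fields[1:]:               # several names per line are legal
            yield ip, name.lower(), line_no


def review_hosts(text):
    """Classify every mapping; returns (line_no, category, detail) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip is None:
            findings.append((line_no, 'malformed', name))
        elif name == 'localhost' and ip in SINKHOLE:
            continue                          # the stock Windows entry
        elif any(w in name for w in WATCH_LIST):
            findings.append((line_no, 'security-site-hijack', f'{name} -> {ip}'))
        elif ip in SINKHOLE:
            findings.append((line_no, 'blocked-name', f'{name} -> {ip}'))
        elif not is_lan(ip):
            findings.append((line_no, 'redirect-to-remote-ip', f'{name} -> {ip}'))
        # LAN addresses for other names are left alone
    return findings


if __name__ == '__main__':
    for line_no, category, detail in review_hosts(SAMPLE_HOSTS):
        print(f'line {line_no:>3}  {category:<22} {detail}')
```

On the machine in this thread the file to feed it is the one named above, C:\WINDOWS\system32\drivers\etc\hosts. The findings carry line numbers so that someone who does not want to post every address can quote just the flagged lines.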

#3 black bear
  • Topic Starter

Posted 26 September 2006 - 01:12 PM

Thanks for the help!!!

Oh! Are you sure that there aren't problems?! Wow!

I think the hosts are fine; I checked, and all of them are here at the university. I'm a little worried about posting all the IP addresses here...

But I have the impression that my computer is still slow and it disconnects sometimes. Is it possible that when I ran the programs you suggested something went wrong and now it isn't working properly?

Mario

#4 OldTimer

    Malware Expert

Posted 26 September 2006 - 07:30 PM

Hi black bear. Well, the HijackThis log shows nothing. We can run a different scanner that will look at some additional items but I don't think we will find anything. Let's check just to be sure.

Download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
  • Keep the standard settings.
  • In the AddOn-Options group click the checkboxes for
    • HKCU_IEDesktop.def
    • Jobs.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button to post the information back here and I will review it when it comes in.

Cheers.

OT

#5 black bear
  • Topic Starter

Posted 26 September 2006 - 08:19 PM

This is the result (again, I deleted the IP addresses...)

Logfile created on: 09/26/2006 19:12
WinPFind2 by OldTimer - Version 1.0.10 Folder = C:\Documents and Settings\Mario\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\windows\system32\ezsp_px.exe - (Easy Systems Japan Ltd. )
c:\program files\network associates\common framework\frameworkservice.exe - (Network Associates, Inc. )
c:\windows\system32\hkcmd.exe - (Intel Corporation )
c:\windows\system32\lexbces.exe - (Lexmark International, Inc. )
d:\program files\network associates\virusscan\mcshield.exe - (Network Associates, Inc. )
c:\progra~1\networ~1\common~1\naprdmgr.exe - (Network Associates, Inc. )
c:\program files\nikon\pictureproject\nkbmonitor.exe - (Nikon Corporation )
d:\program files\network associates\virusscan\shstat.exe - (Network Associates, Inc. )
c:\program files\skype\phone\skype.exe - ( )
c:\program files\spybot - search & destroy\teatimer.exe - (Safer Networking Limited )
c:\program files\network associates\common framework\updaterui.exe - (Network Associates, Inc. )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs Inc. )
d:\program files\network associates\virusscan\vstskmgr.exe - (Network Associates, Inc. )
c:\program files\webdisk client\wdservice.exe - ( )
c:\documents and settings\mario\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\zone labs\zonealarm\zlclient.exe - (Zone Labs Inc. )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://groningen.bio.ucalgary.ca/vogel/?group
HKLM->Main\\Search Page -
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://groningen.bio.ucalgary.ca/vogel/?group
HKCU->Main\\Search Page -
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0
HKCU->Internet Settings\\ProxyOverride - localhost

[>> BHO's <<]
{53707962-6F74-2D53-2644-206D7942484F} - Reg Data missing or invalid = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited )
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! )
{65D886A2-7CA7-479B-BB95-14D1EFB7946A} - YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll (Yahoo! Inc. )
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (Yahoo! Inc. )
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (Yahoo! Inc. )
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc. )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc. )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc. )
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc. )
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc. )

[HKCU-> Internet Explorer CmdMapping]
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8192 - Reg Data missing or invalid
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8195 - Reg Data missing or invalid
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8196 - Uninstall BitDefender Online Scanner v8
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 - Reg Data missing or invalid
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8197

[HKLM-> Internet Explorer Extensions]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - ButtonText: Yahoo! Services = Reg Data missing or invalid (File not found))
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = Reg Data missing or invalid (File not found))
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
&Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html (Google Inc. )
&Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html (Google Inc. )
Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html (Google Inc. )
Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html (Google Inc. )
E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )
Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html (Google Inc. )
Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html (Google Inc. )

[HKLM-> Internet Explorer Plugins]
.tif - QuickTime Plug-in 5.0.2 = C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll (Apple Computer, Inc. )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
- CorelDRAW Shell Extension Component = Reg Data missing or invalid (File not found))
{04466240-beb3-11d1-be1c-00aa006b77f4} - WebDrive Shell Extension = rfshext.dll ( )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data missing or invalid (File not found))
{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} - CopyToCD shell extension = C:\PROGRA~1\vso\COPYTO~1\COPYTO~1\CTCDSH~1.DLL (VSO Software )
{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll (Alcohol Soft Development Team )
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data missing or invalid (File not found))
{32A9D769-5B55-4a25-9A62-86B5683FE50A} - NikonView Drop Extension = C:\Program Files\Nikon\NkView6\NkvDropExt.dll (Nikon Corporation )
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found))
{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} - CorelDRAW Shell Extension Component = d:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll (Corel Corporation )
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} - {506F4668-F13E-4AA1-BB04-B43203AB3CC0} = D:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ( )
{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll (Yahoo! Inc. )
{5E44E225-A408-11CF-B581-008029601108} - Roxio DragToDisc Shell Extension = C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll (Roxio )
{63542C48-9552-494A-84F7-73AA6A7C99C1} - OpenOffice Property Sheet Handler = d:\Program Files\OpenOffice.org1.1.0\program\shlxthdl.dll (Sun Microsystems, Inc. )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data missing or invalid (File not found))
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data missing or invalid (File not found))
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data missing or invalid (File not found))
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.65 Context Menu Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.65 Property Sheet Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.65 DragDrop Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.65 Context Menu Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC} - My Media = C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll (Roxio, Inc. )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ( )
{D66DC78C-4F61-447F-942B-3FB6980118CF} - {D66DC78C-4F61-447F-942B-3FB6980118CF} = D:\Program Files\Microsoft Office\Visio11\VISSHE.DLL ( )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{E0D79307-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Eudora's Shell Extension = D:\mario\Backup padova\posta\Eudora mario@unipd\EuShlExt.dll (File not found))
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealOne Player\rpshellext.dll (RealNetworks )
{F802F260-519B-11D1-BB5D-0060974C6013} - ICQ Shell Extension = Reg Data missing or invalid (File not found))

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - CopyToCD - {2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\COPYTO~1\CTCDSH~1.DLL (VSO Software )
* - VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = D:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc. )
* - WebDrive - {04466240-beb3-11d1-be1c-00aa006b77f4} = C:\WINDOWS\SYSTEM32\rfshext.dll ( )
* - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
* - Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll (Yahoo! Inc. )
* - Zeon.DirectShellExt - {55C06484-81C6-43A7-AF96-E5E061FD8E4F} = C:\Program Files\Nitro PDF\bin\DirectShellExt.dll (Zeon Corporation )
* - ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
AllFilesystemObjects - WebDrive - {04466240-beb3-11d1-be1c-00aa006b77f4} = C:\WINDOWS\SYSTEM32\rfshext.dll ( )
Directory - CopyToCD - {2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\COPYTO~1\CTCDSH~1.DLL (VSO Software )
Directory - QuickFinderMenu - {C0E10002-0028-0003-C0E1-C0E1C0E1C0E1} = C:\Program Files\Corel\WordPerfect Office 2002\PROGRAMS\PFSE100.DLL (Novell, Inc., c/o Corel Corporation Limited )
Directory - VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = D:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc. )
Directory - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )
Directory - ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\System32\igfxpph.dll (Intel Corporation )
Folder - CopyToCD - {2AA59FC0-31E8-42DA-9D3C-E9A52953853B} = C:\PROGRA~1\vso\COPYTO~1\COPYTO~1\CTCDSH~1.DLL (VSO Software )
Folder - VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = D:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc. )
Folder - WebDrive - {04466240-beb3-11d1-be1c-00aa006b77f4} = C:\WINDOWS\SYSTEM32\rfshext.dll ( )
Folder - WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ( )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc. )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\ezShieldProtector for Px - C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd. )
HKLM->Run\\HotKeysCmds - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation )
HKLM->Run\\McAfeeUpdaterUI - "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" (Network Associates, Inc. )
HKLM->Run\\POINTER - point32.exe (File not found))
HKLM->Run\\ShStatEXE - "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE (Network Associates, Inc. )
HKLM->Run\\XoftSpy - C:\Program Files\XoftSpy\XoftSpy.exe -s (ParetoLogic Inc. )
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs Inc. )
HKLM->RunOnce\Setup\\Registering ActiveScan controles - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\ascontrol.dll (File not found))
HKLM->RunOnce\Setup\\Registrando Panda ActiveX - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll (File not found))
HKLM->RunOnce\Setup\\Registrando Panda Almacen - C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll (File not found))
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\Skype - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ( )
HKCU->Run\\SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited )
HKCU->Run\\updateMgr - D:\mario\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1 (File not found))
HKCU->Run\\Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet ( )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
coursings - = Reg Data missing or invalid (File not found))
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )
{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Eudora's Shell Extension = D:\mario\Backup padova\posta\Eudora mario@unipd\EuShlExt.dll (File not found))

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
coursings - Reg Data missing or invalid = Reg Data missing or invalid (File not found))

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - Adobe Gamma Loader = C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc. )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - Adobe Reader Speed Launch = D:\mario\Reader\READER~1.EXE (File not found))
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk - Billminder = C:\PROGRA~1\Quicken\billmind.exe -startup (Intuit )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk - Microsoft Office OneNote 2003 Quick Launch = D:\PROGRA~1\MICROS~1\OFFICE11\ONENOTEM.EXE /tsr (Microsoft Corporation )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - Microsoft Office = D:\PROGRA~1\MICROS~1\Office10\OSA.EXE -b -l (Microsoft Corporation )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk - Quicken Scheduled Updates = C:\PROGRA~1\Quicken\bagent.exe (Intuit Inc. )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk - Quicken Startup = C:\PROGRA~1\Quicken\QWDLLS.EXE (Intuit )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk - WinZip Quick Pick = D:\PROGRA~1\WinZip\WZQKPICK.EXE (WinZip Computing, Inc. )
StartUpReg\AGRSMMSG - AGRSMMSG = AGRSMMSG.exe (Agere Systems )
StartUpReg\dvd43 - dvd43_tray = C:\Program Files\dvd43\dvd43_tray.exe (Captain Red )
StartUpReg\ezShieldProtector for Px - ezSP_Px = C:\WINDOWS\System32\ezSP_Px.exe (Easy Systems Japan Ltd. )
StartUpReg\IgfxTray - igfxtray = C:\WINDOWS\System32\igfxtray.exe (Intel Corporation )
StartUpReg\LDM - LogitechDesktopMessenger = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (File not found))
StartUpReg\LogitechVideoRepair - ISStart = C:\Program Files\Logitech\Video\ISStart.exe (File not found))
StartUpReg\LogitechVideoTray - LogiTray = C:\Program Files\Logitech\Video\LogiTray.exe (File not found))
StartUpReg\mmtask - mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (File not found))
StartUpReg\QuickFinder Scheduler - QFSCHD100 = "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" (Novell, Inc., c/o Corel Corporation Limited )
StartUpReg\RoxioAudioCentral - RxMon = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" (Roxio, Inc. )
StartUpReg\RoxioDragToDisc - DrgToDsc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" (Roxio )
StartUpReg\RoxioEngineUtility - EngUtil = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" (Roxio )
StartUpReg\StorageGuard - sgtray = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r (VERITAS Software, Inc. )
StartUpReg\VAIO Recovery - PartSeal = C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe (Sony Electronics Inc )
StartUpReg\WinampAgent - winampa = C:\Program Files\Winamp\winampa.exe ( )

[>> User Agent Post Platform <<]
SV1 -

[>> Winlogon <<]
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found))
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\igfxcui - igfxsrvc.dll (Intel Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{5EEEEA16-7FD5-4BF4-B540-DA8BB321EFD5} - (1394 Net Adapter)
{B1E96335-37EB-4520-A8D6-A36EC61BF55F} - ()
{FE0DC9D0-ECA5-4196-B564-4615421E920B} - 136.159.2.1,136.159.1.21 (Realtek RTL8139/810x Family Fast Ethernet NIC)

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found))
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
LexBce Server (LexBceS) - C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc. ) [Automatic - Running - Win32, running in it's own process]
McAfee Framework Service (McAfeeFramework) - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart (Network Associates, Inc. ) [Automatic - Running - Win32, running in it's own process]
Network Associates McShield (McShield) - "D:\Program Files\Network Associates\VirusScan\Mcshield.exe" (Network Associates, Inc. ) [Automatic - Running - Win32, running in it's own process]
Network Associates Task Manager (McTaskManager) - "D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe" (Network Associates, Inc. ) [Automatic - Running - Win32, running in it's own process]
TrueVector Internet Monitor (vsmon) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (Zone Labs Inc. ) [Automatic - Running - Win32, running in it's own process]
WebDrive Service (WebDriveService) - C:\Program Files\Webdisk Client\wdService.exe ( ) [Automatic - Running - Win32, running in it's own process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 06/23/2003 16:33 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe (Nikon Corporation [Ver = 1, 6, 1, 3000 | Size = 118784 bytes | Date = 09/07/2005 18:45 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Mario\Start Menu\Programs\Startup
C:\Documents and Settings\Mario\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 06/23/2003 16:33 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 06/23/2003 16:26 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt - ( [Ver = | Size = 5 bytes | Date = 03/17/2005 21:07 | Attr = ])
C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT - ( [Ver = | Size = 20 bytes | Date = 03/15/2006 14:55 | Attr = H ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Mario\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 06/23/2003 16:26 | Attr = HS])

Program Files Folder

Common Files Folder

DPF files
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://www.pandasoftware.com/activescan/as5free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/...7795.6521180556
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
{FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - IWinAmpActiveX Class - CodeBase = http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Hosts file = 2664 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 5
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 00 01 00 00 00 00 00 00 00 04 00 00 DE 03 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 F2 01 00 00 B7 00 00 00 7C 00 00 00 70 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 50 D3 A2 FF 60 CA C6 01
Desktop\General\\WallpaperLocalFileTime - 50 63 08 B5 2E CA C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 0
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 05 00 00 DE 03 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Jobs.def<<<<

DIR - C:\WINDOWS\tasks\*.* - Parameters = Include SubFolders
C:\WINDOWS\tasks\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 08/29/2002 06:00 | Attr = RH ])
C:\WINDOWS\tasks\Registration reminder 2.job - ( [Ver = | Size = 258 bytes | Date = 06/23/2003 16:11 | Attr = ])
C:\WINDOWS\tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/25/2006 09:33 | Attr = H ])
C:\WINDOWS\tasks\XoftSpy.job - ( [Ver = | Size = 348 bytes | Date = 09/25/2006 09:30 | Attr = ])

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoWelcomeScreen - 1
policies\Explorer\Run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145
Policies\Explorer\\CDRAutoRun - 0

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145
Policies\Explorer\\CDRAutoRun - 0

< End of report >

#6 OldTimer (Malware Expert)

Posted 27 September 2006 - 03:34 PM

Hi black bear. That log is clean also.

There are a couple of leftover items from a possible past infection that is no longer present. We can remove them as a matter of housekeeping.

Start WinPFind2.
  • In the Registry Options group click the Remove All button.
  • Click the checkbox in front of Miscellaneous Auto-Run Keys.
  • Click the Registry tab.
  • Click the Scan Registry button.
  • Locate the following items and click the checkboxes in front of each one:
      Under [Shell Service Object Delay Load]
        coursings - = Reg Data missing or invalid (File not found))
      Under [Shared Task Scheduler]
        coursings - Reg Data missing or invalid = Reg Data missing or invalid (File not found))
  • Now click the Delete Entries button.

Other than that the log is clean.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 black bear (Topic Starter)

Posted 27 September 2006 - 03:45 PM

That's great!!!

Thanks for the help! I send the link to this website to many people since you do a fantastic job!


Mario

#8 OldTimer (Malware Expert)

Posted 27 September 2006 - 04:57 PM

You're very welcome black bear. I am glad that we could help.

I will now close this topic. If you have any malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

OT :thumbsup: