
Ie Auto-launches To Junk Sites


131 replies to this topic

#1 namsilat

  • Members
  • 82 posts

Posted 22 September 2006 - 09:39 PM

When I click "Windows Update" or "Microsoft Update" from Start menu, nothing happens. But if I have IE opened ahead of time, then click "Windows Update", another IE window opens to the update site, then a second IE window opens to some junk web site. If I just open any other web link, then it doesn't happen. It seems to only happen with using Windows Update.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:36 PM, on 9/22/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
d:\hardware\Logitech\MouseWare\system\em_exec.exe
D:\internet\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\software\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\internet\Java\jre1.5.0_06\bin\jusched.exe
D:\software\Symantec AntiVirus\DefWatch.exe
D:\compaq\Microsoft ActiveSync\wcescomm.exe
D:\compaq\MICROS~1\rapimgr.exe
D:\Microsoft Office\Office10\OUTLOOK.EXE
D:\software\OutTray\OutTray.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\software\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\ICQ\Icq.exe
D:\internet\Netscape\Netscp.exe
D:\internet\Agent\agent.exe
D:\software\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5Cinternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\multimedia\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\internet\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - D:\COMPAQ\RepliGo\RepliGoIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:\WINDOWS\system32\drivers\spoolsv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - d:\software\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - D:\COMPAQ\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\internet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\software\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\internet\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\compaq\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: OUTLOOK.lnk = D:\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: OutTray.lnk = D:\software\OutTray\OutTray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157685099171
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\software\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\software\Diskeeper Professional 9\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\software\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\software\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\software\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\software\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#2 namsilat
  • Topic Starter

  • Members
  • 82 posts

Posted 23 September 2006 - 02:26 PM

I forgot to mention that I already checked the system in safe mode with Spybot, AD-Aware SE, Ewido, Windows Defender and Symantec Antivirus but found nothing.

#3 Blender

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 September 2006 - 05:32 AM

Hi and welcome

That is kinda weird...
If you had Microsoft Update installed from the M$ site I should see the associated ActiveX... I don't.
I only see the Windows Update one.
No chance you got an email that looked like it was from Microsoft with a link to download a patch?

Let's check a few things...

1. Download this file:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the firewall asks for it to connect to the internet, please allow it. The tool may need to download additional files.
Do NOT run in safe mode!

Also:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable your resident antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

It might take 2 posts to get both logs in.

Thanks

#4 namsilat
  • Topic Starter

  • Members
  • 82 posts

Posted 25 September 2006 - 07:41 AM

OK, here is the ComboFix log. One interesting thing happened: when I allowed the install of the ActiveX from Kaspersky's site, the junk site was launched again. That's the first time I have ever seen the junk site launched other than for Windows Update, so the problem may indeed be related to ActiveX.


Stephen - 06-09-25 8:10:14.78 Service Pack 2
ComboFix 06.09.25 - Running from: "D:\temp"

((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


2006-09-22 13:37 21,312 --a------ C:\WINDOWS\choice.exe
2006-09-07 22:51 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-09-07 22:04 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2006-09-07 22:04 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2006-09-07 22:04 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2006-09-06 20:29 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-09-06 07:37 135,680 --a------ C:\WINDOWS\taskmgr.exe
2006-09-06 07:32 53,671 --a------ C:\WINDOWS\setup9.exe
2006-09-06 07:31 250,888 --a------ C:\WINDOWS\10329.EXE
2006-09-05 20:03 53,668 --a------ C:\WINDOWS\setup11.exe
2006-09-05 19:43 250,889 --a------ C:\WINDOWS\10353.EXE
2006-09-05 18:50 0 --a------ C:\WINDOWS\ef26ev.dll
2006-09-04 18:50 55 --a------ C:\WINDOWS\system32\setup.bat
2006-09-04 18:50 200,521 --a------ C:\WINDOWS\system32\Setup4.exe
2006-09-03 09:52 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2006-09-01 15:51 10,880 --a------ C:\WINDOWS\RWUNINST.EXE
2006-08-30 17:46 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-08-30 17:46 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 21:14 -------- d-------- C:\Documents and Settings\Stephen\Application Data\Ahead
2006-09-24 21:07 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-20 23:00 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-17 08:50 -------- d--h----- C:\Program Files\Uninstall Information
2006-09-17 07:09 -------- d-------- C:\Documents and Settings\Stephen\Application Data\KlipFolio
2006-09-14 18:13 -------- d-------- C:\Program Files\ICQ
2006-09-13 15:28 -------- d-a------ C:\Program Files\Common Files
2006-09-13 15:28 -------- d-------- C:\Program Files\Common Files\Java
2006-09-08 15:25 -------- d---s---- C:\Documents and Settings\Stephen\Application Data\Microsoft
2006-09-07 22:04 -------- d-------- C:\Program Files\Windows Media Player
2006-09-06 23:34 -------- d-------- C:\Program Files\Compaq
2006-09-06 23:29 -------- d-------- C:\Documents and Settings\Stephen\Application Data\MSN6
2006-09-06 20:38 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-06 20:34 -------- d-------- C:\Program Files\Internet Explorer
2006-09-05 23:05 -------- d-------- C:\Program Files\msn gaming zone
2006-09-05 20:49 -------- d-------- C:\Program Files\Motive
2006-09-04 23:15 -------- d-------- C:\Documents and Settings\Stephen\Application Data\Lavasoft
2006-09-03 00:16 50 --a------ C:\WINDOWS\system32\drivers\cdnprot.sys
2006-08-29 20:37 -------- d-------- C:\Documents and Settings\Stephen\Application Data\ATI
2006-08-29 20:34 -------- d-------- C:\Program Files\ATI Technologies
2006-08-23 00:31 5906432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 457728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 175616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:18 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:13 11776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:09 262656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:36 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-08-21 23:31 -------- d-------- C:\Program Files\Microsoft Money 2005
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 14:26 91648 --a------ C:\WINDOWS\system32\gunzip.exe
2006-08-08 23:23 -------- d-------- C:\Documents and Settings\Stephen\Application Data\URSoft
2006-08-07 17:54 -------- d-------- C:\Program Files\CyberLink
2006-08-02 18:12 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-08-02 18:08 258048 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-08-02 18:07 1681920 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-08-02 18:02 86016 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-08-02 18:02 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-08-02 18:02 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-08-02 18:02 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-08-02 18:02 114688 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-08-02 18:01 401408 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-08-02 18:00 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-08-02 17:55 2373088 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-08-02 17:51 2354720 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-08-02 17:49 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-08-02 17:45 5136384 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-08-02 17:41 208896 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-08-02 17:40 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-08-02 17:40 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-08-02 17:35 286720 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-08-02 17:27 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 07:34 172032 --a------ C:\WINDOWS\system32\HTTPDll.dll
2006-07-25 07:32 40960 --a------ C:\WINDOWS\system32\lrcsys.exe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNRecode.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroVision.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroShowTime.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2006-07-14 17:29 966656 --a------ C:\WINDOWS\UNNeroBackItUp.exe
2006-07-12 13:07 24576 --a------ C:\WINDOWS\uninstall.exe
2006-06-29 08:05 26112 --------- C:\WINDOWS\system32\idndl.dll
2006-06-29 08:05 23552 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-28 17:59 24576 --------- C:\WINDOWS\system32\nlsdl.dll
2006-06-22 19:19 836 --a------ C:\Documents and Settings\Stephen\Application Data\DVDSubEdit.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"D:\\compaq\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Index Washer"="C:\\Program Files\\Webroot\\Washer\\WashIdx.exe \"Stephen\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe"
"Zone Labs Client"="\"D:\\internet\\ZoneAlarm\\zlclient.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\software\\SYMANT~1\\VPTray.exe"
"SunJavaUpdateSched"="D:\\internet\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,98,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{914B076F-8FC6-4452-93C8-D810062C81F9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
"location"="Common Startup"
"item"="KODAK Picture Transfer Software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"location"="Common Startup"
"item"="KODAK Software Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacroMachine.lnk]
"location"="Common Startup"
"item"="MacroMachine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MightyFAX Controller.lnk]
"backup"="C:\\WINDOWS\\pss\\MightyFAX Controller.lnkCommon Startup"
"location"="Common Startup"
"item"="MightyFAX Controller"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NetAssistant.lnk]
"backup"="C:\\windows\\pss\\NetAssistant.lnkCommon Startup"
"location"="Common Startup"
"item"="NetAssistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trojan Guarder Gold Version.lnk]
"location"="Common Startup"
"item"="Trojan Guarder Gold Version"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"D:\\multimedia\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launchpd"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\101628.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="101628"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\110045setup.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="110045setup"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\2041.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="2041"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\cocomuisc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cocomuisc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\SearchBar06049.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SearchBar06049"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\Setup-168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Setup-168"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\tshz168.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tshz168"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\wenzi17.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wenzi17"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CdnCtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdnup"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"d:\\multimedia\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MacroMachine BootMark]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BootMark"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Location Finder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LocationFinder"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Motive SmartBridge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MotiveSB"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RepliGo Assistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RepliGoMon"
"hkey"="HKLM"
"inimapping"="0"
"command"="\"D:\\COMPAQ\\RepliGo\\RepliGoMon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMAX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smax4"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMAXPnP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SMax4PNP"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\spoolsv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsv"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Systweak Wallpaper Changer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wallpaper"
"hkey"="HKCU"
"command"="wallpaper.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="D:\\multimedia\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"wfxsvc"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060922-224034-994
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157685099171
backup-20060907-003454-729
O23 - Service: Network Provisioning Service (xmlprov) - - (no file)
backup-20060907-003454-569
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Protection Technology - (no file)
backup-20060907-003454-810
O23 - Service: System Restore Service (srservice) - Zone Labs, LLC - (no file)
backup-20060907-003454-876
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Protection Technology - (no file)
backup-20060907-003454-396
O23 - Service: Workstation (lanmanworkstation) - Logitech, Inc. - (no file)
backup-20060907-003454-616
O23 - Service: Secondary Logon (seclogon) - Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. - (no file)
backup-20060907-003454-353
O23 - Service: System Event Notification (SENS) - Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. - (no file)
backup-20060907-003454-535
O23 - Service: Error Reporting Service (ERSvc) - 3Com Corporation - (no file)
backup-20060907-003454-445
O23 - Service: Application Management (AppMgmt) - ADMtek Incorporated. - (no file)
backup-20060907-003454-402
O23 - Service: Server (lanmanserver) - Logitech, Inc. - (no file)
backup-20060907-003454-733
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Anti-Malware Development a.s. - (no file)
backup-20060907-003454-235
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20060907-003454-631
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
backup-20060907-003454-268
O23 - Service: DHCP Client (Dhcp) - Symantec Corporation - (no file)
backup-20060907-003454-255
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20060907-003454-571
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
backup-20060906-204412-978
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-204412-800
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
backup-20060906-204412-768
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-204412-395
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20060906-204412-163
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-204412-291
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20060906-202233-279
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-202233-947
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-202233-344
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-202233-242
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145237446406
backup-20060906-202233-742
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093303585453
backup-20060906-202233-878
backup-20060906-202232-327
R3 - Default URLSearchHook is missing
backup-20060906-184004-178
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-184004-274
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-184004-816
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
backup-20060906-184004-377
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
backup-20060906-184004-911
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-184004-850
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
backup-20060906-184004-870
O2 - BHO: JMX.JmxCenter - {63859236-76BF-493C-A587-DF479EBA2D4B} - C:\WINDOWS\system32\EJMX.dll
backup-20060906-145245-964
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-145245-875
O15 - Trusted Zone: http://download.windowsupdate.com
backup-20060906-145245-697
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-145245-163
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-145245-194
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - C:\WINDOWS\system32\YHBO.dll
backup-20060906-145245-603
O15 - Trusted Zone: http://*.msn.com
backup-20060906-145245-277
backup-20060906-143539-736
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-143539-491
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-143539-743
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-141805-968
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-141805-888
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-141805-251
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-141804-527
O2 - BHO: 51Á╝║Ż - {D271A289-57EB-4D0E-9131-A0CD25D4D1F8} - C:\WINDOWS\system32\browsewmzero.dll
backup-20060906-141804-248
O2 - BHO: Sun Java2 - {C61A70F3-505E-4B90-916F-627A8706B4BC} - c:\WINDOWS\system32\COMBoHEvent.dll
backup-20060906-141804-957
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20060906-081425-477
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-081425-382
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-081425-560
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-081113-518
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-081113-233
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-081113-695
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-080807-921
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-080807-441
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-080807-141
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-075245-194
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-075245-243
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-075049-943
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20060906-075049-864
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-075049-441
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060906-075049-672
O9 - Extra 'Tools' menuitem: ═█═█╚Ý╝■¤┬ďě - {f15c22ef-534e-414d-ab5d-1425cd806e42} - http://www.51viva.com/plugin/redirect.jsp?...www.mydown.com/ (file missing) (HKCU)
backup-20060906-075049-135
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20060906-075049-777
O9 - Extra button: ═█═█╚Ý╝■¤┬ďě - {f15c22ef-534e-414d-ab5d-1425cd806e42} - http://www.51viva.com/plugin/redirect.jsp?...www.mydown.com/ (file missing) (HKCU)
backup-20060906-075048-223
O9 - Extra 'Tools' menuitem: ═█═█═°ÍĚÁ╝║Ż - {f15c22ef-534e-414d-ab5d-1425cd806e41} - http://www.51viva.com/plugin/redirect.jsp?.../114.yesky.com/ (file missing) (HKCU)
backup-20060906-075048-854
O9 - Extra button: ═█═█═°ÍĚÁ╝║Ż - {f15c22ef-534e-414d-ab5d-1425cd806e41} - http://www.51viva.com/plugin/redirect.jsp?.../114.yesky.com/ (file missing) (HKCU)
backup-20060906-075048-421
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060906-075048-770
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060906-075048-908
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - d:\MICROS~1\OFFICE11\REFIEBAR.DLL
backup-20060906-075048-296
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
backup-20060906-075048-674
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
backup-20060906-075048-379
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\compaq\MICROS~1\INetRepl.dll
backup-20060906-075047-217
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\compaq\MICROS~1\INetRepl.dll
backup-20060906-075047-822
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\compaq\MICROS~1\INetRepl.dll
backup-20060906-075047-869
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20060906-075047-909
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20060906-075047-254
O4 - HKCU\..\Run: [Spyware Doctor] "d:\software\Spyware Doctor\swdoctor.exe" /Q
backup-20060906-075047-336
backup-20060905-005529-725
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060905-005529-587
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab
backup-20060905-005529-227
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
backup-20060905-005529-242
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.mydisplayimage.com/create/Flash2Image.cab
backup-20060905-005528-838
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
backup-20060905-005528-868
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
backup-20060905-005528-742
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
backup-20060905-005528-786
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
backup-20060905-005528-752
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
backup-20060905-005527-221
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
backup-20060905-005527-592
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
backup-20060905-005527-508
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
backup-20060905-005526-474
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
backup-20060905-005526-348
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
backup-20060905-005526-362
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
backup-20060905-005525-378
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
backup-20060905-005525-847
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
backup-20060905-005525-165
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
backup-20060905-005525-990
R3 - Default URLSearchHook is missing
backup-20060905-005525-769
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\DM_Install_Program.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 09/25/06 8:15:08.14
ComboFix.txt

#5 namsilat (Topic Starter)

Posted 25 September 2006 - 03:35 PM

Here is the Kaspersky scan log:

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 25, 2006 4:32:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/09/2006
Kaspersky Anti-Virus database records: 226299
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 94454
Number of viruses found: 7
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:35:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Collab\Reviews Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\description.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-10-11 17-17-50.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2004-11-10 07-48-58.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2006-09-05 00-12-42.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2006-09-05 21-51-44.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2006-09-22 23-21-35.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Quarantine\auto-quarantine- 2004-10-11 17-18-12.bckp Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Quarantine\auto-quarantine- 2004-11-10 07-50-32.bckp Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Quarantine\auto-quarantine- 2006-09-05 00-12-57.bckp Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\settings.awc Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\stats.awd Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-854245398-1303643608-725345543-500\3888fe0e-27e2-494b-b0ca-11fae9f631af Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-854245398-1303643608-725345543-500\Preferred Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\pluginreg.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\bookmarks.html Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\bookmarks.html.sbsd.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\chrome\chrome.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\chrome\userChrome-example.css Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\chrome\userContent-example.css Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\cookies.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\default-connections.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\default-invite.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\default-messages-icq.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\default-messages.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\hostperm.1 Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\localstore.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\loginNames-aim.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\loginNames-icq.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\mimeTypes.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\netscapetoolbar.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\prefs.js Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\search.rdf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\secmod.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\io6uv1yn.slt\XUL.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\registry.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\MSN6\msndata.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\MSN6\msndata001.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Symantec\Shared\MyProfile.UserProfile Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Symantec\Shared\Options.VcPref Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Symantec\Shared\Sessions\20060317035034484.liveReg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\1100110886.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20744937.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20744969.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20745337.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20746382.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20746386.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20747634.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20747978.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20748817.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20748881.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20749299.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20750001.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20750521.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20750740.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20751354.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20751367.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20752292.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20752335.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20752388.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20752756.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20753332.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20753997.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20754484.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20756862.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20758676.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20759125.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20759344.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20759960.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20760983.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20761363.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20761672.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20761988.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20762195.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20762795.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20766524.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20766686.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20767004.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20767504.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20768297.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20768583.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20768881.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20769682.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20770034.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20771026.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20771118.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20772088.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20773068.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20777031.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20777865.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059\20778378.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1100111059.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\540797.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\541192.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\545857.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\552339.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\554696.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\556276.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\556428.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\559740.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\560425.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\565874.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\566518.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269\574921.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1130720269.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1138326542\1303885.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1138326542\1306894.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1138326542\1310914.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1138326542.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\Regclean\1158174789.reg Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\SystemRestore.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Backups\00000001.rcb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Backups\00000002.rcb Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\URSoft\Your Uninstaller 2006\uruninstaller.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\URSoft\Your Uninstaller 2006\yu.log Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\CLI.exe.c88dbd71.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\Wizard.exe.280d5282.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\HelpCtr\HelpSessionHistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs\09122004.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs\09192004.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs\11102004.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\09092006.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\09172006.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\09222006.Log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BWDHP8EJ\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OUKZK4QE\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TFFD4449\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UXZTYHQC\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped
C:\Documents and Settings\Administrator\Recent\addrbar.txt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Recent\keyword.txt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Recent\search.txt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Recent\system32.lnk Object is locked skipped
C:\Documents and Settings\Administrator\s-1-5-21-854245398-1303643608-725345543-500.rrr Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\WinFax.LNK Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-05062006-081328.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\Microsoft\Outlook\Default Outlook Profile~1.srs Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\cert8.db Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\history.dat Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\key3.db Object is locked skipped
C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\parent.lock Object is locked skipped
C:\Documents and Settings\Stephen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Identities\{3DD9A1F7-7B5E-480B-9234-A2B95098C30A}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Identities\{3DD9A1F7-7B5E-480B-9234-A2B95098C30A}\Microsoft\Outlook Express\namsilat - Bulk Mail.dbx Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Identities\{3DD9A1F7-7B5E-480B-9234-A2B95098C30A}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Identities\{3DD9A1F7-7B5E-480B-9234-A2B95098C30A}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\History\History.IE5\MSHist012006092520060926\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\~DFDA8D.tmp Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\~DFDA9C.tmp Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\~DFE7F4.tmp Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\~DFE803.tmp Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\AntiPhishing\2997C193-A464-4307-88C9-F9C00083CD16.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\ntuser.dat Object is locked skipped
C:\Documents and Settings\Stephen\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Messages26051120.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Messages26051120.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Messages26051120.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\O26051120.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\O26051120.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\O26051120.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Plugin26051120.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Plugin26051120.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Plugin26051120.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Users26051120.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Users26051120.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\26051120\Users26051120.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Messages36254102.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Messages36254102.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Messages36254102.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\O36254102.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\O36254102.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\O36254102.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Plugin36254102.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Plugin36254102.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Plugin36254102.fpt Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Users36254102.cdx Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Users36254102.dbf Object is locked skipped
C:\Program Files\ICQ\2003b\36254102\Users36254102.fpt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\10329.EXE/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.NewWeb.e skipped
C:\WINDOWS\10329.EXE/WISE0007.BIN/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10329.EXE/WISE0007.BIN/stream Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10329.EXE/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10329.EXE WiseSFX: infected - 4 skipped
C:\WINDOWS\10353.EXE/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.NewWeb.e skipped
C:\WINDOWS\10353.EXE/WISE0007.BIN/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10353.EXE/WISE0007.BIN/stream Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10353.EXE/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10353.EXE WiseSFX: infected - 4 skipped
C:\WINDOWS\backup\SearchBar06049.exe/stream/data0013 Infected: not-a-virus:AdWare.Win32.Eztracks.b skipped
C:\WINDOWS\backup\SearchBar06049.exe/stream Infected: not-a-virus:AdWare.Win32.Eztracks.b skipped
C:\WINDOWS\backup\SearchBar06049.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\BLACKLIN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\setup11.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.ae skipped
C:\WINDOWS\setup11.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.ae skipped
C:\WINDOWS\setup11.exe NSIS: infected - 2 skipped
C:\WINDOWS\setup9.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.ae skipped
C:\WINDOWS\setup9.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.ae skipped
C:\WINDOWS\setup9.exe NSIS: infected - 2 skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D92D9E55-943A-4E5A-9DD7-E5C43B2C8F13}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\spoolsv.dll Infected: not-a-virus:AdWare.Win32.BHO.ag skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd0509.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Setup4.exe/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ag skipped
C:\WINDOWS\system32\Setup4.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_238.dat Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_670.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT0546a.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT05481.TMP Object is locked skipped
C:\WINDOWS\uninstall.exe Infected: Trojan.Win32.Agent.tb skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\internet\Netscape\cache\Cache\_CACHE_001_ Object is locked skipped
D:\internet\Netscape\cache\Cache\_CACHE_002_ Object is locked skipped
D:\internet\Netscape\cache\Cache\_CACHE_003_ Object is locked skipped
D:\internet\Netscape\cache\Cache\_CACHE_MAP_ Object is locked skipped
D:\software\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\software\Symantec AntiVirus\SAVRT\0320NAV~.TMP Object is locked skipped
D:\software\Symantec AntiVirus\SAVRT\0601NAV~.TMP Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
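
The Kaspersky report above is mostly "Object is locked skipped" noise (hives, logs and caches that were open at scan time) wrapped around a handful of real hits. The following is an added example, not part of the thread and not the scanner's own tooling: it parses that report format, collapses archive members (the part after the first "/") onto the file that actually sits on disk, separates Kaspersky's "not-a-virus:" adware/riskware class from outright malware, and flags a file that borrows the name of a core Windows process outside System32 or with the wrong extension, which is what system32\drivers\spoolsv.dll in the log above does. The sample lines are a subset copied from the log above; the list of core process names used for the masquerade check is my own heuristic, not something the scanner reports.

```python
r"""Triage a Kaspersky on-line scanner report such as the one above.

Added example; not code from the thread and not the scanner's own tooling.
Parses the report format, drops the "Object is locked skipped" noise,
collapses archive members (the part after the first "/") onto the file
that actually sits on disk, and sorts the hits the way a responder would
read them.  The sample lines are a subset copied from the log above; the
list of core Windows process names used for the masquerade check is my
own heuristic, not something the scanner reports.
"""
import re
from collections import defaultdict

# Subset of lines copied from the scan log posted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\WINDOWS\10329.EXE/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.NewWeb.e skipped
C:\WINDOWS\10329.EXE/WISE0007.BIN/stream/data0001 Infected: not-a-virus:AdWare.Win32.NewWeb.f skipped
C:\WINDOWS\10329.EXE WiseSFX: infected - 4 skipped
C:\WINDOWS\backup\SearchBar06049.exe/stream Infected: not-a-virus:AdWare.Win32.Eztracks.b skipped
C:\WINDOWS\backup\SearchBar06049.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\drivers\spoolsv.dll Infected: not-a-virus:AdWare.Win32.BHO.ag skipped
C:\WINDOWS\system32\Setup4.exe/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ag skipped
C:\WINDOWS\uninstall.exe Infected: Trojan.Win32.Agent.tb skipped
D:\software\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""

# One line = path, a space, then one of three outcomes.  Paths contain spaces,
# so the path group is non-greedy and the outcome is anchored to end of line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Object is locked skipped"
    r"|Infected: (?P<verdict>\S+) skipped"
    r"|(?P<packer>\w+): infected - (?P<count>\d+) skipped"
    r")$"
)

# Core Windows process names that adware likes to borrow (heuristic list, my own).
SYSTEM_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "userinit"}


def parse_report(text):
    """Return {on_disk_path: set(verdicts)}; locked files and container summaries add nothing."""
    hits = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised scanner line: {line!r}")
        if m.group("verdict") is None:
            continue
        on_disk = m.group("path").split("/", 1)[0]   # archive member -> container file
        hits[on_disk].add(m.group("verdict"))
    return dict(hits)


def is_pua(verdict):
    """Kaspersky prefixes adware/riskware with 'not-a-virus:'; anything else is malware."""
    return verdict.startswith("not-a-virus:")


def masquerades_as_system_binary(path):
    """True when a core process name appears outside System32 or with a non-.exe extension."""
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1].lower()
    stem, _, ext = name.rpartition(".")
    if stem not in SYSTEM_STEMS:
        return False
    parent = "\\".join(parts[:-1]).lower()
    return ext != "exe" or not parent.endswith("\\system32")


def triage(text):
    """Bucket detections into malware, PUA and masquerading files, sorted for reporting."""
    hits = parse_report(text)
    malware = sorted(p for p, v in hits.items() if not all(is_pua(x) for x in v))
    pua = sorted(p for p, v in hits.items() if all(is_pua(x) for x in v))
    masq = sorted(p for p in hits if masquerades_as_system_binary(p))
    return {"malware": malware, "pua": pua, "masquerade": masq}


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for p in paths:
            print("   ", p)
```

On the sample above the only outright malware is C:\WINDOWS\uninstall.exe; the rest is adware and riskware, and system32\drivers\spoolsv.dll is the one file that reuses a core process name where it does not belong. The number of "locked" lines says nothing about infection, so a parser that drops them first makes a long report like this one readable.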

#6 namsilat

namsilat
  • Topic Starter

  • Members
  • 82 posts

Posted 25 September 2006 - 07:56 PM

I deleted several of the infected files under safe mode, setup11.exe, setup9.exe, uninstall.exe, 10329.exe, and 10353.exe. I still get no response when clicking Windows Update or Microsoft Update from Start menu. However, with IE7 window open, when I click Microsoft or Windows Update, IE no longer launches into the junk web site. I am not sure if this is just a temporary phenomenon.

#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 September 2006 - 11:47 PM

Hi

It's gonna take me some time to research some of those unfamiliar files I see in your logs.

I do need to see a couple of other logs. I see what looks like remnants of other adware such as "chinese keywords" and need to confirm.
Some of this is going to be kinda difficult to remove if my suspicions are correct.
It might take a few rounds to knock it all out. We'll get it tho.

Please post:

Complete startuplist & Uninstall list:
Start Hijackthis
Click "open misc tools section"
Check both options beside "generate startuplist log" and generate the log.
Leave hijackthis open for next log.

Post results.

In open Hijackthis click the "back button" (upper one)
click "open Uninstall manager"
Click "save list...."
Save the list someplace & post results here.

Might need 2 posts if logs are long.

I will be back in a bit.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
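
The StartupList report that the HijackThis steps above produce is plain text (namsilat posts one later in this thread). As an added example, not HijackThis code and not part of the thread, the Python below parses that format and applies two checks a responder otherwise makes by eye: the Winlogon UserInit value must be exactly the stock userinit.exe entry and nothing more, since a second path appended after the comma is a well-known persistence spot, and a Run value that is a bare file name is resolved through PATH search, so which file actually starts has to be confirmed against the disk. The sample report is a subset of the one posted in this thread; the tampered UserInit variant and its hypothetical.exe path are constructed for the negative case and are not something the thread reports, and C:\WINDOWS is assumed as the system root.

```python
r"""Pull the autostart entries out of a HijackThis StartupList report.

Added example, not HijackThis code and not part of the thread.  Parses the
plain-text report the StartupList steps produce, collects every "Autorun
entries from Registry" section, and applies two checks:
  * Winlogon UserInit must be exactly <windir>\system32\userinit.exe, and
    nothing else; an extra comma-separated entry is a classic persistence spot.
  * A Run value that is a bare file name (no directory) is resolved by PATH
    search, so the file actually launched has to be confirmed by hand.
The sample report is a subset of the one posted in this thread.  The
"tampered" variant and its hypothetical.exe path are constructed for the
negative case.  C:\WINDOWS is assumed as the system root.
"""

# Subset of the StartupList report posted in this thread.
SAMPLE_REPORT = r"""
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Logitech Utility = Logi_MwX.Exe
Zone Labs Client = "D:\internet\ZoneAlarm\zlclient.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = D:\software\SYMANT~1\VPTray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent = "D:\compaq\Microsoft ActiveSync\wcescomm.exe"
"""

# Constructed negative case: a second entry appended to UserInit (hypothetical path).
TAMPERED_REPORT = SAMPLE_REPORT.replace(
    r"UserInit = C:\WINDOWS\system32\userinit.exe,",
    r"UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\hypothetical.exe,",
)

WINDIR = r"C:\WINDOWS"   # assumed; matches the paths in the posted report


def split_sections(text):
    """StartupList separates sections with a line of dashes; blank lines are dropped."""
    sections, current = [], []
    for line in text.splitlines():
        if line.startswith("-----"):
            sections.append(current)
            current = []
        else:
            current.append(line.rstrip())
    sections.append(current)
    return [[l for l in sec if l.strip()] for sec in sections]


def parse_autoruns(text):
    """Return {registry key: {value name: command}}; an empty dict for keys with no values."""
    runs = {}
    for sec in split_sections(text):
        if len(sec) < 2 or sec[0] != "Autorun entries from Registry:":
            continue
        entries = {}
        for line in sec[2:]:
            if line.startswith("*"):          # *No values found* and similar markers
                continue
            name, sep, value = line.partition(" = ")
            if sep:
                entries[name] = value
        runs[sec[1]] = entries
    return runs


def parse_userinit(text):
    """Return {winlogon key: UserInit value} from the 'Checking Windows NT UserInit' section."""
    found, key = {}, None
    for sec in split_sections(text):
        if not sec or sec[0] != "Checking Windows NT UserInit:":
            continue
        for line in sec[1:]:
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            elif line.startswith("UserInit = ") and key:
                found[key] = line[len("UserInit = "):]
    return found


def command_path(command):
    """Strip surrounding quotes and trailing arguments from a Run value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def userinit_findings(text, windir=WINDIR):
    """Keys whose UserInit is anything but the single stock userinit.exe entry."""
    stock = (windir + r"\system32\userinit.exe").lower()
    bad = []
    for key, value in parse_userinit(text).items():
        items = [p.strip().lower() for p in value.split(",") if p.strip()]
        if items != [stock]:
            bad.append((key, value))
    return bad


def autorun_findings(text):
    """Run values launched by bare name: which file runs depends on PATH, so confirm it."""
    flagged = []
    for key, entries in parse_autoruns(text).items():
        for name, command in entries.items():
            exe = command_path(command)
            if "\\" not in exe and "/" not in exe:
                flagged.append((key, name, exe))
    return flagged


if __name__ == "__main__":
    for key, value in userinit_findings(TAMPERED_REPORT):
        print("UserInit tampered:", key, "=", value)
    for key, name, exe in autorun_findings(SAMPLE_REPORT):
        print("PATH-resolved autorun:", key, name, "->", exe)
```

Against the posted report the UserInit check is clean and only the Logitech entry is flagged, because it is launched by name alone; that is what a legitimate Logitech install looks like, but it is exactly the kind of entry to resolve against the file system before trusting the log.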

#8 namsilat

namsilat
  • Topic Starter

  • Members
  • 82 posts

Posted 26 September 2006 - 06:51 AM

StartupList report, 9/26/06, 8:02:14 AM
StartupList version: 1.52.2
Started from : D:\software\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Unable to get Internet Explorer version!
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\software\Symantec AntiVirus\DefWatch.exe
d:\hardware\Logitech\MouseWare\system\em_exec.exe
D:\software\Diskeeper Professional 9\DkService.exe
d:\software\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\software\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\internet\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\software\SYMANT~1\VPTray.exe
D:\internet\Java\jre1.5.0_06\bin\jusched.exe
D:\compaq\Microsoft ActiveSync\wcescomm.exe
D:\Microsoft Office\Office10\OUTLOOK.EXE
D:\software\OutTray\OutTray.exe
D:\compaq\MICROS~1\rapimgr.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Microsoft Office\Office10\WINWORD.EXE
D:\INTERNET\NETSCAPE\NETSCP.EXE
D:\software\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Stephen\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
OUTLOOK.lnk = D:\Microsoft Office\Office10\OUTLOOK.EXE
OutTray.lnk = D:\software\OutTray\OutTray.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Logitech Utility = Logi_MwX.Exe
Zone Labs Client = "D:\internet\ZoneAlarm\zlclient.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = D:\software\SYMANT~1\VPTray.exe
SunJavaUpdateSched = D:\internet\Java\jre1.5.0_06\bin\jusched.exe
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
H/PC Connection Agent = "D:\compaq\Microsoft ActiveSync\wcescomm.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\plusnatr.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - D:\multimedia\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\internet\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - D:\COMPAQ\RepliGo\RepliGoIEHelper.dll - {91DE4477-9CDC-4806-9BCB-28A963988E94}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\WINDOWS\system32\drivers\spoolsv.dll - {9C363D55-07D7-433d-A13E-D9C105202F6F}
(no name) - D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - d:\software\Advanced System Optimizer\IEHelper.dll - {CF7C3CF0-4B15-11D1-ABED-709549C10000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
DM_Install_Program.job
MP Scheduled Scan.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1159106414593

[Java Plug-in]
InProcServer32 = D:\internet\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

[Java Plug-in]
InProcServer32 = D:\internet\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in]
InProcServer32 = D:\internet\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = D:\internet\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

61883 Unit Device: system32\DRIVERS\61883.sys (manual start)
IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter: System32\DRIVERS\AN983.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
atksgt: system32\DRIVERS\atksgt.sys (autostart)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVC Device: system32\DRIVERS\avc.sys (manual start)
Background Intelligent Transfer Service: %systemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ICatch VI PC CAMERA: System32\Drivers\SPCA561.SYS (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d346bus: System32\DRIVERS\d346bus.sys (system)
d346prt: System32\Drivers\d346prt.sys (system)
dbustrcm: \??\C:\DOCUME~1\Stephen\LOCALS~1\Temp\dbustrcm.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Symantec AntiVirus Definition Watcher: "D:\software\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: "D:\software\Diskeeper Professional 9\DkService.exe" (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
3Com 3C2000x EtherLink XL Adapter: System32\DRIVERS\EL2K_XP.sys (manual start)
EraserUtilDrv10622: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10622.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\d:\software\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: d:\software\ewido anti-spyware 4.0\guard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042pr2.Sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.Sys (manual start)
lirsgt: system32\DRIVERS\lirsgt.sys (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.Sys (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
MidiSyn: system32\drivers\MidiSyn.sys (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060924.005\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060924.005\navex15.sys (manual start)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
NBService: D:\hardware\Nero 7\Nero BackItUp\NBService.exe (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Peer Networking Group Authentication: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking Identity Manager: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Peer Networking: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Peer Name Resolution Protocol: %SystemRoot%\System32\svchost.exe -k p2psvc (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Logitech QuickCam Pro USB(PID_D001): system32\DRIVERS\p35u.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRoam: "D:\software\Symantec AntiVirus\SavRoam.exe" (manual start)
SAVRT: \??\D:\software\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\D:\software\Symantec AntiVirus\Savrtpel.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Stealth: System32\DRIVERS\stealth.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Symantec AntiVirus: "D:\software\Symantec AntiVirus\Rtvscan.exe" (autostart)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
tcaicchg: \??\C:\WINDOWS\System32\tcaicchg.sys (autostart)
TCAITDI Protocol: System32\DRIVERS\TCAITDI.sys (autostart)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip6.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
TuneUp WinStyler Theme Service: "D:\software\TuneUp Utilities 2006\WinStylerThemeSvc.exe" (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
SecuROM User Access Service (V7): C:\WINDOWS\system32\UAService7.exe (autostart)
Vax347b: system32\DRIVERS\Vax347b.sys (system)
Vax347s: System32\Drivers\Vax347s.sys (system)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
viaraid: System32\DRIVERS\viaraid.sys (system)
VMware Virtual Ethernet Adapter Driver: system32\DRIVERS\vmnetadapter.sys (manual start)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Windows CE USB Serial Host Driver: system32\DRIVERS\wceusbsh.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WinFax PRO: C:\WINDOWS\system32\WFXSVC.EXE (disabled)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: C:\Program Files\Windows Media Player\WMPNetwk.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Washer AutoComplete: C:\WINDOWS\system32\wwSecure.exe (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
xmasbus: System32\DRIVERS\xmasbus.sys (system)
xmasscsi: System32\Drivers\xmasscsi.sys (system)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Stephen\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\Stephen\LOCALS~1\Temp\A~NSISu_.exe||C:\DOCUME~1\Stephen\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\Stephen\LOCALS~1\Temp\_iu14D2N.tmp||C:\DOCUME~1\Stephen\LOCALS~1\Temp\A~NSISu_.exe|||S

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 39,785 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by namsilat, 26 September 2006 - 07:04 AM.


#9 namsilat
  • Topic Starter
  • Members
  • 82 posts

Posted 26 September 2006 - 07:09 AM

123 CD Extractor
3Com NIC Diagnostics
AC-3 ACM Decompressor
AC3Filter (remove only)
Ac3Tool (remove only)
ACDSee 5.0 PowerPack
ACDSee Mobile for Windows® CE
Ad-Aware SE Personal
Adobe Acrobat 7.0.8 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Advanced System Optimizer 2.01.2
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avi2Dvd 0.2.9 beta
AVIcodec (remove only)
AviSynth 2.5
BioWare Premium Module: Neverwinter Nights - Kingmaker
BioWare Premium Module: Neverwinter Nights - ShadowGuard
BioWare Premium Module: Neverwinter Nights - Witch's Wake
CCleaner (remove only)
CDisplay 1.8
Concord WinFax Plugin v3.0
DAO
Direct Show Ogg Vorbis Filter (remove only)
DirectShow subtitle filter colleciton (remove only)
Diskeeper Professional Edition
DivxToDVD 0.5.2
Download Accelerator Plus (DAP)
DVD Shrink 3.2
e-Speaking
ewido anti-spyware 4.0
FolderMatch v3.3.8
Forté Agent
GSpot Codec Information Appliance
Handango Medical Student Suite - Documentation
HanDBase® for Pocket PC Enterprise v3.0
Handmark® Tetris Classic™ Game Pak for Pocket PC
Handmark® YAHTZEE® for Pocket PC
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hoyle Board Games 2005
Hoyle Card Games 2005
Hoyle Casino 2006 (remove only)
Hoyle Puzzle Games 2005
HT MPEG Encoder 7.0 ProAuthor
ICQ
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_12
Jitbit Macro Recorder
Kaspersky Online Scanner
KlipFolio (remove only)
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech MouseWare 9.79
Logitech QuickCam
Macromedia Flash Player
Macromedia Flash Player 8
MasterSplitter Program
Matroska Pack (remove only)
Medved QuoteTracker
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft ASP.NET Web Matrix
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Publisher 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Speech SDK 5.1
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
MKVtoolnix 1.6.5
Morgan Stream Switcher
MPEG-4 Video Codec
Nero 7 Premium
Netscape (7.2)
Neverwinter Nights
NewsBin Pro V5
OutTray
PowerDVD
PrimoPDF
QuickPar 0.9
ratDVD 0.78.1444
Reader Drivers and Utilities
Registry Mechanic 5.1
Registry Repair 2006
RepliGo Desktop (remove only)
RepliGo Viewer (remove only)
Resco Picture Viewer
Scratchfix
SDP Downloader
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
Skype 1.4
SoundMAX
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
Symantec AntiVirus
SyncExpress (Remove only)
Tiger Woods PGA TOUR 06
TMPGEnc DVD Author 1.6
TMPGEnc Plus 2.5
TOD
Tranquil - Waterfalls Screen Saver
TreeSize 1.7
TuneUp Utilities 2006
Tweakui Powertoy for Windows XP
Ultima Online: Samurai Empire
UOAssist
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB Driver for Panasonic DVC
VIA VT6410 RAID Driver(Remove)
VideoReDo/Plus Version 2-2-1-445
VobSub v2.23 (Remove Only)
Winamp (remove only)
Window Washer
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordBook for PocketPC
XviD MPEG-4 Video Codec
Your Uninstaller! 2006 Version 5
ZoneAlarm

#10 Blender
    I will eat your Malware
  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 27 September 2006 - 05:08 AM

Hi

Thanks for the logs.

If this is not the paid-for version of Tranquil - Waterfalls Screen Saver, please go to Add/Remove Programs and uninstall:

Tranquil - Waterfalls Screen Saver

You will likely need to reboot when done.

-------------

Please either print out or save these instructions to a Notepad file.
You will need your browsers closed for the fix.

Download Killbox from here and save it to your desktop. Don't run it yet.

http://killbox.net/downloads/KillBox.exe

Download ATF Cleaner by Atribune and save it to your Desktop. Don't run it yet.

http://www.atribune.org/ccount/click.php?id=1

-----------

Copy the following text inside the code box to a new Notepad file. Make sure word wrap is off.
Save it with the file name Fix.reg and "Save as type" set to All Files.
Save it to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{914B076F-8FC6-4452-93C8-D810062C81F9}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\101628.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\110045setup.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\SearchBar06049.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\Setup-168.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\cocomuisc.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\tshz168.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\wenzi17.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CdnCtr]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\spoolsv]

Once saved; close all open browser windows and proceed.
Please also save any work you have open because you will be rebooting shortly.

1.) Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.



2.) Double click Fix.reg and allow the merge.
You should get a success message.

3.) Double click killbox.exe

Checkmark "delete files at reboot" and click the "all files" button.
It should be flashing green.

Copy the list below to your clipboard by highlighting it and pressing "ctrl+c" on the keyboard.

C:\WINDOWS\system32\Setup4.exe
C:\WINDOWS\uninstall.exe
C:\WINDOWS\system32\drivers\spoolsv.dll
C:\WINDOWS\setup9.exe
C:\WINDOWS\setup11.exe
C:\WINDOWS\backup\SearchBar06049.exe
C:\WINDOWS\10353.EXE
C:\WINDOWS\10329.EXE
C:\WINDOWS\system32\lrcsys.exe
C:\WINDOWS\taskmgr.exe
C:\WINDOWS\ef26ev.dll
C:\WINDOWS\system32\xactengine2_3.dll
C:\WINDOWS\system32\xinput1_2.dll
C:\WINDOWS\system32\Setup4.exe
C:\WINDOWS\system32\drivers\cdnprot.sys


Click the "file" menu and choose "paste from clipboard".

Press the Red circle with White X.
Answer YES when prompted to reboot.

Let the machine reboot.

4.) Once restarted...

Open hijackthis
Run system scan and check:

O2 - BHO: Spoolsv Class - {9C363D55-07D7-433d-A13E-D9C105202F6F} - C:\WINDOWS\system32\drivers\spoolsv.dll

Close all open windows and click "fix checked".
Exit Hijackthis

5.) Some files I need you to get scanned:

C:\WINDOWS\System32\SVKP.sys
C:\WINDOWS\system32\HTTPDll.dll
C:\WINDOWS\RWUNINST.EXE
C:\WINDOWS\system32\setup.bat

Please have them scanned at either of these sites:

http://virusscan.jotti.org/

http://www.virustotal.com/

Let me know results. You can copy/paste scan results here.

6.) Please post:

New hijackthis log
Contents of c:\!Killbox\logs\kb.log

Careful in that !Killbox folder please; there are live files in there. They are nasties.

Let me know how the machine is running.

Thanks :thumbsup:

Edited by Blender, 27 September 2006 - 05:10 AM.

I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.
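Before merging a .reg fix like the one in this post it is worth knowing exactly what it will do: `[-KEY]` deletes a whole key, `"name"=-` deletes one value, and a plain `[KEY]` opens (or creates) the key for the value lines that follow it. Here the first block removes one CLSID from ShellExecuteHooks, the list of COM objects that ShellExecuteEx loads into whatever process calls it (Explorer and the Start menu shortcuts included), and the `[-...]` blocks remove msconfig's Startupreg records of the disabled startup items. The parser below is an added example, not code from this thread or from any of the tools named in it; it reads the REGEDIT4 / "Windows Registry Editor Version 5.00" text format into a list of operations for review and never touches the registry. `FIX_REG` is the fix file from the post with the blank lines between keys dropped; the `RegOp`, `parse_reg` and `summarize` names are this example's own.

```python
"""Pre-merge review of a Windows .reg file: list what regedit would do.
[KEY] opens a key, [-KEY] deletes it, "name"=- deletes one value, @ is the
default value; string, dword and hex values are decoded.  Nothing is written.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any

# Copied from the Fix.reg posted above (blank lines between keys dropped).
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{914B076F-8FC6-4452-93C8-D810062C81F9}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\101628.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\110045setup.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\SearchBar06049.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\Setup-168.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\cocomuisc.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\tshz168.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\C:\WINDOWS\wenzi17.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CdnCtr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\spoolsv]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line is  "name"=...  or  @=...  ; names may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str      # "delete_key" | "delete_value" | "set_value"
    key: str
    name: str = ""   # "" is the key's default value (@)
    value: Any = None


def _logical_lines(text: str):
    """Yield stripped lines, joining hex values continued with a trailing backslash."""
    pending = ""
    for line in text.splitlines():
        pending += line.strip()
        if pending.endswith("\\") and "=hex" in pending.lower():
            pending = pending[:-1]
            continue
        yield pending
        pending = ""
    if pending:
        yield pending


def _decode_value(raw: str) -> tuple[str, Any]:
    raw = raw.strip()
    if raw == "-":
        return "delete_value", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "set_value", re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return "set_value", int(raw[6:], 16)
    if raw.lower().startswith("hex"):                              # hex: and hex(N): forms
        return "set_value", bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> list[RegOp]:
    lines = _logical_lines(text.lstrip("\ufeff"))
    header = next(lines, "")
    if header not in HEADERS:
        raise ValueError(f"not a .reg file (header {header!r})")
    ops: list[RegOp] = []
    key = None
    for line in lines:
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            if line.startswith("[-"):
                ops.append(RegOp("delete_key", line[2:-1]))
                key = None                            # no values belong to a deleted key
            else:
                key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected line: {line!r}")
        name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        action, value = _decode_value(m.group(2))
        ops.append(RegOp(action, key, name, value))
    return ops


def summarize(ops: list[RegOp]) -> dict[str, int]:
    """Count of each action: the first thing to eyeball before merging."""
    counts = {"delete_key": 0, "delete_value": 0, "set_value": 0}
    for op in ops:
        counts[op.action] += 1
    return counts


if __name__ == "__main__":
    for op in parse_reg(FIX_REG):
        print(f"{op.action.upper():13} {op.key}" + (f" :: {op.name or '(Default)'}" if op.action != "delete_key" else ""))
    print(summarize(parse_reg(FIX_REG)))
```

Run against the posted file it reports one value deletion and eleven key deletions and nothing that sets a value, which is the shape a cleanup file should have; a "fix" that quietly adds Run values or changes an `Image File Execution Options` key would show up as `set_value` entries and deserves a second look.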

#11 namsilat
  • Topic Starter
  • Members
  • 82 posts

Posted 27 September 2006 - 07:25 AM

OK, a problem occurred when running Killbox. An error message came up:

"PendingFileRenameOperations Registry data has been removed by external process!"

Is that because I already deleted some of the files manually in safe mode as I indicated in earlier posts? Should I delete those files manually then?

#12 Blender
    I will eat your Malware
  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 27 September 2006 - 08:38 AM

Hi

If you reboot the computer they should still get deleted.
I suspect there will be a few that won't delete through explorer that easy.

That error message usually means something tried to stop the "Pending operations" (delete at reboot).

Most should be gone after manual reboot.
Go ahead and try deleting any that are left over.

Make note of any files that will not delete and let me know please.

Thanks :thumbsup:

#13 namsilat
  • Topic Starter
  • Members
  • 82 posts

Posted 27 September 2006 - 03:34 PM

All those files are now absent in the machine. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:31:32 PM, on 9/27/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\software\Symantec AntiVirus\DefWatch.exe
d:\hardware\Logitech\MouseWare\system\em_exec.exe
D:\software\Diskeeper Professional 9\DkService.exe
d:\software\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\software\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\internet\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\software\SYMANT~1\VPTray.exe
D:\internet\Java\jre1.5.0_06\bin\jusched.exe
D:\compaq\Microsoft ActiveSync\wcescomm.exe
D:\Microsoft Office\Office10\OUTLOOK.EXE
D:\software\OutTray\OutTray.exe
D:\compaq\MICROS~1\rapimgr.exe
D:\internet\Netscape\Netscp.exe
D:\software\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5Cinternet%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\co79qxzd.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\multimedia\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\internet\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - D:\COMPAQ\RepliGo\RepliGoIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - d:\software\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\internet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\software\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\internet\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\compaq\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: OUTLOOK.lnk = D:\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: OutTray.lnk = D:\software\OutTray\OutTray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159106414593
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\software\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\software\Diskeeper Professional 9\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\software\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\hardware\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\software\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\software\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\software\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#14 namsilat
  • Topic Starter
  • Members
  • 82 posts

Posted 27 September 2006 - 03:46 PM

Of the four files you wanted scanned at one of the online sites, SVKP.SYS cannot be found in my machine, and the other 3 scanned ok. Here is the Killbox log:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Stephen(Administrator)
was started @ Wednesday, September 27, 2006, 8:13 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\Setup4.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\spoolsv.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\lrcsys.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\taskmgr.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\ef26ev.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\xactengine2_3.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\xinput1_2.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\cdnprot.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:14:49 AM
# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\Setup4.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\spoolsv.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\system32\lrcsys.exe


# 12 [Delete on Reboot]
Path = C:\WINDOWS\taskmgr.exe


# 13 [Delete on Reboot]
Path = C:\WINDOWS\ef26ev.dll


# 14 [Delete on Reboot]
Path = C:\WINDOWS\system32\xactengine2_3.dll


# 15 [Delete on Reboot]
Path = C:\WINDOWS\system32\xinput1_2.dll


# 16 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\cdnprot.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:16:48 AM
# 17 [Delete on Reboot]
Path = C:\WINDOWS\system32\Setup4.exe


# 18 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\spoolsv.dll


# 19 [Delete on Reboot]
Path = C:\WINDOWS\system32\lrcsys.exe


# 20 [Delete on Reboot]
Path = C:\WINDOWS\taskmgr.exe


# 21 [Delete on Reboot]
Path = C:\WINDOWS\ef26ev.dll


# 22 [Delete on Reboot]
Path = C:\WINDOWS\system32\xactengine2_3.dll


# 23 [Delete on Reboot]
Path = C:\WINDOWS\system32\xinput1_2.dll


# 24 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\cdnprot.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:20:38 AM
# 25 [Delete on Reboot]
Path = C:\WINDOWS\system32\Setup4.exe


# 26 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\spoolsv.dll


# 27 [Delete on Reboot]
Path = C:\WINDOWS\system32\lrcsys.exe


# 28 [Delete on Reboot]
Path = C:\WINDOWS\taskmgr.exe


# 29 [Delete on Reboot]
Path = C:\WINDOWS\ef26ev.dll


# 30 [Delete on Reboot]
Path = C:\WINDOWS\system32\xactengine2_3.dll


# 31 [Delete on Reboot]
Path = C:\WINDOWS\system32\xinput1_2.dll


# 32 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\cdnprot.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:23:27 AM
Killbox Closed(Exit) @ 8:24:34 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Stephen(Administrator)
was started @ Wednesday, September 27, 2006, 8:25 AM

Killbox Closed(Exit) @ 8:26:29 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Stephen(Administrator)
was started @ Wednesday, September 27, 2006, 8:26 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\Setup4.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\spoolsv.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\lrcsys.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\taskmgr.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\ef26ev.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\xactengine2_3.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\xinput1_2.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\drivers\cdnprot.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:27:34 AM
Killbox Closed(Exit) @ 8:27:34 AM
__________________________________________________
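The error quoted in post #11, Blender's explanation of it in post #12, and the four "Removed by External Process" lines in the Killbox log above all concern one registry value. Killbox's "delete files at reboot" is `MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)`, which appends a source/destination string pair to the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`; smss.exe works through that list at the next boot, so anything that rewrites or clears the value first cancels the queued deletions, which is exactly the condition Killbox is warning about. The following is an added example, not code from the thread or from Killbox: it decodes and encodes that value and cross-checks a delete list against it, so you can confirm before rebooting that what you queued is still queued. `KILLBOX_LIST` is a constructed sample built from the eight paths in the log above, and the `PendingOp`, `parse_pending`, `schedule_delete` and `missing_deletions` names are this example's own; it works purely on bytes and never reads or writes the live registry.

```python
"""Decode, encode and cross-check PendingFileRenameOperations.

Layout of the REG_MULTI_SZ value: pairs of strings, the source in NT form
(\??\C:\...) followed by the destination, which is empty for a delete and
carries a leading "!" when MOVEFILE_REPLACE_EXISTING was requested.
Pure Python over bytes; nothing here touches the live registry.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

NT_PREFIX = "\\??\\"

# Constructed sample: the eight paths Killbox queued in the log above.
KILLBOX_LIST = [
    r"C:\WINDOWS\system32\Setup4.exe",
    r"C:\WINDOWS\system32\drivers\spoolsv.dll",
    r"C:\WINDOWS\system32\lrcsys.exe",
    r"C:\WINDOWS\taskmgr.exe",
    r"C:\WINDOWS\ef26ev.dll",
    r"C:\WINDOWS\system32\xactengine2_3.dll",
    r"C:\WINDOWS\system32\xinput1_2.dll",
    r"C:\WINDOWS\system32\drivers\cdnprot.sys",
]


@dataclass(frozen=True)
class PendingOp:
    source: str                 # Win32 path, NT prefix removed
    destination: Optional[str]  # None means "delete at boot"
    replace_existing: bool


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _to_win32(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_multi_sz(raw: bytes) -> list[str]:
    """REG_MULTI_SZ bytes -> strings, keeping empty ones (they encode deletes)."""
    if not raw:
        return []
    parts = raw.decode("utf-16-le").split("\0")
    # Every string is NUL-terminated and the list ends with one extra NUL, so the
    # split leaves two empty tail elements that are terminators, not data.
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("not a double-NUL-terminated REG_MULTI_SZ")
    return parts[:-2]


def encode_multi_sz(strings: list[str]) -> bytes:
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def parse_pending(raw: bytes) -> list[PendingOp]:
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(_to_win32(src), _to_win32(dst) if dst else None, replace))
    return ops


def schedule_delete(raw: bytes, win32_path: str) -> bytes:
    """The value as MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) leaves it."""
    return encode_multi_sz(decode_multi_sz(raw) + [_to_nt(win32_path), ""])


def missing_deletions(raw: bytes, expected: list[str]) -> list[str]:
    """Paths in `expected` that are no longer queued for deletion in `raw`."""
    queued = {op.source.lower() for op in parse_pending(raw) if op.destination is None}
    return [p for p in expected if p.lower() not in queued]


if __name__ == "__main__":
    value = b""
    for path in KILLBOX_LIST:
        value = schedule_delete(value, path)
    for op in parse_pending(value):
        print("DELETE" if op.destination is None else "MOVE  ", op.source, op.destination or "")
    print("all still queued:", not missing_deletions(value, KILLBOX_LIST))
    # What the Killbox error means in practice: the value was emptied behind its back.
    print("lost after clearing:", missing_deletions(b"", KILLBOX_LIST))
```

To get the live bytes on the machine, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` prints the current list, and Sysinternals PendMoves shows the same list already decoded. Avoid `winreg.QueryValueEx` for this value: CPython converts REG_MULTI_SZ to a Python list by scanning until the first empty string, and the first empty string is the first delete entry, so everything after it is silently dropped; read the raw bytes (for example with `RegQueryValueExW` through ctypes) and feed them to `parse_pending`.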

#15 namsilat
  • Topic Starter
  • Members
  • 82 posts

Posted 27 September 2006 - 03:55 PM

OK, here is what's going on with my machine so far. When I click Windows or Microsoft Update from the Start Menu, nothing happens (which was the same as before). When I have an IE7 window open, then click Windows or Microsoft Update from the Start Menu, another IE7 window opens and launches the update web site at Microsoft (which was also the same as before). There is no longer another IE7 window launched to the junk web site, but that was also the case prior to starting the steps you outlined earlier today around 6am. With TASKMGR.EXE gone, I now don't have Task Manager when I hit CTRL-ALT-DEL.

The junk site was only launched when ActiveX was active. It happened when I used Kaspersky's web site and allowed ActiveX. So is there a way to test that out? Finally, how do I get back the functionality of Task Manager, Microsoft Update, and Windows Update? Also, should I delete those files under the Killbox directory?

Edited by namsilat, 27 September 2006 - 10:06 PM.




