Infected With (at Least) Spyware.activitylog (alsys.exe)



#1 Christina8801

Posted 25 January 2007 - 03:31 PM

We're suddenly being blacklisted all over the place, so I've been running from PC to PC in our office to try to find the culprit(s). Here's one that seems to be at least one of our problems...what do I do now?

Logfile of HijackThis v1.99.1
Scan saved at 2:09:14 PM, on 1/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
C:\orant\bin\ifsrv60.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\orant\bin\ifweb60.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskdir.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\alsys.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\System32\MDM.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
S:\Anti-virus programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] (OracleFormsServer-Forms60Server) - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



#2 rookie147

Posted 25 January 2007 - 04:33 PM

Hello Christina8801, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts, the fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post this in your next reply.

Please post me back the SDFix report, and a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Christina8801

Posted 29 January 2007 - 10:49 AM

Sorry for the delay in getting back to you...I just got as far as extracting the files from SDFix.exe, but when I tried to reboot in Safe Mode, it wouldn't let me log on (I tried logging on as the local user and as administrator...neither worked). Please help ASAP!! This thing is getting worse...our entire network is slowing down!

#4 rookie147

Posted 29 January 2007 - 11:17 AM

Try running it in Normal Mode then, please. :thumbsup:



#5 Christina8801

Posted 29 January 2007 - 11:45 AM

Okay, I figured it out and got it to run in Safe Mode. Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:20 AM, on 1/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
C:\orant\bin\ifsrv60.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\orant\bin\ifweb60.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\lnwin.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
S:\Anti-virus programs\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] (OracleFormsServer-Forms60Server) - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


And here's the SDFix Report:


SDFix: Version 1.63

Mon 01/29/2007 - 10:23:01.36

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32

Path:
\??\C:\WINNT\system32\wincom32.sys

wincom32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\system32\adirss.exe - Deleted
C:\WINNT\system32\game.exe - Deleted
C:\WINNT\system32\game0.exe - Deleted
C:\WINNT\system32\game1.exe - Deleted
C:\WINNT\system32\game2.exe - Deleted
C:\WINNT\system32\game3.exe - Deleted
C:\WINNT\system32\game4.exe - Deleted
C:\WINNT\system32\peers.ini - Deleted
C:\WINNT\system32\taskdir.exe - Deleted
C:\WINNT\system32\wincom32.ini - Deleted
C:\WINNT\system32\wincom32.sys - Deleted
C:\WINNT\system32\zlbw.dll - Deleted



ADS Check:

C:\WINNT\system32
No streams found.

Final Check:

Remaining Services:
------------------


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\arcldr.exe
C:\arcsetup.exe
C:\CONFIG.SYS
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2h.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Off2s.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Officeh.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Offices.tmp
C:\Documents and Settings\formserver\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\shipping\My Documents\Word\~WRL0092.tmp
C:\RECYCLER\S-1-5-21-372916917-256646309-315576832-1264\Dc1\Word\~WRL0092.tmp
C:\WINNT\Temp\OLD15.tmp
C:\WINNT\Temp\OLD16.tmp

Finished

#6 rookie147

Posted 29 January 2007 - 12:09 PM

Hey there,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please download ATF Cleaner. Don't run it yet.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Next, please find and delete the following files/folders (if present):

C:\WINNT\system32\lnwin.exe <--File
C:\SDFix <--Folder

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please post me back the Panda report, along with a new HijackThis log.
Thanks,
Charles



#7 Christina8801

Posted 29 January 2007 - 02:01 PM

Okay, here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:58:42 PM, on 1/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
C:\orant\bin\ifsrv60.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\orant\bin\ifweb60.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\System32\MDM.EXE
S:\Anti-virus programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] (OracleFormsServer-Forms60Server) - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


And here's the Panda report:


Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\tleone\Cookies\tleone@atwola[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\tleone\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/Comet Not disinfected C:\Program Files\SpyHunter\Backup\csadzap.dll.bak
Adware:Adware/Comet Not disinfected C:\Program Files\SpyHunter\Backup\csband.dll.bak
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@atdmt[2].txt.bak
Spyware:Cookie/Bfast Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@bfast[1].txt.bak
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@bluestreak[1].txt.bak
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@centrport[2].txt.bak
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@data.coremetrics[2].txt.bak
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@doubleclick[1].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@ehg-dig.hitbox[1].txt.bak
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@fastclick[2].txt.bak
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@linksynergy[2].txt.bak
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@qksrv[2].txt.bak
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@valueclick[1].txt.bak
Spyware:Cookie/Adserver Not disinfected C:\Program Files\SpyHunter\Backup\mkisro@z1.adserver[1].txt.bak
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpyHunter\Backup\temp@advertising[1].txt.bak
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpyHunter\Backup\temp@atdmt[1].txt.bak
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\SpyHunter\Backup\temp@atdmt[2].txt.bak
Spyware:Cookie/Bfast Not disinfected C:\Program Files\SpyHunter\Backup\temp@bfast[1].txt.bak
Spyware:Cookie/Bfast Not disinfected C:\Program Files\SpyHunter\Backup\temp@bfast[2].txt.bak
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpyHunter\Backup\temp@bluestreak[1].txt.bak
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\SpyHunter\Backup\temp@bluestreak[2].txt.bak
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\SpyHunter\Backup\temp@centrport[1].txt.bak
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\SpyHunter\Backup\temp@centrport[2].txt.bak
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\SpyHunter\Backup\temp@data.coremetrics[2].txt.bak
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpyHunter\Backup\temp@doubleclick[1].txt.bak
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\SpyHunter\Backup\temp@doubleclick[2].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\temp@ehg-dig.hitbox[1].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\temp@ehg-dig.hitbox[2].txt.bak
Spyware:Cookie/FastClick Not disinfected C:\Program Files\SpyHunter\Backup\temp@fastclick[2].txt.bak
Spyware:Cookie/Gator Not disinfected C:\Program Files\SpyHunter\Backup\temp@gator[1].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\temp@hg1.hitbox[1].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\temp@hitbox[1].txt.bak
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\SpyHunter\Backup\temp@hitbox[2].txt.bak
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\SpyHunter\Backup\temp@linksynergy[1].txt.bak
Spyware:Cookie/Linksynergy Not disinfected C:\Program Files\SpyHunter\Backup\temp@linksynergy[2].txt.bak
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpyHunter\Backup\temp@mediaplex[1].txt.bak
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\SpyHunter\Backup\temp@mediaplex[2].txt.bak
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\SpyHunter\Backup\temp@qksrv[1].txt.bak
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpyHunter\Backup\temp@realmedia[1].txt.bak
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\SpyHunter\Backup\temp@realmedia[2].txt.bak
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpyHunter\Backup\temp@servedby.advertising[1].txt.bak
Spyware:Cookie/Advertising Not disinfected C:\Program Files\SpyHunter\Backup\temp@servedby.advertising[2].txt.bak
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\SpyHunter\Backup\temp@targetnet[2].txt.bak
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\SpyHunter\Backup\temp@trafficmp[1].txt.bak
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\SpyHunter\Backup\temp@trafficmp[2].txt.bak
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\SpyHunter\Backup\temp@valueclick[2].txt.bak
Spyware:Cookie/X10 Not disinfected C:\Program Files\SpyHunter\Backup\temp@x10[1].txt.bak
Spyware:Cookie/Adserver Not disinfected C:\Program Files\SpyHunter\Backup\temp@z1.adserver[1].txt.bak
Adware:adware/comet Not disinfected C:\WINNT\Downloaded Program Files\cc.inf

#8 rookie147

Posted 29 January 2007 - 04:19 PM

It looks like the Panda log got cut off, so can you post me the whole log please in your next reply? Use more than one post if necessary.



#9 Christina8801

Posted 29 January 2007 - 04:34 PM

That's actually the extent of the text file. Should I try to run the Panda Scan again?

#10 rookie147

Posted 29 January 2007 - 04:44 PM

Hey,
No, don't worry about running Panda again: my bad.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O4 - HKCU\..\Run: [Agent] C:\WINNT\system32\alsys.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Next, please find and delete the following files (if present):

C:\WINNT\Downloaded Program Files\cc.inf <--File
C:\WINNT\system32\alsys.exe <--File

Navigate to the following folder, and delete its contents:

C:\Program Files\SpyHunter\Backup

Reboot into Normal Mode again.

Download WinPFind3U to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

1) In the 'Files Created Within' group click 30 days.
2) In the 'Files Modified Within' group select 30 days.
3) In the 'File String Search' group select Non-Microsoft.

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Paste the information back here in your next reply.
Make sure "end of report" is shown at the bottom; you may have to split the post up.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please post me back the WinPFind report, ComboFix log, along with a new HijackThis log.
Thanks,
Charles
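
The startup entries singled out in this thread can be found mechanically by comparing the O4 (autorun) sections of successive HijackThis logs. The following is an added example, not part of the original posts or of any tool named here; it uses O4 lines excerpted from the three logs above, and the function names are hypothetical.

```python
import re

# O4 autorun lines excerpted from the three HijackThis logs posted in this thread.
SCAN_1 = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
'''
SCAN_2 = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
'''
SCAN_3 = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Agent] C:\WINNT\system32\alsys.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
'''

# "O4 - <location>: <rest>"; the location never contains a colon.
O4_LINE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")


def parse_o4(log_text):
    """Return {(location, name): command} for every O4 line in a log.

    Names and commands are case-folded because Windows paths and registry
    value names are case-insensitive (scan 3 prints 'c:\\' where scan 1
    prints 'C:\\' for the same file).
    """
    entries = {}
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        loc, rest = m.group("loc"), m.group("rest")
        if rest.startswith("[") and "]" in rest:
            # Registry Run value: [ValueName] command line
            name, _, command = rest[1:].partition("]")
        else:
            # Startup folder shortcut: Name.lnk = target
            name, _, command = rest.partition(" = ")
        entries[(loc, name.strip().casefold())] = command.strip().casefold()
    return entries


def diff_autoruns(old, new):
    """Autorun keys added, removed, or re-pointed between two scans."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and old[k] != new[k]),
    }


def flapping(scans):
    """Keys that were present, then absent, then present again.

    HKCU values belong to the account that ran the scan, so a key that
    vanishes and returns may only mean a different user was logged on;
    it still needs a second look before the machine is called clean.
    """
    seen, gone, back = set(), set(), set()
    for entries in scans:
        keys = set(entries)
        back |= gone & keys
        gone = (gone | (seen - keys)) - keys
        seen |= keys
    return sorted(back)


if __name__ == "__main__":
    scans = [parse_o4(s) for s in (SCAN_1, SCAN_2, SCAN_3)]
    for i in range(len(scans) - 1):
        print(f"scan {i + 1} -> scan {i + 2}:", diff_autoruns(scans[i], scans[i + 1]))
    print("reappeared:", flapping(scans))
```
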



#11 Christina8801

Posted 30 January 2007 - 11:14 AM

Here's the WinPFind report:

WinPFind3 logfile created on: 1/30/2007 9:45:17 AM
WinPFind3U by OldTimer - Version 1.0.11 Folder = C:\Documents and Settings\tleone\Desktop\WinPFind3u\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

523828 Kb Total Physical Memory | 322408 Kb Available Physical Memory | 61.55% Memory free
1277676 Kb Paging File | 1078224 Kb Available in Paging File | 84.39% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 39070048 Kb Total Space | 33042808 Kb Free Space | 84.57% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 17727724 Kb Total Space | 3043968 Kb Free Space | 17.17% Space Free


[Processes - Non-Microsoft Only]
caissdt.exe -> %ProgramFiles%\CA\eTrust Internet Security Suite\caissdt.exe -> Computer Associates International, Inc. [Ver = Version 2.0.1.1 | Size = 165416 bytes | Modified Date = 4/21/2006 2:42:24 PM | Attr = ]
ifsrv60.exe -> %SystemDrive%\orant\BIN\ifsrv60.exe -> Oracle Corporation [Ver = 6.0.8.19.2 | Size = 79872 bytes | Modified Date = 5/8/2002 4:35:04 AM | Attr = ]
ifweb60.exe -> %SystemDrive%\orant\BIN\ifweb60.EXE -> Oracle Corporation [Ver = 6.0.8.19.2 | Size = 20992 bytes | Modified Date = 5/8/2002 4:35:04 AM | Attr = ]
mcagent.exe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe -> McAfee, Inc [Ver = 6, 0, 0, 16 | Size = 303104 bytes | Modified Date = 9/22/2005 6:29:08 PM | Attr = ]
mcshield.exe -> %ProgramFiles%\McAfee.com\VSO\McShield.exe -> McAfee Inc. [Ver = 11.0.0.151 | Size = 221184 bytes | Modified Date = 8/10/2005 10:22:02 AM | Attr = ]
mctskshd.exe -> %ProgramFiles%\McAfee.com\Agent\McTskshd.exe -> McAfee, Inc [Ver = 6, 0, 0, 13 | Size = 122368 bytes | Modified Date = 8/24/2005 3:01:04 PM | Attr = ]
mcvsescn.exe -> %ProgramFiles%\McAfee.com\VSO\McVSEscn.exe -> McAfee, Inc. [Ver = 10, 0, 0, 20 | Size = 483328 bytes | Modified Date = 7/8/2005 5:16:16 PM | Attr = ]
mcvsshld.exe -> %ProgramFiles%\McAfee.com\VSO\mcvsshld.exe -> McAfee, Inc. [Ver = 10, 0, 0, 22 | Size = 163840 bytes | Modified Date = 8/10/2005 11:49:20 AM | Attr = ]
oasclnt.exe -> %ProgramFiles%\McAfee.com\VSO\oasclnt.exe -> McAfee, Inc. [Ver = 10, 0, 0, 24 | Size = 53248 bytes | Modified Date = 8/11/2005 9:02:44 PM | Attr = ]
ppactivedetection.exe -> %ProgramFiles%\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe -> Computer Associates [Ver = 8, 0, 0, 3 | Size = 258048 bytes | Modified Date = 1/29/2007 3:21:18 PM | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.11.0 | Size = 306176 bytes | Modified Date = 1/18/2007 6:01:14 PM | Attr = ]
winvnc4.exe -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = 4.0 | Size = 380928 bytes | Modified Date = 6/15/2004 1:29:42 PM | Attr = ]
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 919280 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> VERITAS Software Corp. [Ver = 2195.6624.297.3 | Size = 147728 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr = ]
(McShield) McAfee.com McShield [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee.com\VSO\McShield.exe -> McAfee Inc. [Ver = 11.0.0.151 | Size = 221184 bytes | Modified Date = 8/10/2005 10:22:02 AM | Attr = ]
(McTskshd.exe) McAfee Task Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\McAfee.com\Agent\McTskshd.exe -> McAfee, Inc [Ver = 6, 0, 0, 13 | Size = 122368 bytes | Modified Date = 8/24/2005 3:01:04 PM | Attr = ]
(mcupdmgr.exe) McAfee SecurityCenter Update Manager [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\McAfee.com\Agent\mcupdmgr.exe -> McAfee, Inc [Ver = 6, 0, 0, 4 | Size = 245760 bytes | Modified Date = 7/1/2005 6:22:50 PM | Attr = ]
(OracleClientCache80) OracleClientCache80 [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\orant\BIN\ONRSD80.EXE -> [Ver = | Size = 101136 bytes | Modified Date = 10/18/2002 7:04:10 PM | Attr = ]
(OracleFormsServer-Forms60Server) Oracle Forms Server [Forms60Server] [Win32_Own | Auto | Running] -> %SystemDrive%\orant\BIN\ifsrv60.exe -> Oracle Corporation [Ver = 6.0.8.19.2 | Size = 79872 bytes | Modified Date = 5/8/2002 4:35:04 AM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75568 bytes | Modified Date = 1/8/2007 2:29:38 PM | Attr = ]
(WinVNC4) VNC Server Version 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\RealVNC\VNC4\winvnc4.exe -> RealVNC Ltd. [Ver = 4.0 | Size = 380928 bytes | Modified Date = 6/15/2004 1:29:42 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CaISSDT -> %ProgramFiles%\CA\eTrust Internet Security Suite\caissdt.exe -> Computer Associates International, Inc. [Ver = Version 2.0.1.1 | Size = 165416 bytes | Modified Date = 4/21/2006 2:42:24 PM | Attr = ]
eTrustPPAP -> %ProgramFiles%\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe -> Computer Associates [Ver = 8, 0, 0, 3 | Size = 258048 bytes | Modified Date = 1/29/2007 3:21:18 PM | Attr = ]
MCAgentExe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe -> McAfee, Inc [Ver = 6, 0, 0, 16 | Size = 303104 bytes | Modified Date = 9/22/2005 6:29:08 PM | Attr = ]
MCUpdateExe -> %ProgramFiles%\McAfee.com\Agent\mcupdate.exe -> McAfee, Inc [Ver = 6, 0, 0, 21 | Size = 212992 bytes | Modified Date = 1/11/2006 12:05:42 PM | Attr = ]
OASClnt -> %ProgramFiles%\McAfee.com\VSO\oasclnt.exe -> McAfee, Inc. [Ver = 10, 0, 0, 24 | Size = 53248 bytes | Modified Date = 8/11/2005 9:02:44 PM | Attr = ]
VirusScan Online -> %ProgramFiles%\McAfee.com\VSO\mcvsshld.exe -> McAfee, Inc. [Ver = 10, 0, 0, 22 | Size = 163840 bytes | Modified Date = 8/10/2005 11:49:20 AM | Attr = ]
VSOCheckTask -> %ProgramFiles%\McAfee.com\VSO\mcmnhdlr.exe -> McAfee, Inc. [Ver = 10, 0, 0, 20 | Size = 151552 bytes | Modified Date = 7/8/2005 5:18:22 PM | Attr = ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 919280 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
< Disabled MSConfig Folder Items[HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
< Disabled MSConfig Registry Items [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
Aim6 -> %ProgramFiles%\AIM6\aim6.exe -> AOL LLC [Ver = 1.4.9.1 | Size = 50736 bytes | Modified Date = 11/7/2006 9:29:04 AM | Attr = ]
OBi Server -> -> File not found
Spyware Doctor -> -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 ->
-> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer not found. ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< HOSTS File > -> C:\WINNT\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINNT\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 4/16/2001 4:39:02 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 3, 0, 12 | Size = 744960 bytes | Modified Date = 5/12/2004 12:03:00 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> %ProgramFiles%\McAfee.com\VSO\mcvsshl.dll [McAfee VirusScan] -> McAfee, Inc. [Ver = 10, 0, 0, 19 | Size = 114688 bytes | Modified Date = 7/1/2005 7:44:30 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [&Yahoo! Toolbar] -> File not found
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -> 8194 - Reg Data - Key not found ->
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> 8192 - Reg Data - Value does not exist ->
NextId -> 8195 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM95\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.3690 | Size = 66672 bytes | Modified Date = 9/1/2004 10:26:48 AM | Attr = ]
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 5:05:42 PM | Attr = ]
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\HTICONS.DLL [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.00.2195.6684 | Size = 21776 bytes | Modified Date = 6/19/2003 1:05:04 PM | Attr = ]
{D9872D13-7651-4471-9EEE-F0A00218BEBB} [HKLM] -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlavscan.dll [Multiscan] -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 50928 bytes | Modified Date = 1/8/2007 2:29:00 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
{E0D79305-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
{E0D79306-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
{E0D79307-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
< Approved Shell Extensions [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\Web Folders\MSONSEXT.DLL [Web Folders] -> [Ver = | Size = 561209 bytes | Modified Date = 1/27/2000 11:18:04 PM | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{CFC7205E-2792-4378-9591-3879CC6C9022} [HKLM] -> %ProgramFiles%\McAfee.com\VSO\mcvsshl.dll [VSCContextMenu Class] -> McAfee, Inc. [Ver = 10, 0, 0, 19 | Size = 114688 bytes | Modified Date = 7/1/2005 7:44:30 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
{D9872D13-7651-4471-9EEE-F0A00218BEBB} [HKLM] -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlavscan.dll [ZLAVShExt] -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 50928 bytes | Modified Date = 1/8/2007 2:29:00 PM | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{CFC7205E-2792-4378-9591-3879CC6C9022} [HKLM] -> %ProgramFiles%\McAfee.com\VSO\mcvsshl.dll [VSCContextMenu Class] -> McAfee, Inc. [Ver = 10, 0, 0, 19 | Size = 114688 bytes | Modified Date = 7/1/2005 7:44:30 PM | Attr = ]
{E0D79304-84BE-11CE-9641-444553540000} [HKLM] -> %ProgramFiles%\WinZip\WZSHLSTB.DLL [WinZip] -> WinZip Computing, Inc. [Ver = 4.1 (32-bit) | Size = 20552 bytes | Modified Date = 10/11/2002 8:10:00 AM | Attr = ]
{D9872D13-7651-4471-9EEE-F0A00218BEBB} [HKLM] -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlavscan.dll [ZLAVShExt] -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 50928 bytes | Modified Date = 1/8/2007 2:29:00 PM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{15137963-0240-4AE4-83A2-A410CBDD2B05} -> (Intel® PRO/1000 MT Desktop Adapter) ->
{EF0D0299-92D5-497C-86EC-2C3208DD8CA3} -> (3Com EtherLink 10/100 PCI For Complete PC Management NIC (3C905C-TX)) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 10:01:28 AM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab ->
{0C568603-D79D-11D2-87A7-00C04FF158BB} -> BrowseFolderPopup Class - CodeBase = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab ->
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> McAfee.com Operating System Class - CodeBase = http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> Update Class - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/...7876.3526041667 ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -> DwnldGroupMgr Class - CodeBase = http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINNT\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab ->


[Files - Created Within 30 days]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1493 bytes | Created Date = 1/25/2007 1:56:13 PM | Attr = H ]
tbunins.exe -> %CommonProgramFiles%\AOL\AOLDiag\tbunins.exe -> AOL LLC [Ver = 3.3.11.1 | Size = 88673 bytes | Created Date = 1/25/2007 2:02:03 PM | Attr = ]
alunins.exe -> %CommonProgramFiles%\AOL\Loader\alunins.exe -> AOL LLC [Ver = 9.3.1.1 | Size = 88495 bytes | Created Date = 1/25/2007 2:02:02 PM | Attr = ]
Uninstall.exe -> %CommonProgramFiles%\Nullsoft\ActiveX\2.6\Uninstall.exe -> [Ver = | Size = 32675 bytes | Created Date = 1/25/2007 2:02:34 PM | Attr = ]
atid.ini -> %SystemRoot%\atid.ini -> [Ver = | Size = 29 bytes | Created Date = 1/25/2007 1:56:15 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 335 bytes | Created Date = 1/25/2007 1:59:11 PM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Created Date = 1/29/2007 3:22:47 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 100 bytes | Created Date = 1/25/2007 3:06:52 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75512 bytes | Created Date = 1/29/2007 4:13:38 PM | Attr = ]
abc.exe -> %System32%\abc.exe -> [Ver = | Size = 54213 bytes | Created Date = 1/29/2007 7:32:30 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 1/29/2007 11:39:07 AM | Attr = ]
H5g2uC6.exe -> %System32%\H5g2uC6.exe -> [Ver = | Size = 35781 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 1/29/2007 11:38:29 AM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 1/29/2007 4:13:23 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 1/29/2007 11:38:28 AM | Attr = ]
Perflib_Perfdata_2b8.dat -> %System32%\Perflib_Perfdata_2b8.dat -> [Ver = | Size = 16384 bytes | Created Date = 1/25/2007 4:02:38 PM | Attr = ]
Perflib_Perfdata_304.dat -> %System32%\Perflib_Perfdata_304.dat -> [Ver = | Size = 16384 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 1/29/2007 11:38:29 AM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49404 bytes | Created Date = 1/29/2007 4:13:13 PM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 1/29/2007 4:12:30 PM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 394160 bytes | Created Date = 1/29/2007 4:13:13 PM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 157424 bytes | Created Date = 1/29/2007 4:12:30 PM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 104176 bytes | Created Date = 1/29/2007 4:13:14 PM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 272112 bytes | Created Date = 1/29/2007 4:13:14 PM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 1/29/2007 4:13:23 PM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 472816 bytes | Created Date = 1/29/2007 4:12:30 PM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 46832 bytes | Created Date = 1/29/2007 4:13:16 PM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 100080 bytes | Created Date = 1/29/2007 4:13:15 PM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Created Date = 1/29/2007 4:13:20 PM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Created Date = 1/29/2007 4:13:20 PM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 1/29/2007 4:13:55 PM | Attr = H ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 1/29/2007 4:13:15 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 1/29/2007 11:39:07 AM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1049 | Size = 94480 bytes | Created Date = 1/29/2007 2:40:55 PM | Attr = ]

[Files - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 192 bytes | Modified Date = 1/29/2007 3:48:30 PM | Attr = HS]
IPH.PH -> %SystemDrive%\IPH.PH -> [Ver = | Size = 1493 bytes | Modified Date = 1/25/2007 2:03:14 PM | Attr = H ]
ppctl.dll -> %CommonProgramFiles%\Scanner\ppctl.dll -> CA [Ver = 5.6.9.3 | Size = 800272 bytes | Modified Date = 1/29/2007 3:19:50 PM | Attr = ]
tbunins.exe -> %CommonProgramFiles%\AOL\AOLDiag\tbunins.exe -> AOL LLC [Ver = 3.3.11.1 | Size = 88673 bytes | Modified Date = 1/25/2007 2:02:04 PM | Attr = ]
alunins.exe -> %CommonProgramFiles%\AOL\Loader\alunins.exe -> AOL LLC [Ver = 9.3.1.1 | Size = 88495 bytes | Modified Date = 1/25/2007 2:02:04 PM | Attr = ]
Uninstall.exe -> %CommonProgramFiles%\Nullsoft\ActiveX\2.6\Uninstall.exe -> [Ver = | Size = 32675 bytes | Modified Date = 1/25/2007 2:02:36 PM | Attr = ]
atid.ini -> %SystemRoot%\atid.ini -> [Ver = | Size = 29 bytes | Modified Date = 1/25/2007 1:56:16 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 335 bytes | Modified Date = 1/25/2007 1:59:12 PM | Attr = ]
pestpatrol5.INI -> %SystemRoot%\pestpatrol5.INI -> [Ver = | Size = 0 bytes | Modified Date = 1/29/2007 3:22:48 PM | Attr = ]
SYSTEM.INI -> %SystemRoot%\SYSTEM.INI -> [Ver = | Size = 246 bytes | Modified Date = 1/29/2007 3:48:30 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 482 bytes | Modified Date = 1/29/2007 3:48:30 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 100 bytes | Modified Date = 1/25/2007 3:06:54 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 75512 bytes | Modified Date = 1/8/2007 2:29:40 PM | Attr = ]
abc.exe -> %System32%\abc.exe -> [Ver = | Size = 54213 bytes | Modified Date = 1/29/2007 7:32:32 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 1/29/2007 11:38:30 AM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Modified Date = 1/8/2007 2:28:40 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 1/29/2007 11:38:30 AM | Attr = ]
Perflib_Perfdata_2b8.dat -> %System32%\Perflib_Perfdata_2b8.dat -> [Ver = | Size = 16384 bytes | Modified Date = 1/25/2007 4:02:40 PM | Attr = ]
Perflib_Perfdata_304.dat -> %System32%\Perflib_Perfdata_304.dat -> [Ver = | Size = 16384 bytes | Modified Date = 1/30/2007 9:41:52 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 1/29/2007 11:38:30 AM | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49404 bytes | Modified Date = 1/30/2007 9:42:14 AM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Modified Date = 1/8/2007 2:28:52 PM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 394160 bytes | Modified Date = 1/8/2007 2:29:54 PM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 157424 bytes | Modified Date = 1/8/2007 2:28:52 PM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 104176 bytes | Modified Date = 1/8/2007 2:28:52 PM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 272112 bytes | Modified Date = 1/8/2007 2:28:54 PM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Modified Date = 1/8/2007 2:28:54 PM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 472816 bytes | Modified Date = 1/8/2007 2:28:56 PM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 46832 bytes | Modified Date = 1/8/2007 2:28:58 PM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 100080 bytes | Modified Date = 1/8/2007 2:28:58 PM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 83696 bytes | Modified Date = 1/8/2007 2:29:00 PM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.302.000 | Size = 71408 bytes | Modified Date = 1/8/2007 2:29:00 PM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 1/29/2007 4:15:02 PM | Attr = H ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Modified Date = 1/8/2007 2:29:14 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1049 | Size = 94480 bytes | Modified Date = 1/29/2007 2:40:56 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %System32%\abc.exe -> [Ver = | Size = 54213 bytes | Modified Date = 1/29/2007 7:32:32 AM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 12/7/1999 6:00:00 AM | Attr = ]
PEC2 , -> %System32%\drivers\winacpci.sys -> Conexant [Ver = 2.1.2.164.005 | Size = 900528 bytes | Modified Date = 10/6/1999 4:15:30 PM | Attr = ]

< End of report >

#12 Christina8801

Posted 30 January 2007 - 11:15 AM

And the ComboFix log:

"tleone" - Tue 01/30/2007 10:00:51 Service Pack 4
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\tleone\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-30 to 2007-01-30 ))))))))))))))))))))))))))))))))))


2007-01-29 16:13 75,512 --a------ C:\WINNT\zllsputility.exe
2007-01-29 16:13 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-01-29 16:13 1,087,216 --a------ C:\WINNT\system32\zpeng24.dll
2007-01-29 16:13 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2007-01-29 16:12 <DIR> d-a------ C:\WINNT\Internet Logs
2007-01-29 15:27 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-29 15:26 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-01-29 15:19 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-01-29 15:19 <DIR> d-------- C:\Program Files\CA
2007-01-29 15:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-01-29 14:40 94,480 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-01-29 14:23 158,208 --a------ C:\WINNT\system32\MSCONFIG.EXE
2007-01-29 14:23 <DIR> d-------- C:\WINNT\pss
2007-01-29 11:38 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-01-29 07:32 54,213 --a------ C:\WINNT\system32\abc.exe
2007-01-25 15:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-25 15:48 <DIR> d-------- C:\DOCUME~1\tleone\Application Data\Lavasoft
2007-01-25 14:43 <DIR> d-------- C:\DOCUME~1\tleone\Application Data\Viewpoint
2007-01-25 14:03 <DIR> d-------- C:\DOCUME~1\tleone\Application Data\acccore
2007-01-25 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2007-01-25 14:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL
2007-01-25 14:02 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-01-25 14:02 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-01-25 13:59 <DIR> d-------- C:\Program Files\AIM6
2007-01-25 13:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-29 12:25 -------- d-------- C:\Program Files\quicktime
2007-01-25 15:16 -------- d-------- C:\Program Files\aim95
2007-01-25 13:29 -------- d-------- C:\Program Files\yahoo!
2007-01-25 13:28 -------- d-------- C:\Program Files\spyhunter


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"Synchronization Manager"="mobsync.exe /logon"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINNT\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.lnk"
"backup"="C:\\WINNT\\pss\\Service Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\80\\Tools\\Binn\\sqlmangr.exe /n"
"item"="Service Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINNT\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OBi Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mobsync"
"hkey"="HKLM"
"command"="mobsync.exe /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0


Completion time: Tue 2007-01-30 10:03:07


And the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10, on 07-01-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
C:\orant\bin\ifsrv60.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\orant\bin\ifweb60.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
S:\Anti-virus programs\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Forms Server [Forms60Server] (OracleFormsServer-Forms60Server) - Oracle Corporation - C:\orant\bin\ifsrv60.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#13 rookie147


Posted 30 January 2007 - 01:04 PM

Hey there,
I would recommend that you uninstall SpyHunter; it's a rogue antispyware.
You can uninstall it from Add/Remove Programs in the Control Panel if you wish.
You can also read more information on the following link, where it is listed:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the Desktop but do not run it.
Paste the following bold part into the Suspicious File Packer window:
C:\WINNT\system32\abc.exe
C:\WINNT\system32\H5g2uC6.exe

Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#14 Christina8801


Posted 30 January 2007 - 04:23 PM

I have submitted the files. =)

Thanks!

Christina

#15 rookie147


Posted 30 January 2007 - 04:26 PM

Thanks. Let me take a look at them and I'll get back to you soon... :thumbsup:

EDIT: We can try another way to upload the file:

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to C:\WINNT\system32 and see if you can find a file called "H5g2uC6.exe". If you can, please proceed with my steps; if not, post back telling me you can't find it.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Open the Suspicious File Packer now.
Paste the following bold part into the Suspicious File Packer window:
C:\WINNT\system32\H5g2uC6.exe
Allow SFP to pack the file. This will generate a CAB archive on your Desktop.

Reboot back into Normal Mode.
Please submit the new files to the same page as before, using my old instructions if necessary.
Thanks,
Charles

Edited by rookie147, 30 January 2007 - 04:41 PM.
