
Another Machine With Popups, Etc Hijack This Log


26 replies to this topic

#1 td323i

td323i

  • Members
  • 122 posts

Posted 27 March 2007 - 07:24 PM

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:06:25 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
c:\program files\common files\aol\1144624916\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144624916\ee\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
C:\Temp\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.197.149.13/activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.carilloncams.com/activex/AMC.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9633 bytes
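The log above is a structured format: every line after the process list is a section code (R0, R3, O2, O4, O16, O23, ...) followed by the entry, and the things a helper looks for first are mechanical: entries whose target file no longer exists ("(no file)", "(file missing)"), a blank Start Page, an O16 ActiveX download hosted on a bare IP address, and services with no vendor name. The parser and triage pass below are an added example, not code from the original thread or from HijackThis; the flag names are my own, the heuristics are review prompts rather than verdicts, and the sample input is a handful of lines taken from the log posted above.

```python
"""Parse a HijackThis log and flag the entries a reviewer would look at first."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# One HijackThis entry: section code ("R0", "O4", "O16", ...) then " - " then the body.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Literal IPv4 host in a URL, as in the O16 AxisMediaControl entry above.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Return the structured entries; header, process-list and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags (heuristics, not verdicts) and return only flagged entries."""
    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.flags.append("orphan")        # registry points at a file that is gone
        if e.code in ("R0", "R1") and e.body.rstrip().endswith("="):
            e.flags.append("blank-value")   # empty Start/Local page: harmless, but note it
        if e.code == "O16" and IP_URL.search(e.body):
            e.flags.append("dpf-ip-host")   # ActiveX control downloaded from a bare IP
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("no-vendor")     # service with no company name recorded
    return [e for e in entries if e.flags]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    """How many entries each section code has; a quick shape check of the log."""
    return dict(Counter(e.code for e in entries))


# Sample input: lines copied from the HijackThis log posted above, not a full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.197.149.13/activex/AMC.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 9633 bytes
"""


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(entries))
    for e in triage(entries):
        print(f"{e.code:<4} {', '.join(e.flags):<18} {e.body}")
```

Run as a script it prints the per-section counts and then one line per flagged entry; on the sample the orphaned R3 hook, the Schoolpop button, the IP-hosted O16 control and the avast! service line with both a missing file and no vendor are the ones that come out, which matches what a human reading the full log would underline.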


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 05 April 2007 - 10:09 AM

Please delete any HijackThis folders and files you have now. Use Add/Remove Programs and remove HijackThis. What you have now is a Beta version.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.malwareremoval.com/HJTsetup.exe.

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, click Edit > Select All > Edit > Copy, and paste its contents here.

#3 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts

Posted 07 April 2007 - 02:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:24:19 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\program files\common files\aol\1144624916\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144624916\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.197.149.13/activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.carilloncams.com/activex/AMC.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 08 April 2007 - 03:44 AM

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic


#5 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts

Posted 10 April 2007 - 09:53 PM

F-Secure Log


04/10/07 21:43:10 [Info]: BlackLight Engine 1.0.61 initialized
04/10/07 21:43:10 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/10/07 21:43:19 [Note]: 7019 4
04/10/07 21:43:19 [Note]: 7005 0
04/10/07 21:43:49 [Note]: 7006 0
04/10/07 21:43:49 [Note]: 7022 0
04/10/07 22:03:45 [Note]: 7011 1904
04/10/07 22:03:46 [Note]: 7026 0
04/10/07 22:03:47 [Note]: 7026 0
04/10/07 22:04:05 [Note]: FSRAW library version 1.7.1021
04/10/07 22:50:14 [Note]: 7007 0

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 11 April 2007 - 05:16 AM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic


#7 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts

Posted 11 April 2007 - 06:50 PM

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 19:36:44
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\ZoneLabs\vsmon.exe[2032] ntdll.dll!KiFastSystemCall + 2 7C90EB8D 2 Bytes [ CD, 20 ]

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, 81, A6, F5, 80, E4, A6, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, 81, A6, F5, 80, E4, A6, ... ]
.text ntoskrnl.exe!_abnormal_termination + 465 804E2AC1 3 Bytes [ 25, A6, F5 ]
.text ntoskrnl.exe!_abnormal_termination + 465 804E2AC1 3 Bytes [ 25, A6, F5 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F5A798A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F5A798A0] vsdatant.sys

---- System - GMER 1.0.12 ----

INT 0x20 srescan.sys F72C99B0

---- Kernel code sections - GMER 1.0.12 ----

? srescan.sys The system cannot find the file specified.

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\GPEP69VZ\v[1].:

---- EOF - GMER 1.0.12 ----





GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-04-11 19:43:35
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AOL ACS /*AOL Connectivity Service*/@ = "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
AOL TopSpeedMonitor /*AOL TopSpeed Monitor*/@ = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
aswUpdSv /*avast! iAVS4 Control Service*/@ = C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
avast! Antivirus /*avast! Antivirus*/@ = C:\Program Files\Alwil Software\Avast4\ashserv.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\System32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
WANMiniportService /*WAN Miniport (ATW) Service*/@ = "C:\WINDOWS\wanmpsvc.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ezShieldProtector for PxC:\WINDOWS\System32\ezSP_Px.exe = C:\WINDOWS\System32\ezSP_Px.exe
@avast!C:\Program Files\Alwil Software\Avast4\ashDisp.exe = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
@PrnSys ExecutableC:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe /*file not found*/ = C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe /*file not found*/
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@ViewMgrC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe /*file not found*/ = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe /*file not found*/
@IntelliPoint"C:\Program Files\Microsoft IntelliPoint\point32.exe" = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@YeppStudioAgentC:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe = C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@HostManagerC:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe = C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
@AOLDialerC:\Program Files\Common Files\AOL\ACS\AOLDial.exe = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
@Pure Networks Port Magic"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run = "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
@ZoneAlarm Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
@Aim6"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{20082881-FC36-4E47-9A7A-644C95FF749F} /*IntelliPoint Wireless Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"
@{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} /*IntelliPoint Wheel Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"
@{653DCCC2-13DB-45B2-A389-427885776CFE} /*IntelliPoint Activities Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplact.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"
@{124597D8-850A-41AE-849C-017A4FA99CA2} /*IntelliPoint Buttons Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Photo Loader supervisory.lnk = Photo Loader supervisory.lnk
QuickBooks 2002 Delivery Agent.lnk = QuickBooks 2002 Delivery Agent.lnk

---- EOF - GMER 1.0.12 ----

#8 random/random


  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 12 April 2007 - 04:56 AM

  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding; this is normal
  • Wait for the scan to finish; this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off


#9 td323i

  • Topic Starter

  • Members
  • 122 posts

Posted 15 April 2007 - 01:02 PM

WinPFind logfile created on: 4/15/2007 11:27:43 AM
WinPFind by OldTimer - v2.0.3 Folder = C:\Temp\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

383.48 Mb Total Physical Memory | 145.70 Mb Available Physical Memory | 37.99% Memory free
540.03 Mb Paging File | 178.63 Mb Available in Paging File | 33.08% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 31.80 Gb Total Space | 8.19 Gb Free Space | 25.76% Space Free
Drive D: | 6.54 Gb Total Space | 6.51 Gb Free Space | 99.44% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: CASTALDI-GZCHKX
Current User Name: Dad
Logged in as Administrator.
Current Boot Mode: Normal

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Program Files\Alwil Software\Avast4\ashDisp.exe ()
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\ashServ.exe ()
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe ()
C:\Program Files\CASIO\Photo Loader\Plauto.exe (CASIO COMPUTER CO.,LTD.)
C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe (America Online, Inc.)
c:\program files\common files\AOL\1144624916\ee\aolsoftware.exe (America Online, Inc.)
c:\program files\common files\AOL\1144624916\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe ()
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe ()
C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)
C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe ()
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
C:\Temp\WinPFind\WinPFind.exe (OldTimer Tools)
C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)
C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (AOL LLC)

(AOL TopSpeedMonitor) AOL TopSpeed Monitor [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)

(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running]
= C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe ()

(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running]
= C:\Program Files\Alwil Software\Avast4\ashServ.exe ()

(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running]
= C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running]
= C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

(iPodService) iPodService [Win32_Own | On_Demand | Running]
= C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc.)

(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

(SPTISRV) Sony SPTI Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running]
= C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Zone Labs, LLC)

(WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running]
= C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)

»»»»»»»»»»»»»»»»»»»» Driver Services (Non-Microsoft) »»»»»»»»»»

(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)

(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
= (File not found)

(abp480n5) abp480n5 [Kernel | Disabled | Stopped]
= (File not found)

(admjoy) Aureal Game Port Enumerator [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\admjoy.sys (Aureal, Inc.)

(adpu160m) adpu160m [Kernel | Disabled | Stopped]
= (File not found)

(AFS2K) AFS2K [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)

(Aha154x) Aha154x [Kernel | Disabled | Stopped]
= (File not found)

(aic78u2) aic78u2 [Kernel | Disabled | Stopped]
= (File not found)

(aic78xx) aic78xx [Kernel | Disabled | Stopped]
= (File not found)

(AliIde) AliIde [Kernel | Disabled | Stopped]
= (File not found)

(amsint) amsint [Kernel | Disabled | Stopped]
= (File not found)

(asc) asc [Kernel | Disabled | Stopped]
= (File not found)

(asc3350p) asc3350p [Kernel | Disabled | Stopped]
= (File not found)

(asc3550) asc3550 [Kernel | Disabled | Stopped]
= (File not found)

(aswMon2) avast! Standard Shield Support [File_System | Auto | Running]
= C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)

(aswRdr) aswRdr [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)

(aswTdi) avast! Network Shield Support [Kernel | System | Running]
= C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)

(Atdisk) Atdisk [Kernel | Disabled | Stopped]
= (File not found)

(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running]
= C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ()

(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running]
= C:\WINDOWS\system32\drivers\AvgAsCln.sys (GRISOFT, s.r.o.)

(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped]
= (File not found)

(Changer) Changer [Kernel | System | Stopped]
= (File not found)

(CmdIde) CmdIde [Kernel | Disabled | Stopped]
= (File not found)

(Cpqarray) Cpqarray [Kernel | Disabled | Stopped]
= (File not found)

(dac960nt) dac960nt [Kernel | Disabled | Stopped]
= (File not found)

(dmboot) dmboot [Kernel | Disabled | Stopped]
= C:\WINDOWS\system32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)

(dmio) Logical Disk Manager Driver [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmio.sys (Microsoft Corp., Veritas Software)

(dmload) dmload [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)

(dpti2o) dpti2o [Kernel | Disabled | Stopped]
= (File not found)

(EUSBMSD) eUSB SmartMedia Driver [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\EUSBMSD.SYS (SCM Microsystems Inc.)

(FA312) NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\FA312nd5.sys (NETGEAR Corp.)

(GEARAspiWDM) GEAR CDRom Filter [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

(gmer) gmer [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\gmer.sys (GMER)

(HCF_MSFT) HCF_MSFT [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\HCF_MSFT.sys (Conexant)

(hpn) hpn [Kernel | Disabled | Stopped]
= (File not found)

(hpt3xx) hpt3xx [Kernel | Disabled | Stopped]
= (File not found)

(i2omgmt) i2omgmt [Kernel | System | Stopped]
= (File not found)

(i2omp) i2omp [Kernel | Disabled | Stopped]
= (File not found)

(ini910u) ini910u [Kernel | Disabled | Stopped]
= (File not found)

(IntelIde) IntelIde [Kernel | Disabled | Stopped]
= (File not found)

(lbrtfdc) lbrtfdc [Kernel | System | Stopped]
= (File not found)

(MCSTRM) MCSTRM [Kernel | Auto | Running]
= C:\WINDOWS\System32\drivers\mcstrm.sys (RealNetworks, Inc.)

(mraid35x) mraid35x [Kernel | Disabled | Stopped]
= (File not found)

(ngrpci) NETGEAR FA310TX Fast Ethernet Adapter Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\Ngrpci.sys (NETGEAR Corporation.)

(nv) nv [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

(nv4) nv4 [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\nv4.sys (NVIDIA Corporation)

(PCIDump) PCIDump [Kernel | System | Stopped]
= (File not found)

(PCIIde) PCIIde [Kernel | Disabled | Stopped]
= (File not found)

(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
= (File not found)

(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(PDRELI) PDRELI [Kernel | On_Demand | Stopped]
= (File not found)

(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
= (File not found)

(perc2) perc2 [Kernel | Disabled | Stopped]
= (File not found)

(perc2hib) perc2hib [Kernel | Disabled | Stopped]
= (File not found)

(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

(PxHelp20) PxHelp20 [Kernel | Boot | Running]
= C:\WINDOWS\system32\drivers\pxhelp20.sys (VERITAS Software, Inc.)

(ql1080) ql1080 [Kernel | Disabled | Stopped]
= (File not found)

(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped]
= (File not found)

(ql12160) ql12160 [Kernel | Disabled | Stopped]
= (File not found)

(ql1240) ql1240 [Kernel | Disabled | Stopped]
= (File not found)

(ql1280) ql1280 [Kernel | Disabled | Stopped]
= (File not found)

(Secdrv) Secdrv [Kernel | Auto | Running]
= C:\WINDOWS\system32\drivers\secdrv.sys ()

(Simbad) Simbad [Kernel | Disabled | Stopped]
= (File not found)

(Sparrow) Sparrow [Kernel | Disabled | Stopped]
= (File not found)

(srescan) srescan [Kernel | Boot | Running]
= C:\WINDOWS\system32\ZoneLabs\srescan.sys (Zone Labs, LLC)

(symc810) symc810 [Kernel | Disabled | Stopped]
= (File not found)

(symc8xx) symc8xx [Kernel | Disabled | Stopped]
= (File not found)

(sym_hi) sym_hi [Kernel | Disabled | Stopped]
= (File not found)

(sym_u3) sym_u3 [Kernel | Disabled | Stopped]
= (File not found)

(TosIde) TosIde [Kernel | Disabled | Stopped]
= (File not found)

(ultra) ultra [Kernel | Disabled | Stopped]
= (File not found)

(vsdatant) vsdatant [Kernel | System | Running]
= C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)

(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)

(WDICA) WDICA [Kernel | On_Demand | Stopped]
= (File not found)

(wdm_au8830) Aureal Vortex 8830 Audio Driver (WDM) [Kernel | On_Demand | Running]
= C:\WINDOWS\system32\drivers\adm8830.sys (Aureal, Inc.)

(xbreader) MaxDrive XBox Driver (xbreader.sys) [Kernel | On_Demand | Stopped]
= C:\WINDOWS\system32\drivers\xbreader.sys (Thesycon GmbH, Germany)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
!AVG Anti-Spyware = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (AOL LLC)
avast! = C:\Program Files\Alwil Software\Avast4\ashDisp.exe ()
ezShieldProtector for Px = C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
HostManager = C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe (America Online, Inc.)
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
NvCplDaemon = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation)
nwiz = C:\WINDOWS\system32\nwiz.exe (NVIDIA Corporation)
PrnSys Executable = C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe (File not found)
Pure Networks Port Magic = C:\Program Files\Pure Networks\Port Magic\PortAOL.exe (Pure Networks, Inc.)
QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe (Sun Microsystems, Inc.)
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (File not found)
YeppStudioAgent = C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe ()
ZoneAlarm Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Aim6 = C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe (America Online, Inc.)
NvMediaCenter = C:\WINDOWS\system32\nvmctray.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Loader supervisory.lnk
= C:\Program Files\CASIO\Photo Loader\Plauto.exe (CASIO COMPUTER CO.,LTD.)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
= C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe ()

< User Startup Folder = C:\Documents and Settings\Dad\Start Menu\Programs\Startup >
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = AVG Anti-Spyware 7.5 ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.) )


>>>>> Winlogon Keys <<<<<


>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 734 bytes | Modified Date: 8/23/2001 2:00:00 PM)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = http://www.google.com/ie

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.google.com/ie
SearchAssistant = http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\System32\blank.htm
Search Bar = http://www.google.com/ie
Search Page = http://www.google.com
Start Page = http://www.msn.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
SearchAssistant = http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{EA756889-2338-43DB-8F07-D1CA6FB9C90D} = Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- AcroIEHlprObj Class ( HKLM = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKCU Internet Explorer Bars <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

>>>>> HKLM Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer ToolBars <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{DE9C389F-3316-41A7-809B-AA305ED9D922} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar ( HKLM = Reg Data - Key not found (File not found) )

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{3369AF0D-62E9-4bda-8103-B4C75499B578} = 8202 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = 8203 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8199 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} = 8196 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} = 8198 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{B46F2A6A-3216-461c-BEEA-FBE442469812} = 8197 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8205

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - Java Plug-in 1.5.0_11 ( HKLM C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - Java Plug-in 1.5.0_11 ( HKCU C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
ButtonText = Research

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
ButtonText = Real.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping]

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar search]
@ = C:\Program Files\AOL Toolbar\toolbar.dll\SEARCH.HTM (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@ = 000 (File not found)

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{1CDB2949-8F65-4355-8456-263E7C208A5D} = Desktop Explorer ( HKLM = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation) )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} = Desktop Explorer Menu ( HKLM = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation) )
{32683183-48a0-441b-a342-7c2a440a9478} = Media Band ( CLSID not found! )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{472083B0-C522-11CF-8763-00608CC02F24} = avast ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} = iTunes ( HKLM = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.) )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )

>>>>> HKCU Approved Shell Extensions <<<<<

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
@ = {B41DB860-8EE4-11D2-9906-E49FADC173CA} ( HKLM = C:\Program Files\WinRAR\RarExt.dll () )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 255
WizmaxBackup_NoDriveTypeAutoRun = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 255
WizmaxBackup_NoDriveTypeAutoRun = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =
PendingFileRenameOperations = \??\C:\WINDOWS\system32\ZoneLabs\spyware.dat.zlbak;


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\Program Files\QuickTime\QTSystem\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = aolfile_HTM] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\System32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> C:\PROGRA~1\AMERIC~1.0A\aol.exe -u"%1" (America Online, Inc.)

https [open] -> C:\PROGRA~1\AMERIC~1.0A\aol.exe -u"%1" (America Online, Inc.)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{13A5B4F0-8DCE-4D52-8BEF-E1E4086DA4BB}] ( NETGEAR FA311 Fast Ethernet Adapter )
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{49C67A90-6811-4C5A-9CFB-86F953562E3A}]
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6E4C6AD2-6948-4CD2-8CE6-2BDDCD3C7CB4}]
DefaultGateway =
DhcpDefaultGateway = 192.168.1.1;
DhcpIPAddress = 192.168.1.111
DhcpNameServer = 68.237.161.12 151.198.0.39
DhcpServer = 192.168.1.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADCE3139-6D89-425E-9793-E956D5CDB6F4}] ( NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) )
DefaultGateway =
DhcpServer = 255.255.255.255
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DC569898-662B-45C3-81D4-1EEC238E0184}] ( 1394 Net Adapter )
DefaultGateway =
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = My Computer

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}\DownloadInformation]
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813
INF = C:\WINDOWS\Downloaded Program Files\OGAControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation]
CODEBASE = http://download.macromedia.com/pub/shockwa...ector/swdir.cab
INF = C:\WINDOWS\Downloaded Program Files\erma.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
INF = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\DownloadInformation]
CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
INF = C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}\DownloadInformation]
CODEBASE = https://www.gamespyid.com/alaunch.cab

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{745395C8-D0E1-4227-8586-624CA9A10A8D}\DownloadInformation]
CODEBASE = http://217.197.149.13/activex/AMC.cab
INF = C:\WINDOWS\Downloaded Program Files\setup.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\DownloadInformation]
CODEBASE = http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
INF = C:\WINDOWS\Downloaded Program Files\cpbrkpie.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\DownloadInformation]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7659.4316203704
INF = C:\WINDOWS\Downloaded Program Files\iuctl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B1826A9F-4AA0-4510-BA77-9013E74E4B9B}\DownloadInformation]
CODEBASE = http://www.trendmicro.com/spyware-scan/as4web.cab
INF = C:\WINDOWS\Downloaded Program Files\SpyMD.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DE625294-70E6-45ED-B895-CFFA13AEB044}\DownloadInformation]
CODEBASE = http://www.carilloncams.com/activex/AMC.cab
INF = C:\WINDOWS\Downloaded Program Files\setup.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

»»»»»»»»»»»»»»»»»»»» Files / Folders Created Within 60 Days »»»»»»»»»»»»»

C:\.jagex_cache_32 [Folder | Created Date = 3/13/2007 5:58:18 PM | Attr = ]
C:\fsbl.exe F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Created Date = 4/10/2007 8:41:48 PM | Attr = ]
@Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)
C:\hiberfil.sys [Ver = | Size = 402182144 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
C:\Documents and Settings\All Users\Application Data\Insight Software Solutions [Folder | Created Date = 3/6/2007 8:44:02 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage [Folder | Created Date = 3/24/2007 10:21:42 PM | Attr = ]
C:\Documents and Settings\Dad\Application Data\Viewpoint [Folder | Created Date = 3/5/2007 7:36:43 PM | Attr = ]
C:\Documents and Settings\All Users\Documents\Insight Software [Folder | Created Date = 3/6/2007 8:43:31 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\AVG Anti-Spyware.lnk [Ver = | Size = 892 bytes | Created Date = 4/7/2007 2:36:46 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\Gmer [Folder | Created Date = 4/11/2007 6:09:35 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe [Ver = | Size = 251392 bytes | Created Date = 4/7/2007 2:23:27 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Dad\Desktop\New Folder [Folder | Created Date = 4/11/2007 6:09:34 PM | Attr = ]
C:\WINDOWS\$NtUninstallKB904942$ [Folder | Created Date = 3/24/2007 10:15:37 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB925902$ [Folder | Created Date = 4/7/2007 1:46:11 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929338$ [Folder | Created Date = 3/24/2007 2:04:31 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929399$ [Folder | Created Date = 3/24/2007 2:18:29 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930178$ [Folder | Created Date = 4/10/2007 8:35:19 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931261$ [Folder | Created Date = 4/10/2007 8:39:22 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931784$ [Folder | Created Date = 4/10/2007 8:43:02 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB932168$ [Folder | Created Date = 4/10/2007 8:29:25 PM | Attr = H ]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Created Date = 4/11/2007 6:11:38 PM | Attr = ]
C:\WINDOWS\gmer.exe [Ver = 1, 0, 12, 12086 | Size = 573440 bytes | Created Date = 4/11/2007 6:11:38 PM | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Created Date = 4/11/2007 6:11:51 PM | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Created Date = 4/11/2007 6:11:39 PM | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 49248 bytes | Created Date = 3/24/2007 1:57:59 PM | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 53346 bytes | Created Date = 3/24/2007 1:57:59 PM | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 5.0.110.3 | Size = 127078 bytes | Created Date = 3/24/2007 1:58:00 PM | Attr = ]
C:\WINDOWS\System32\libeay32_0.9.6l.dll [Ver = | Size = 796312 bytes | Created Date = 3/24/2007 2:36:21 PM | Attr = ]
C:\WINDOWS\System32\OGACheckControl.DLL [Ver = | Size = 676224 bytes | Created Date = 3/5/2007 12:34:28 PM | Attr = ]
C:\WINDOWS\System32\SRCLIENT.DL_ [Ver = | Size = 28849 bytes | Created Date = 4/7/2007 10:02:19 PM | Attr = ]
C:\WINDOWS\System32\vswmi.dll Zone Labs, LLC [Ver = 7.0.337.000 | Size = 46832 bytes | Created Date = 3/24/2007 2:36:04 PM | Attr = ]
C:\WINDOWS\System32\zlcomm.dll Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 3/24/2007 2:36:14 PM | Attr = ]
C:\WINDOWS\System32\zlcommdb.dll Zone Labs, LLC [Ver = 7.0.337.000 | Size = 71408 bytes | Created Date = 3/24/2007 2:36:15 PM | Attr = ]
C:\WINDOWS\System32\zpeng24.dll Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 3/24/2007 2:36:02 PM | Attr = ]
C:\WINDOWS\System32\drivers\AvgAsCln.sys GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 4/7/2007 2:36:44 PM | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Created Date = 4/11/2007 6:11:39 PM | Attr = ]
C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf [Ver = | Size = 0 bytes | Created Date = 3/2/2007 2:45:14 PM | Attr = H ]

»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\fsbl.exe F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Modified Date = 4/10/2007 9:41:52 PM | Attr = ]
@Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)
C:\hiberfil.sys [Ver = | Size = 402182144 bytes | Modified Date = 4/15/2007 11:14:34 AM | Attr = HS]
C:\Program Files [Folder | Modified Date = 4/7/2007 10:27:14 PM | Attr = R ]
C:\Temp [Folder | Modified Date = 4/15/2007 11:26:36 AM | Attr = ]
C:\VETlog.dmp [Ver = | Size = 54507 bytes | Modified Date = 4/7/2007 3:10:00 PM | Attr = ]
C:\WINDOWS [Folder | Modified Date = 4/11/2007 7:11:52 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\AOL [Folder | Modified Date = 3/27/2007 10:12:52 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Google [Folder | Modified Date = 3/27/2007 10:13:28 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage [Folder | Modified Date = 3/24/2007 11:21:44 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Viewpoint [Folder | Modified Date = 4/7/2007 9:52:54 PM | Attr = ]
C:\Documents and Settings\Dad\Local Settings\Application Data\IconCache.db [Ver = | Size = 5357652 bytes | Modified Date = 4/11/2007 7:49:32 PM | Attr = H ]
C:\Documents and Settings\All Users\Documents\AOL Downloads [Folder | Modified Date = 4/7/2007 2:56:00 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\AVG Anti-Spyware.lnk [Ver = | Size = 892 bytes | Modified Date = 4/7/2007 3:36:48 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\Gmer [Folder | Modified Date = 4/11/2007 7:47:34 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe [Ver = | Size = 251392 bytes | Modified Date = 4/7/2007 3:23:30 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Dad\Desktop\hollywood [Folder | Modified Date = 3/27/2007 10:33:50 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\New Folder [Folder | Modified Date = 4/11/2007 7:09:36 PM | Attr = ]
C:\Program Files\Common Files\AOL [Folder | Modified Date = 3/24/2007 3:05:10 PM | Attr = ]
C:\Program Files\Common Files\aolshare [Folder | Modified Date = 3/27/2007 10:12:52 PM | Attr = ]
C:\Program Files\Common Files\Microsoft Shared [Folder | Modified Date = 3/24/2007 9:41:40 PM | Attr = ]
C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 4/10/2007 9:13:52 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB904942$ [Folder | Modified Date = 3/24/2007 11:15:40 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB925902$ [Folder | Modified Date = 4/7/2007 2:46:16 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929338$ [Folder | Modified Date = 3/24/2007 3:04:36 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929399$ [Folder | Modified Date = 3/24/2007 3:18:32 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930178$ [Folder | Modified Date = 4/10/2007 9:35:22 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931261$ [Folder | Modified Date = 4/10/2007 9:39:26 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931784$ [Folder | Modified Date = 4/10/2007 9:43:08 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB932168$ [Folder | Modified Date = 4/10/2007 9:29:30 PM | Attr = H ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 4/15/2007 11:14:36 AM | Attr = S]
C:\WINDOWS\Cursors [Folder | Modified Date = 4/7/2007 10:47:58 PM | Attr = ]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 3/24/2007 11:21:36 PM | Attr = S]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Modified Date = 4/11/2007 7:11:40 PM | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Modified Date = 4/11/2007 7:47:02 PM | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Si

#10 random/random

  • Malware Response Team

Posted 15 April 2007 - 03:48 PM

The WinPFind log got cut off; please post the rest of it.

#11 td323i

  • Topic Starter
  • Members

Posted 15 April 2007 - 08:33 PM

Sorry, I thought it was all in there.

Reposting from last completed section


»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\fsbl.exe F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Modified Date = 4/10/2007 9:41:52 PM | Attr = ]
@Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)
C:\hiberfil.sys [Ver = | Size = 402182144 bytes | Modified Date = 4/15/2007 11:14:34 AM | Attr = HS]
C:\Program Files [Folder | Modified Date = 4/7/2007 10:27:14 PM | Attr = R ]
C:\Temp [Folder | Modified Date = 4/15/2007 11:26:36 AM | Attr = ]
C:\VETlog.dmp [Ver = | Size = 54507 bytes | Modified Date = 4/7/2007 3:10:00 PM | Attr = ]
C:\WINDOWS [Folder | Modified Date = 4/11/2007 7:11:52 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\AOL [Folder | Modified Date = 3/27/2007 10:12:52 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Google [Folder | Modified Date = 3/27/2007 10:13:28 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage [Folder | Modified Date = 3/24/2007 11:21:44 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\Viewpoint [Folder | Modified Date = 4/7/2007 9:52:54 PM | Attr = ]
C:\Documents and Settings\Dad\Local Settings\Application Data\IconCache.db [Ver = | Size = 5357652 bytes | Modified Date = 4/11/2007 7:49:32 PM | Attr = H ]
C:\Documents and Settings\All Users\Documents\AOL Downloads [Folder | Modified Date = 4/7/2007 2:56:00 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\AVG Anti-Spyware.lnk [Ver = | Size = 892 bytes | Modified Date = 4/7/2007 3:36:48 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\Gmer [Folder | Modified Date = 4/11/2007 7:47:34 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe [Ver = | Size = 251392 bytes | Modified Date = 4/7/2007 3:23:30 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Dad\Desktop\hollywood [Folder | Modified Date = 3/27/2007 10:33:50 PM | Attr = ]
C:\Documents and Settings\Dad\Desktop\New Folder [Folder | Modified Date = 4/11/2007 7:09:36 PM | Attr = ]
C:\Program Files\Common Files\AOL [Folder | Modified Date = 3/24/2007 3:05:10 PM | Attr = ]
C:\Program Files\Common Files\aolshare [Folder | Modified Date = 3/27/2007 10:12:52 PM | Attr = ]
C:\Program Files\Common Files\Microsoft Shared [Folder | Modified Date = 3/24/2007 9:41:40 PM | Attr = ]
C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 4/10/2007 9:13:52 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB904942$ [Folder | Modified Date = 3/24/2007 11:15:40 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB925902$ [Folder | Modified Date = 4/7/2007 2:46:16 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929338$ [Folder | Modified Date = 3/24/2007 3:04:36 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB929399$ [Folder | Modified Date = 3/24/2007 3:18:32 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB930178$ [Folder | Modified Date = 4/10/2007 9:35:22 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931261$ [Folder | Modified Date = 4/10/2007 9:39:26 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB931784$ [Folder | Modified Date = 4/10/2007 9:43:08 PM | Attr = H ]
C:\WINDOWS\$NtUninstallKB932168$ [Folder | Modified Date = 4/10/2007 9:29:30 PM | Attr = H ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 4/15/2007 11:14:36 AM | Attr = S]
C:\WINDOWS\Cursors [Folder | Modified Date = 4/7/2007 10:47:58 PM | Attr = ]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 3/24/2007 11:21:36 PM | Attr = S]
C:\WINDOWS\gmer.dll [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Modified Date = 4/11/2007 7:11:40 PM | Attr = ]
C:\WINDOWS\gmer.ini [Ver = | Size = 250 bytes | Modified Date = 4/11/2007 7:47:02 PM | Attr = ]
C:\WINDOWS\gmer_uninstall.cmd [Ver = | Size = 80 bytes | Modified Date = 4/11/2007 7:11:40 PM | Attr = ]
C:\WINDOWS\imsins.BAK [Ver = | Size = 1374 bytes | Modified Date = 4/10/2007 9:41:00 PM | Attr = ]
C:\WINDOWS\inf [Folder | Modified Date = 4/10/2007 9:45:18 PM | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 3/27/2007 10:29:36 PM | Attr = HS]
C:\WINDOWS\Internet Logs [Folder | Modified Date = 4/15/2007 11:28:12 AM | Attr = ]
C:\WINDOWS\msagent [Folder | Modified Date = 4/11/2007 7:01:20 PM | Attr = ]
C:\WINDOWS\Prefetch [Folder | Modified Date = 4/10/2007 9:13:46 PM | Attr = ]
C:\WINDOWS\security [Folder | Modified Date = 4/8/2007 8:13:52 AM | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 4/15/2007 11:19:32 AM | Attr = ]
@Alternate Data Stream - C:\WINDOWS\system32:{DA6227CB-326B-4B4D-9A81-04B81F1538DD} (12 bytes)
C:\WINDOWS\Temp [Folder | Modified Date = 4/15/2007 11:24:24 AM | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 788 bytes | Modified Date = 4/7/2007 3:47:22 PM | Attr = ]
C:\WINDOWS\System32\CatRoot [Folder | Modified Date = 3/24/2007 2:53:18 PM | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 4/10/2007 9:13:06 PM | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 4/11/2007 7:01:20 PM | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 4/11/2007 7:11:40 PM | Attr = ]
C:\WINDOWS\System32\FNTCACHE.DAT [Ver = | Size = 255864 bytes | Modified Date = 4/7/2007 3:07:40 PM | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 40836 bytes | Modified Date = 4/15/2007 11:19:32 AM | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 314508 bytes | Modified Date = 4/15/2007 11:19:32 AM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 360124 bytes | Modified Date = 4/15/2007 11:19:32 AM | Attr = ]
C:\WINDOWS\System32\Restore [Folder | Modified Date = 4/8/2007 8:13:08 AM | Attr = ]
C:\WINDOWS\System32\vsconfig.xml [Ver = | Size = 47197 bytes | Modified Date = 4/15/2007 11:16:22 AM | Attr = H ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2262 bytes | Modified Date = 4/15/2007 11:14:38 AM | Attr = ]
C:\WINDOWS\System32\zllictbl.dat [Ver = | Size = 4212 bytes | Modified Date = 4/10/2007 9:03:36 PM | Attr = H ]
C:\WINDOWS\System32\ZoneLabs [Folder | Modified Date = 4/15/2007 11:24:34 AM | Attr = ]
C:\WINDOWS\System32\drivers\gmer.sys GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Modified Date = 4/11/2007 7:11:40 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
@Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Dad\My Documents\Thumbs.db:encryptable (0 bytes)
@Alternate Data Stream - C:\Documents and Settings\Dad\Desktop\hijackthis_sfx.exe:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\WINDOWS\IFinst26.exe ()
@Alternate Data Stream - C:\WINDOWS\system32:{DA6227CB-326B-4B4D-9A81-04B81F1538DD} (12 bytes)
[UPX! , UPX0 , ]C:\WINDOWS\System32\aswBoot.exe ()
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[UPX0 , WSUD , ]C:\WINDOWS\System32\dllcache\hwxjpn.dll ()
[PTech , ]C:\WINDOWS\System32\drivers\mtlstrm.sys (Smart Link)

< End of report >

#12 random/random

  • Malware Response Team

Posted 16 April 2007 - 01:12 PM

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK
Then please upload this file:

C:\WINDOWS\IFinst26.exe

to either Jotti or VirusTotal.

Post back with the Jotti/VirusTotal results and a new HijackThis log.
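The reasoning behind this request, as an added example that is not part of the thread and not WinPFind, Jotti or VirusTotal code: a small Python script that parses the two line types in WinPFind's "File String Scan" section (the bracketed string-hit lines and the "@Alternate Data Stream" lines in the format posted above), ranks a UPX-packed executable carrying no company name as the first candidate to submit, and computes the MD5/SHA1 that a multi-engine scanner prints so the local file can be matched to the report. The sample lines are constructed copies of entries from the log above; the byte strings are constructed stand-ins for a PE header region, not real executables, and the `looks_upx_packed` check is only a string-scan style hint.

```python
"""Triage of WinPFind 'File String Scan' output plus the hashes a multi-engine
scanner reports.  Added example for this thread; not WinPFind, VirusTotal or
Jotti code.  Sample lines are constructed copies of entries in the log above."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Shapes of the two line types in the string-scan section of the posted log:
#   [UPX! , UPX0 , ]C:\WINDOWS\IFinst26.exe ()
#   @Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)
STRING_HIT = re.compile(r"^\[(?P<markers>[^\]]*)\](?P<path>.+?) \((?P<vendor>[^)]*)\)$")
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<path>.+?):(?P<stream>[^:]+) \((?P<size>\d+) bytes\)$")

# Section names the UPX packer leaves in a PE image; WinPFind lists them as string hits.
UPX_MARKERS = {"UPX!", "UPX0", "UPX1"}
# Streams Windows itself creates: the Internet-zone mark on downloads and the
# thumbnail-cache flag Explorer puts on Thumbs.db.
KNOWN_STREAMS = {"Zone.Identifier", "encryptable"}


@dataclass
class Finding:
    path: str
    priority: str  # "high", "review" or "info"
    reason: str


def _markers(raw: str) -> Set[str]:
    return {m.strip() for m in raw.split(",") if m.strip()}


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for lines that are not string-scan entries."""
    line = line.rstrip()
    m = STRING_HIT.match(line)
    if m:
        markers = _markers(m["markers"])
        vendor = m["vendor"].strip()
        if markers & UPX_MARKERS and not vendor:
            # Packed and carrying no company name: the combination that made
            # IFinst26.exe the file to submit for a multi-engine scan.
            return Finding(m["path"], "high", "UPX-packed, no company name in version info")
        if markers & UPX_MARKERS:
            return Finding(m["path"], "review", f"UPX-packed, vendor '{vendor}'")
        return Finding(m["path"], "info", f"string hit {sorted(markers)}, vendor '{vendor or 'none'}'")
    m = ADS_LINE.match(line)
    if m:
        if m["stream"] in KNOWN_STREAMS:
            return Finding(m["path"], "info", f"standard Windows stream '{m['stream']}'")
        return Finding(m["path"], "review", f"non-standard stream '{m['stream']}' ({m['size']} bytes)")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 as shown in a VirusTotal 'Additional Information' block, so a
    local file can be matched to the report before its verdict is relied on."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def looks_upx_packed(data: bytes) -> bool:
    """Byte-level check in the spirit of WinPFind's string scan: an MZ image whose
    header region contains UPX section names.  A packer hint, not a malware verdict."""
    return data[:2] == b"MZ" and any(tag in data[:4096] for tag in (b"UPX0", b"UPX1", b"UPX!"))


# Constructed copies of lines from the log above.
SAMPLE_LINES = [
    r"@Alternate Data Stream - C:\fsbl.exe:Zone.Identifier (26 bytes)",
    r"[UPX! , UPX0 , ]C:\WINDOWS\IFinst26.exe ()",
    r"@Alternate Data Stream - C:\WINDOWS\system32:{DA6227CB-326B-4B4D-9A81-04B81F1538DD} (12 bytes)",
    r"[UPX! , UPX0 , ]C:\WINDOWS\System32\aswBoot.exe ()",
    r"[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()",
    r"[PTech , ]C:\WINDOWS\System32\drivers\mtlstrm.sys (Smart Link)",
]

# Constructed stand-ins for a PE header region; not real executables.
SAMPLE_PACKED = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20 + b"UPX0" + b"\x00" * 36 + b"UPX1"
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20 + b".text" + b"\x00" * 35

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.priority:6} {f.path}  ({f.reason})")
    print(file_hashes(SAMPLE_PACKED), looks_upx_packed(SAMPLE_PACKED))
```

Run on the sample lines, the script ranks both IFinst26.exe and aswBoot.exe as "high": the rule cannot tell them apart, and it is the analyst who clears aswBoot.exe as Avast's boot-time scanner (a legitimately UPX-packed component of an installed product) and asks only about the unexplained binary in C:\WINDOWS. That is also why the string scan is treated as a triage hint and the next step is a multi-engine scan rather than a verdict from the log alone.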

#13 td323i

  • Topic Starter
  • Members

Posted 16 April 2007 - 08:57 PM

VirusTotal

VirusTotal is a free file analysis service that works using several antivirus engines.


STATUS: FINISHED

Complete scanning result of "IFinst26.exe", received in VirusTotal at 04.17.2007, 03:47:10 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
AntiVir 7.3.1.52 04.16.2007 no virus found
Authentium 4.93.8 04.16.2007 no virus found
Avast 4.7.981.0 04.16.2007 no virus found
AVG 7.5.0.447 04.16.2007 no virus found
BitDefender 7.2 04.17.2007 no virus found
CAT-QuickHeal 9.00 04.16.2007 no virus found
ClamAV devel-20070312 04.17.2007 no virus found
DrWeb 4.33 04.17.2007 no virus found
eSafe 7.0.15.0 04.16.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3572 04.16.2007 no virus found
Ewido 4.0 04.16.2007 no virus found
FileAdvisor 1 04.17.2007 no virus found
Fortinet 2.85.0.0 04.16.2007 suspicious
F-Prot 4.3.2.48 04.16.2007 no virus found
F-Secure 6.70.13030.0 04.17.2007 no virus found
Ikarus T3.1.1.5 04.16.2007 no virus found
Kaspersky 4.0.2.24 04.17.2007 no virus found
McAfee 5010 04.16.2007 no virus found
Microsoft 1.2405 04.17.2007 no virus found
NOD32v2 2196 04.17.2007 no virus found
Norman 5.80.02 04.14.2007 no virus found
Panda 9.0.0.4 04.17.2007 no virus found
Prevx1 V2 04.17.2007 no virus found
Sophos 4.16.0 04.16.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.17.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.16.2007 no virus found
VirusBuster 4.3.7:9 04.16.2007 no virus found
Webwasher-Gateway 6.0.1 04.17.2007 no virus found


Additional Information
File size: 65024 bytes
MD5: fdc9d4de50a845137580698494b19f13
SHA1: 0982241e310fd7d79ce544d1c78ee4c6ce704091
packers: UPX
packers: UPX
packers: UPX

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
www.virustotal.com :: ©Hispasec Sistemas 2004-07:: e-mail info@virustotal.com



Logfile of HijackThis v1.99.1
Scan saved at 9:54:43 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
c:\program files\common files\aol\1144624916\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1144624916\ee\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrnSys Executable] C:\Program Files\Hewlett-Packard\hp print screen utility\PrnSys.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144624916\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.197.149.13/activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.carilloncams.com/activex/AMC.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
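The HijackThis log above is what the responder has to triage by eye. As an added example that is not part of this thread and not HijackThis code, the Python below runs a first triage pass over a constructed sample of seven lines copied from that log. It flags the three things a reviewer checks first: entries that still point at a file which no longer exists ("(no file)" / "(file missing)"), ActiveX downloads (O16) fetched from a bare IP address instead of a hostname, and executables sitting directly in the Windows directory rather than under System32 or Program Files. The flag names and the heuristics are assumptions of this example, and a flag means "look at this", not "malicious": the avast! mail-scanner service shows up as missing most likely because its quoted path is followed by a /service argument, which the log line reproduces with a stray quote, and wanmpsvc.exe is listed in the log itself as AOL's WAN Miniport service.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: seven lines copied from the HijackThis v1.99.1 log posted
# in this thread, enough to exercise each heuristic below. Raw string, so the
# backslashes are literal.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O9 - Extra button: Schoolpop - {B46F2A6A-3216-461c-BEEA-FBE442469812} - file://C:\Program Files\SchoolpopShoppingBuddy\System\Temp\schoolpop_script0.htm (file missing) (HKCU)
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.197.149.13/activex/AMC.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# An executable directly under the Windows directory (no further subfolder).
WINROOT_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s]+\.exe", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; skip other lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": raw.strip()})
    return entries


def host_is_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return (flag, section, line) triples. A flag means 'review', not 'malicious'."""
    findings = []
    for e in parse_hjt(text):
        body = e["body"]
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("ORPHAN_REF", e["section"], e["raw"]))
        if any(host_is_ip(u) for u in URL_RE.findall(body)):
            findings.append(("RAW_IP_URL", e["section"], e["raw"]))
        if WINROOT_EXE_RE.search(body):
            findings.append(("WINDIR_ROOT_EXE", e["section"], e["raw"]))
    return findings


def summarize(findings):
    """Count findings per flag, e.g. {'ORPHAN_REF': 3, ...}."""
    counts = {}
    for flag, _, _ in findings:
        counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for flag, section, line in found:
        print(f"[{flag:15}] {section}: {line}")
    print(summarize(found))
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`. Orphaned entries are safe to let HijackThis fix regardless of origin; the raw-IP O16 download and anything in the Windows root deserve a look at the file itself (publisher, hash, upload to a multi-engine scanner) before deciding.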

#14 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:48 AM

Posted 17 April 2007 - 11:22 AM

When do the pop-ups occur, and can you post a screenshot of one?

#15 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 17 April 2007 - 09:09 PM

Most of them seem to have disappeared, but I still get an AOL error that says I must reinstall it, although it seems to work fine. I also get messages from ZoneAlarm that the AOL connectivity/dialer is logging keystrokes and mouse activity.

The file you had me scan had two AVs that picked up something, but I can't download either of those AVs to try to deal with the problem. Any suggestions?
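The poster reads "two AVs picked up something" off the VirusTotal text in post #13. As an added example that is not part of this thread and not VirusTotal's own tooling, the Python below parses that 2007-style plain-text report (an abridged copy of it is embedded as the sample input), lists which engines flagged the file and computes the detection ratio, and checks a local file's size, MD5 and SHA1 against the values in the report so you know the report describes the file you actually hold. The UPX marker check is a byte-string heuristic of this example, not VirusTotal's packer identification, and the bytes used in the demo are constructed, so they deliberately do not match the real IFinst26.exe hashes.

```python
import hashlib
import re

# Constructed sample: an abridged copy of the VirusTotal text report quoted in
# this thread (the 2007 plain-text layout). Only a few engine rows are kept.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.4.14.0 04.16.2007 no virus found
Avast 4.7.981.0 04.16.2007 no virus found
eSafe 7.0.15.0 04.16.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 04.16.2007 suspicious
Kaspersky 4.0.2.24 04.17.2007 no virus found
Webwasher-Gateway 6.0.1 04.17.2007 no virus found

Additional Information
File size: 65024 bytes
MD5: fdc9d4de50a845137580698494b19f13
SHA1: 0982241e310fd7d79ce544d1c78ee4c6ce704091
packers: UPX
"""

# One engine row: name, engine version, signature date (MM.DD.YYYY), verdict.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN_VERDICT = "no virus found"


def parse_report(text):
    """Return (engine_rows, metadata) parsed from the plain-text report."""
    engines, meta = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            engine, version, updated, verdict = m.groups()
            engines.append({"engine": engine, "version": version,
                            "updated": updated, "verdict": verdict.strip()})
        elif line.startswith("File size:"):
            meta["size"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith(("MD5:", "SHA1:")):
            key, value = line.split(":", 1)
            meta[key] = value.strip().lower()
        elif line.startswith("packers:"):
            meta.setdefault("packers", []).append(line.split(":", 1)[1].strip())
    return engines, meta


def flagged_engines(engines):
    """Engines whose verdict is anything other than the clean string."""
    return [e["engine"] for e in engines if e["verdict"].lower() != CLEAN_VERDICT]


def detection_ratio(engines):
    """(flagged, total), the number the thread calls 'two AVs picked up something'."""
    return len(flagged_engines(engines)), len(engines)


def file_hashes(data):
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest()}


def report_matches_file(meta, data):
    """True only when size, MD5 and SHA1 all agree with the report."""
    h = file_hashes(data)
    return (len(data) == meta.get("size")
            and h["MD5"] == meta.get("MD5")
            and h["SHA1"] == meta.get("SHA1"))


def upx_markers(data):
    """Heuristic of this example: UPX section names and the 'UPX!' tag appear
    as plain bytes in a UPX-packed PE. Their absence proves nothing."""
    return [tag for tag in (b"UPX0", b"UPX1", b"UPX!") if tag in data]


if __name__ == "__main__":
    rows, info = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged the file: {flagged_engines(rows)}")
    print("packers reported:", info.get("packers"))
    sample = b"MZ\x90\x00 ... UPX0 UPX1 UPX! ..."  # constructed, not the real file
    print("report describes this data:", report_matches_file(info, sample))
    print("UPX markers in data:", upx_markers(sample))
```

A 2-of-31 result where both verdicts are generic ("suspicious", "suspicious Trojan/Worm") and the file is UPX-packed is the usual signature of a packer heuristic firing, not of a confirmed detection; the hash check matters because uploading a different copy than the one on disk is the most common way to get a misleading report.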



