
Tmp0374.exe Error Message ?


42 replies to this topic

#1 Surprised (Members, 35 posts)

Posted 29 March 2007 - 08:19 AM

I've run SUPERAntiSpyware and it cleaned about 90 files out, but 2 keep showing up:

:PID[62250676]c:\windows\system32\GKNAGKN.dll AND
:c:\windows\system32\GKNAGKN.dll

When I ran HijackThis, I did see :c:\windows\system32\GKNAGKN.dll
in the list on the log but not the other one. Anyway, I'll stop trying to figure this out and ask for your assistance. My original problem began with a tmp0374 error message followed by no IE connection and often a fatal error message requiring me to shut down my computer.

Here is the HijackThis log following my SUPERAntiSpyware run:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:25 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ipalm Camera Driver 1.0\ipalmmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\NetZero\exec.exe
C:\DOCUME~1\RUSSEL~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/signup?r=quick-sta...vicetag=68YLW61
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {8EADD2E2-8BC4-4898-B196-973DBF4C0BC4} - c:\windows\system32\gknagkn.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: ipalm Monitor 1.0.lnk = C:\Program Files\ipalm Camera Driver 1.0\ipalmmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AE453B8-D0BC-461D-AE6F-5DC4EB7EC702}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B512CA-C925-41D1-8DC3-80E4A4C49F60}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: labwejhy - C:\WINDOWS\SYSTEM32\gknagkn.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: MBackMonitor - - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe (file missing)
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mctskshd.exe (file missing)
O23 - Service: McAfee User Manager (mcusrmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


What do I need to do next to get my computer running without this problem again? Thank you.



#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 29 March 2007 - 08:41 AM

Welcome to the BleepingComputer HijackThis forum Surprised :thumbsup:

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'OK', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

******************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply, along with a new HijackThis log please.

#3 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 14 April 2007 - 03:18 PM

Due to the lack of feedback this topic is now closed.
If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 April 2007 - 08:35 AM

*This topic has been reopened at the request of Surprised*

#5 Surprised (Topic Starter, Members, 35 posts)

Posted 16 April 2007 - 08:47 AM

Thank you. I ran Cleanup452 and this is the Fixwareout report. One problem I'm having is that the computer that has the problem won't access the internet, so I have to use another computer to respond here, run fixes on the affected computer and transfer reports via a memory stick to this computer to respond to these replies, sometimes resulting in a delay. Thanks, what's next?


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\SYSTEM32\dmbzf.exe 62048 08/04/2004


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"mmtask"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P26 \"EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
"MskAgentexe"="C:\\Program Files\\McAfee\\MSK\\MskAgent.exe"
"MBkLogOnHook"="C:\\Program Files\\McAfee\\MBK\\LogOnHook.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NetZero_uoltray"="C:\\Program Files\\NetZero\\exec.exe regrun"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 16 April 2007 - 09:14 AM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*************************

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AE453B8-D0BC-461D-AE6F-5DC4EB7EC702}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B512CA-C925-41D1-8DC3-80E4A4C49F60}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5

Exit HijackThis.

************************

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\SYSTEM32\dmbzf.exe
C:\WINDOWS\SYSTEM32\gknagkn.dll
Reboot normally.

************************

Go to Start > Control Panel, and choose 'Network Connections'.
Then right-click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using dial-up, then left-click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers automatically'.
Click OK twice, restart your computer.

************************

Click on Start/Run, type CMD then press OK.
At the Command Prompt copy and paste the following bold text below, then press Enter.
NETSH WINSOCK RESET
Then type EXIT, press Enter, then reboot your PC.

Post a new HijackThis log into your next reply, let me know what's happening now please.
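The checks RichieUK applies by eye in the post above (O17 NameServer values hard-coded into every control set, a DLL registered both as a BHO and as a Winlogon Notify package, McAfee services whose binaries are missing) and the five-letter filename heuristic from the Fixwareout report in post #5 can be run over a HijackThis log mechanically. The script below is an added example, not code from this thread, from HijackThis or from Fixwareout. The sample log is a constructed subset of the lines quoted above; the KNOWN_NOTIFY baseline is my own list of the Windows XP SP2 default Winlogon Notify subkeys plus the two legitimate entries in this log, and is an assumption, as is the empty default for expected DNS servers (the machine is meant to get DNS from DHCP, so any static NameServer is a finding).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.99.1 lines quoted in this
# thread (O2, O17, O20, O23), enough to exercise every check below.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EADD2E2-8BC4-4898-B196-973DBF4C0BC4} - c:\windows\system32\gknagkn.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: labwejhy - C:\WINDOWS\SYSTEM32\gknagkn.dll
O23 - Service: McAfee Log Manager (McLogManagerService) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
CONTROLSET_RE = re.compile(r"HKLM\\System\\(CCS|CS\d)\\", re.IGNORECASE)

# Assumed baseline: XP SP2 default Winlogon Notify subkeys, plus the Intel
# graphics (igfxcui) and SUPERAntiSpyware (!SASWinLogon) entries from this log.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon",
                "igfxcui", "!saswinlogon"}


def parse_entries(text):
    """Return (section, body) pairs for every 'Oxx - ...' / 'Rx - ...' line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def nameserver_findings(entries, expected=frozenset()):
    """O17 NameServer IPs not in `expected`, mapped to the control sets that
    carry them.  A value present in CCS and ControlSet001..003 alike survives
    a 'Last Known Good Configuration' boot, so every set must be cleaned."""
    hits = defaultdict(set)
    for sec, body in entries:
        if sec != "O17" or "NameServer" not in body:
            continue
        cs = CONTROLSET_RE.search(body)
        label = cs.group(1).upper() if cs else "?"
        for ip in IPV4_RE.findall(body.split("NameServer")[1]):
            if ip not in expected:
                hits[ip].add(label)
    return {ip: sorted(sets) for ip, sets in hits.items()}


def shared_modules(entries):
    """Modules loaded from more than one hook type (e.g. BHO + Winlogon
    Notify): one binary with several autostart paths is a persistence tell."""
    refs = defaultdict(set)
    for sec, body in entries:
        for path in PATH_RE.findall(body):
            refs[path.lower()].add(sec)
    return {p: sorted(s) for p, s in refs.items() if len(s) > 1}


def winlogon_notify_unknown(entries, known=KNOWN_NOTIFY):
    """O20 Winlogon Notify packages whose subkey name is not in the baseline."""
    found = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in known:
                found.append(name)
    return found


def unnamed_hooks(entries):
    """O2 BHOs and O3 toolbars registered without a display name."""
    return [b for s, b in entries if s in ("O2", "O3") and "(no name)" in b]


def missing_service_binaries(entries):
    """O23 services whose image is gone; a crippled AV stack is itself a finding."""
    out = []
    for sec, body in entries:
        if sec == "O23" and body.rstrip().endswith("(file missing)"):
            out.append(body.split(" - ")[0].partition("Service: ")[2])
    return out


def five_letter_suspects(filenames, prefixes=("cs", "dm", "kd", "jb")):
    """Fixwareout-style heuristic: a two-letter prefix plus three random letters
    and an .exe extension in System32, e.g. dmbzf.exe from post #5."""
    pat = re.compile(r"^(?:%s)[a-z]{3}\.exe$" % "|".join(prefixes), re.IGNORECASE)
    return [f for f in filenames if pat.match(f)]


def triage(text, expected_dns=frozenset(), known_notify=KNOWN_NOTIFY):
    """Run every log check once; an empty value means nothing was found."""
    e = parse_entries(text)
    return {"nameservers": nameserver_findings(e, expected_dns),
            "shared_modules": shared_modules(e),
            "unknown_notify": winlogon_notify_unknown(e, known_notify),
            "unnamed_hooks": unnamed_hooks(e),
            "missing_services": missing_service_binaries(e)}


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
    print("five_letter:", five_letter_suspects(["dmbzf.exe", "dmadmin.exe"]))
```

Run it against a full HijackThis log by passing the file contents to `triage()`; pass your ISP's resolvers as `expected_dns` if the machine legitimately uses static DNS, otherwise leave it empty so that every hard-coded NameServer is reported. The control-set list is the useful part of the O17 output: it tells you whether booting "Last Known Good Configuration" would help (it would not here, because CS1 and CS2 carry the same servers as CCS).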

#7 Surprised (Topic Starter, Members, 35 posts)

Posted 19 April 2007 - 09:48 PM

Thanks, sorry so slow to respond, been out of town. I'll be off tomorrow so I'll try this and post the log then.

#8 Surprised (Topic Starter, Members, 35 posts)

Posted 19 April 2007 - 10:46 PM

Opened hidden files, ran HijackThis, deleted dmbzf.exe but the computer won't delete the gknagkn.dll file, says I was denied access. There's also a gknagkn.bak below the dll file.

#9 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 20 April 2007 - 09:01 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\gknagkn.dll
C:\WINDOWS\SYSTEM32\gknagkn.bak

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

**********************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new HijackThis log please.

#10 Surprised (Topic Starter, Members, 35 posts)

Posted 20 April 2007 - 01:38 PM

The Avenger indicated an error (selected file does not appear to be a valid script); I clicked OK and the program returned an error "0".

This looks bad, doesn't it?

#11 Surprised (Topic Starter, Members, 35 posts)

Posted 20 April 2007 - 02:22 PM

Avenger could not delete the files.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lyvbgddu

*******************

Script file located at: \??\C:\Documents and Settings\oriieoel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\SYSTEM32\gknagkn.dll for deletion
Deletion of file C:\WINDOWS\SYSTEM32\gknagkn.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\gknagkn.dll
Status: 0xc0000022



File C:\WINDOWS\SYSTEM32\gknagkn.bak not found!
Deletion of file C:\WINDOWS\SYSTEM32\gknagkn.bak failed!

Could not process line:
C:\WINDOWS\SYSTEM32\gknagkn.bak
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 20 April 2007 - 04:53 PM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

*****************************

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder,then copy and paste the entire content of winpfind.txt into your next reply.

*NOTE*
It may take more than one reply to post your replies.

#13 Surprised (Topic Starter, Members, 35 posts)

Posted 20 April 2007 - 11:24 PM

Dr. Webcure file log:

*** Log started on Friday April 20, 2007 at 23:15:54
***
*** Operating System: Windows XP Service Pack 2 version 5.1.2600
***
*** Directory: ""
*** Log File: "\SMax.log"
*** C:\WINDOWS\System32\Drivers\SMWDM.Sys - 5.12.1.5243
*** C:\WINDOWS\System32\Drivers\SenFilt.Sys - 5.10.0.3614
*** C:\Program Files\Analog Devices\Core\smwdmif.dll - 5.02.00.12
*** C:\Program Files\Analog Devices\Core\smwdmif.dll - 5.2.0.12
*** C:\Program Files\Analog Devices\Core\smax4pnp.exe - 5.2.0.5
***
*** Log Level: 0.0000
***
[DLL01]
[DLL01] INST01 - C:\Program Files\Analog Devices\Core\smax4pnp.exe (V5.2.0.5)
[DLL01]
[DLL01] == InitInterface ========================================
[DLL01] mode: 3.2
[DLL01] platform sid: 808624D5-019D1028
[DLL01] capabilities: 00000815h
[DLL01] action flags: 00000000h
[DLL01] bitfield: 00000342h
[DLL01] conf: FFFF75F1h
[DLL01] share: FFFFFFFFh
[DLL01] ===========================================================
[DLL01]
[APP01]
[APP01] InitDLL: Jack Count: 3
[APP01] InitDLL: ================== JackInfo table ==================
[APP01] InitDLL: iIdx: 0 ucPID: 0 ucFC: 1 ucSHC: 15 bFront: 0
[APP01] InitDLL: iIdx: 1 ucPID: 2 ucFC: 5 ucSHC: 15 bFront: 0
[APP01] InitDLL: iIdx: 2 ucPID: 3 ucFC: 7 ucSHC: 15 bFront: 0
[APP01] InitDLL: ====================================================
[APP01]
[APP01] ================== PNP Initialization Complete ====================
[APP01]

#14 Surprised (Topic Starter, Members, 35 posts)

Posted 20 April 2007 - 11:46 PM

WinPFind log:
WinPFind logfile created on: 4/20/2007 11:26:10 PM
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\Russell Semon\Desktop\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

509.98 Mb Total Physical Memory | 215.97 Mb Available Physical Memory | 42.35% Memory free
1.22 Gb Paging File | 0.91 Gb Available in Paging File | 75.17% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.65 Gb Total Space | 18.90 Gb Free Space | 56.16% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free

Computer Name: D68YLW61
Current User Name: Russell Semon
Logged in as Administrator.
Current Boot Mode: Normal

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Documents and Settings\Russell Semon\Application Data\U3\0000060434091582\LaunchPad.exe ()
C:\Documents and Settings\Russell Semon\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (McAfee, Inc.)
c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
c:\program files\common files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
c:\Program Files\Common Files\McAfee\RedirSvc\RedirSvc.exe (McAfee, Inc.)
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
C:\Program Files\ipalm Camera Driver 1.0\ipalmmon.exe (Matsushita-Kotobuki Electronics Industries,LTD.)
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
C:\Program Files\McAfee\MBK\MBackMonitor.exe ( )
C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
C:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)
C:\Program Files\McAfee\MSK\mskagent.exe (McAfee Inc.)
C:\Program Files\McAfee\MSK\msksrver.exe (McAfee Inc.)
C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe (Musicmatch Inc.)
C:\Program Files\NetZero\exec.exe (NetZero)
C:\Program Files\NetZero\exec.exe (NetZero)
C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe (Sonic Solutions)
C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation)
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIADA.EXE (SEIKO EPSON CORPORATION)
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\SYSTEM32\DMADMIN.EXE (Microsoft Corp., Veritas Software)

(Emproxy) McAfee E-mail Proxy [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\McAfee\EmProxy\emproxy.exe (McAfee, Inc.)

(EPSONStatusAgent2) EPSON Printer Status Agent2 [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)

(MBackMonitor) MBackMonitor [Win32_Own | Auto | Running]
= C:\Program Files\McAfee\MBK\MBackMonitor.exe ( )

(McAfee HackerWatch Service) McAfee HackerWatch Service [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe (McAfee, Inc.)

(McLogManagerService) McAfee Log Manager [Win32_Own | Auto | Stopped]
= C:\PROGRA~1\McAfee\MSC\mclogsrv.exe (File not found)

(mcmispupdmgr) McAfee Update Manager [Win32_Own | Auto | Running]
= C:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.)

(mcmscsvc) McAfee Services [Win32_Own | Auto | Stopped]
= C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (File not found)

(McNASvc) McAfee Network Agent [Win32_Own | Auto | Running]
= c:\program files\common files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

(McODS) McAfee Scanner [Win32_Own | Auto | Running]
= C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

(mcpromgr) McAfee Protection Manager [Win32_Own | Auto | Stopped]
= C:\Program Files\McAfee\MSC\mcpromgr.exe (McAfee, Inc.)

(McProxy) McAfee Proxy Service [Win32_Own | Auto | Running]
= c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

(McRedirector) McAfee Redirector Service [Win32_Own | Auto | Running]
= c:\Program Files\Common Files\McAfee\RedirSvc\RedirSvc.exe (McAfee, Inc.)

(McShield) McAfee Real-time Scanner [Win32_Own | Unknown | Running]
= (File not found)

(McSysmon) McAfee SystemGuards [Win32_Own | On_Demand | Stopped]
= C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

(McTskshd.exe) McAfee Task Scheduler [Win32_Own | Auto | Stopped]
= C:\PROGRA~1\McAfee\MSC\mctskshd.exe (File not found)

(mcusrmgr) McAfee User Manager [Win32_Own | Auto | Stopped]
= C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe (File not found)

(MpfService) McAfee Personal Firewall Service [Win32_Own | Auto | Running]
= C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

(MPS9) McAfee Privacy Service [Win32_Own | Auto | Stopped]
= C:\PROGRA~1\McAfee\MPS\mps.exe (File not found)

(MSK80Service) McAfee SpamKiller Service [Win32_Own | Auto | Running]
= C:\Program Files\McAfee\MSK\msksrver.exe (McAfee Inc.)

(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (Intel® Corporation)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
dla = C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe (Sonic Solutions)
DVDLauncher = C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
EPSON Stylus CX4800 Series = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIADA.EXE (SEIKO EPSON CORPORATION)
HotKeysCmds = C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation)
IgfxTray = C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation)
Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe (BillP Studios)
IntelMeM = C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
MBkLogOnHook = C:\Program Files\McAfee\MBK\LogOnHook.exe ( )
mmtask = C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe (Musicmatch Inc.)
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
MskAgentexe = C:\Program Files\McAfee\MSK\mskagent.exe (McAfee Inc.)
PCMService = C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
RealTray = C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
UpdateManager = C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DellSupport = C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
NetZero_uoltray = C:\Program Files\NetZero\exec.exe (NetZero)
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
= C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE (SEIKO EPSON CORPORATION)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipalm Monitor 1.0.lnk
= C:\Program Files\ipalm Camera Driver 1.0\ipalmmon.exe (Matsushita-Kotobuki Electronics Industries,LTD.)

< User Startup Folder = C:\Documents and Settings\Russell Semon\Start Menu\Programs\Startup >
C:\Documents and Settings\Russell Semon\Start Menu\Programs\Startup\DESKTOP.INI ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 0
win.ini = 0
bootini = 2
services = 0
startup = 0

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = ( HKLM = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) )


>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
DllName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
DllName = C:\WINDOWS\SYSTEM32\igfxsrvc.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\labwejhy]
DllName = C:\WINDOWS\SYSTEM32\gknagkn.dll ()

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 23 bytes | Modified Date: 4/19/2007 11:10:20 PM)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Local Page = C:\windows\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Local Page = C:\windows\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{4D25F926-B9FE-4682-BF72-8AB8210D6D75} = Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-empire.com\www]
https

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myspace.com\www]
https

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\state.la.us\gw6.dhh]
https

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
- Yahoo! Toolbar Helper ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- AcroIEHlprObj Class ( HKLM = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52706EF7-D7A2-49AD-A615-E903858CF284}]
- X1IEHook Class ( HKLM = C:\Program Files\NetZero\qsacc\X1IEBHO.dll (United Online, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
- DriveLetterAccess ( HKLM = C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
- scriptproxy ( HKLM = c:\program files\McAfee\virusscan\scriptcl.dll (McAfee, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8EADD2E2-8BC4-4898-B196-973DBF4C0BC4}]
- ( HKLM = c:\WINDOWS\SYSTEM32\gknagkn.dll () )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKCU Internet Explorer Bars <<<<<

>>>>> HKLM Internet Explorer ToolBars <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )
{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - ZeroBar ( HKLM = C:\Program Files\NetZero\Toolbar.dll () )

>>>>> HKCU Internet Explorer ToolBars <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )
{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - ZeroBar ( HKLM = C:\Program Files\NetZero\Toolbar.dll () )
{F5735C15-1FB2-41FE-BA12-242757E69DDE} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8195

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Data - Value does not exist ( HKLM Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
ButtonText = Real.com

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Display All Images with Full Quality]
@ = 28 (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Display Image with Full Quality]
@ = 27 (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@ = 000 (File not found)

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.mpg]
Location = C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll (Apple Computer, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.wav]
Location = C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll (Apple Computer, Inc.)

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{5CA3D70E-1895-11CF-8E15-001234567890} = DriveLetterAccess ( HKLM = C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\SYSTEM32\HTICONS.DLL (Hilgraeve, Inc.) )
{DEE12703-6333-4D4E-8F34-738C4DCC2E04} = RecordNow! SendToExt ( HKLM = C:\Program Files\Sonic\RecordNow!\shlext.dll () )

>>>>> HKCU Approved Shell Extensions <<<<<

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}]
- SASContextMenu Class ( HKLM = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\MCVSRIGHTCLICKSCANNER]
@ = {162EFDC5-2957-465D-887B-590AF4A7E84D} ( HKLM = c:\Program Files\McAfee\VirusScan\mcodsax.dll (McAfee, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\FAExt]
@ = {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} ( HKLM = C:\Program Files\FileASSASSIN\FileASSASSINExt.dll (Malwarebytes) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shell\Browse with Paint Shop Pro Studio\command]
@ = "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio.exe (Jasc Software, Inc.))

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\{CA8ACAFA-5FBB-467B-B348-90DD488DE003}]
- SASContextMenu Class ( HKLM = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL (SUPERAntiSpyware.com) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\igfxcui]
@ = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} ( HKLM = C:\WINDOWS\SYSTEM32\igfxpph.dll (Intel Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\MCVSRIGHTCLICKSCANNER]
@ = {162EFDC5-2957-465D-887B-590AF4A7E84D} ( HKLM = c:\Program Files\McAfee\VirusScan\mcodsax.dll (McAfee, Inc.) )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\SYSTEM32\CMD.EXE (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\PROGRA~1\COMMON~1\SONICS~1\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" (Mozilla Corporation)

https [open] -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" (Mozilla Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [Browse with Paint Shop Pro Studio] -> "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.)
Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DA2FC3B-85ED-49A0-9133-12BB48A8C820}]
DefaultGateway =
DhcpNameServer = 85.255.113.90,85.255.112.5
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6AE453B8-D0BC-461D-AE6F-5DC4EB7EC702}] ( Intel® PRO/100 VE Network Connection )
DefaultGateway =
DhcpServer = 255.255.255.255
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9B512CA-C925-41D1-8DC3-80E4A4C49F60}] ( 1394 Net Adapter )
DefaultGateway =
DhcpNameServer = 85.255.113.90,85.255.112.5
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = My Computer

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\DownloadInformation]
CODEBASE = http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
INF = C:\WINDOWS\Downloaded Program Files\mcinsctl.inf

»»»»»»»»»»»»»»»»»»»» Files / Folders Created Within 30 Days »»»»»»»»»»»»»

C:\7-8.xls [Ver = | Size = 20992 bytes | Created Date = 3/25/2007 3:48:25 PM | Attr = ]
@Alternate Data Stream - C:\7-8.xls:Zone.Identifier (26 bytes)
C:\avenger [Folder | Created Date = 4/20/2007 1:16:22 PM | Attr = ]
C:\Combined.xls [Ver = | Size = 18432 bytes | Created Date = 3/25/2007 5:13:48 PM | Attr = ]
C:\ComboFix.exe [Ver = | Size = 974888 bytes | Created Date = 4/20/2007 12:30:30 PM | Attr = ]
C:\Draft Plan 3-08-07.doc [Ver = | Size = 176128 bytes | Created Date = 3/23/2007 11:35:44 PM | Attr = ]
@Alternate Data Stream - C:\Draft Plan 3-08-07.doc:Zone.Identifier (26 bytes)
C:\DrWeb.csv [Ver = | Size = 1176 bytes | Created Date = 4/20/2007 10:14:20 PM | Attr = ]
C:\fixwareout [Folder | Created Date = 4/15/2007 3:23:06 PM | Attr = ]
C:\hiberfil.sys [Ver = | Size = 534827008 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
C:\Hijackthis [Folder | Created Date = 3/28/2007 4:07:21 PM | Attr = ]
C:\SDFix [Folder | Created Date = 3/27/2007 8:19:03 PM | Attr = ]
C:\SDFix.doc [Ver = | Size = 36352 bytes | Created Date = 3/27/2007 8:34:02 PM | Attr = ]
C:\SDFix.exe [Ver = | Size = 700372 bytes | Created Date = 3/27/2007 8:18:28 PM | Attr = ]
C:\SDFixa.doc [Ver = | Size = 34816 bytes | Created Date = 3/27/2007 9:19:14 PM | Attr = ]
C:\t-ball.xls [Ver = | Size = 19968 bytes | Created Date = 3/25/2007 3:48:36 PM | Attr = ]
@Alternate Data Stream - C:\t-ball.xls:Zone.Identifier (26 bytes)
C:\WHAT ARE MY STRENGTHS answer sheet.doc [Ver = | Size = 69632 bytes | Created Date = 3/23/2007 11:31:42 PM | Attr = ]
@Alternate Data Stream - C:\WHAT ARE MY STRENGTHS answer sheet.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [Folder | Created Date = 3/27/2007 4:02:03 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Application Data\SUPERAntiSpyware.com [Folder | Created Date = 3/27/2007 4:01:54 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk [Ver = | Size = 730 bytes | Created Date = 4/19/2007 10:26:18 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\drweb-cureit.exe [Ver = | Size = 6247712 bytes | Created Date = 4/20/2007 9:20:24 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\Shortcut to avenger.zip.lnk [Ver = | Size = 262 bytes | Created Date = 4/20/2007 12:29:47 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\SUPERAntiSpyware Free Edition.lnk [Ver = | Size = 780 bytes | Created Date = 3/27/2007 4:01:56 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\WinPFind [Folder | Created Date = 4/20/2007 10:25:40 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Created Date = 4/20/2007 10:25:10 PM | Attr = ]
C:\Program Files\Common Files\Wise Installation Wizard [Folder | Created Date = 3/27/2007 4:01:14 PM | Attr = ]
C:\WINDOWS\FMSY4AGMSY4AGMSY [Folder | Created Date = 3/25/2007 11:06:15 PM | Attr = ]
C:\WINDOWS\ORUN32.EXE [Ver = | Size = 0 bytes | Created Date = 3/27/2007 4:07:44 PM | Attr = ]
C:\WINDOWS\_detmp.1 [Ver = | Size = 8683 bytes | Created Date = 3/25/2007 9:33:23 PM | Attr = ]
C:\WINDOWS\System32\CMMGR32.EXE [Ver = | Size = 0 bytes | Created Date = 3/28/2007 4:27:43 PM | Attr = ]
C:\WINDOWS\System32\dumphive.exe [Ver = | Size = 51200 bytes | Created Date = 4/19/2007 9:50:21 PM | Attr = ]
C:\WINDOWS\System32\SrchSTS.exe S!Ri [Ver = | Size = 288417 bytes | Created Date = 4/19/2007 9:50:21 PM | Attr = ]
C:\WINDOWS\System32\swreg.exe SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 4/19/2007 9:50:21 PM | Attr = ]
C:\WINDOWS\System32\swsc.exe [Ver = | Size = 40960 bytes | Created Date = 4/19/2007 9:50:21 PM | Attr = ]
C:\WINDOWS\System32\swxcacls.exe SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 4/19/2007 9:50:21 PM | Attr = ]
C:\WINDOWS\System32\tmp.reg [Ver = | Size = 3690 bytes | Created Date = 4/19/2007 9:50:59 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\7-8.xls [Ver = | Size = 20992 bytes | Modified Date = 3/25/2007 4:59:30 PM | Attr = ]
@Alternate Data Stream - C:\7-8.xls:Zone.Identifier (26 bytes)
C:\avenger [Folder | Modified Date = 4/20/2007 2:16:24 PM | Attr = ]
C:\Combined.xls [Ver = | Size = 18432 bytes | Modified Date = 3/25/2007 7:49:58 PM | Attr = ]
C:\ComboFix.exe [Ver = | Size = 974888 bytes | Modified Date = 4/20/2007 1:26:36 PM | Attr = ]
C:\Documents and Settings [Folder | Modified Date = 4/20/2007 2:15:38 PM | Attr = ]
C:\Draft Plan 3-08-07.doc [Ver = | Size = 176128 bytes | Modified Date = 3/24/2007 12:35:52 AM | Attr = ]
@Alternate Data Stream - C:\Draft Plan 3-08-07.doc:Zone.Identifier (26 bytes)
C:\DrWeb.csv [Ver = | Size = 1176 bytes | Modified Date = 4/20/2007 11:14:22 PM | Attr = ]
C:\fixwareout [Folder | Modified Date = 4/19/2007 11:10:28 PM | Attr = ]
C:\hiberfil.sys [Ver = | Size = 534827008 bytes | Modified Date = 4/20/2007 11:15:42 PM | Attr = HS]
C:\Hijackthis [Folder | Modified Date = 3/28/2007 5:20:24 PM | Attr = ]
C:\KA [Folder | Modified Date = 3/25/2007 11:45:18 PM | Attr = ]
C:\Program Files [Folder | Modified Date = 4/20/2007 1:34:14 PM | Attr = R ]
C:\SDFix [Folder | Modified Date = 4/19/2007 10:36:40 PM | Attr = ]
C:\SDFix.doc [Ver = | Size = 36352 bytes | Modified Date = 3/27/2007 9:34:04 PM | Attr = ]
C:\SDFix.exe [Ver = | Size = 700372 bytes | Modified Date = 3/27/2007 10:23:18 AM | Attr = ]
C:\SDFixa.doc [Ver = | Size = 34816 bytes | Modified Date = 3/27/2007 10:19:16 PM | Attr = ]
C:\System Volume Information [Folder | Modified Date = 3/26/2007 5:11:36 PM | Attr = HS]
C:\t-ball.xls [Ver = | Size = 19968 bytes | Modified Date = 3/25/2007 5:08:36 PM | Attr = ]
@Alternate Data Stream - C:\t-ball.xls:Zone.Identifier (26 bytes)
C:\WHAT ARE MY STRENGTHS answer sheet.doc [Ver = | Size = 69632 bytes | Modified Date = 3/24/2007 12:58:48 AM | Attr = ]
@Alternate Data Stream - C:\WHAT ARE MY STRENGTHS answer sheet.doc:Zone.Identifier (26 bytes)
C:\WINDOWS [Folder | Modified Date = 4/20/2007 11:15:58 PM | Attr = ]
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [Folder | Modified Date = 3/27/2007 5:02:04 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Application Data\Microsoft [Folder | Modified Date = 3/27/2007 5:02:00 PM | Attr = S]
C:\Documents and Settings\Russell Semon\Application Data\SUPERAntiSpyware.com [Folder | Modified Date = 3/27/2007 5:01:56 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Application Data\U3 [Folder | Modified Date = 4/20/2007 1:28:02 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Local Settings\Application Data\8EADD2E2-8BC4-4898-B196-973DBF4C0BC4.ini [Ver = | Size = 1938 bytes | Modified Date = 4/20/2007 10:23:04 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Local Settings\Application Data\ApplicationHistory [Folder | Modified Date = 4/20/2007 11:16:16 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk [Ver = | Size = 730 bytes | Modified Date = 4/19/2007 11:26:20 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\NetZero Internet.lnk [Ver = | Size = 1509 bytes | Modified Date = 4/7/2007 9:52:46 AM | Attr = ]
C:\Documents and Settings\All Users\Desktop\NetZero Quick Help.lnk [Ver = | Size = 1590 bytes | Modified Date = 4/7/2007 9:52:46 AM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\drweb-cureit.exe [Ver = | Size = 6247712 bytes | Modified Date = 4/20/2007 9:52:10 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\Microsoft Word (2).lnk [Ver = | Size = 2483 bytes | Modified Date = 3/27/2007 10:17:30 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\Shortcut to avenger.zip.lnk [Ver = | Size = 262 bytes | Modified Date = 4/20/2007 1:29:48 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\SUPERAntiSpyware Free Edition.lnk [Ver = | Size = 780 bytes | Modified Date = 3/27/2007 5:01:58 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\WinPFind [Folder | Modified Date = 4/20/2007 11:25:42 PM | Attr = ]
C:\Documents and Settings\Russell Semon\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Modified Date = 4/20/2007 11:23:24 PM | Attr = ]
C:\Program Files\Common Files\Wise Installation Wizard [Folder | Modified Date = 3/27/2007 5:01:16 PM | Attr = ]
C:\WINDOWS\BOOTSTAT.DAT [Ver = | Size = 2048 bytes | Modified Date = 4/20/2007 11:15:42 PM | Attr = S]
C:\WINDOWS\FMSY4AGMSY4AGMSY [Folder | Modified Date = 3/26/2007 12:06:16 AM | Attr = ]
C:\WINDOWS\INF [Folder | Modified Date = 3/27/2007 5:00:32 PM | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 3/27/2007 5:02:00 PM | Attr = HS]
C:\WINDOWS\Minidump [Folder | Modified Date = 3/25/2007 10:23:12 PM | Attr = ]
C:\WINDOWS\ORUN32.EXE [Ver = | Size = 0 bytes | Modified Date = 3/27/2007 5:07:46 PM | Attr = ]
C:\WINDOWS\Prefetch [Folder | Modified Date = 4/20/2007 11:25:30 PM | Attr = ]
C:\WINDOWS\Registration [Folder | Modified Date = 3/25/2007 11:09:04 PM | Attr = ]
C:\WINDOWS\SYSTEM32 [Folder | Modified Date = 4/20/2007 11:13:20 PM | Attr = ]
C:\WINDOWS\Tasks [Folder | Modified Date = 4/20/2007 10:21:36 AM | Attr = S]
C:\WINDOWS\Temp [Folder | Modified Date = 4/20/2007 11:23:28 PM | Attr = ]
C:\WINDOWS\System32\byrmljzm.dll [Ver = | Size = 125440 bytes | Modified Date = 4/7/2007 10:07:34 AM | Attr = ]
C:\WINDOWS\System32\byrmljzm.dll.bak [Ver = | Size = 117248 bytes | Modified Date = 3/25/2007 4:49:22 PM | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 4/19/2007 10:42:44 PM | Attr = ]
C:\WINDOWS\System32\CMMGR32.EXE [Ver = | Size = 0 bytes | Modified Date = 3/28/2007 5:27:44 PM | Attr = ]
C:\WINDOWS\System32\CONFIG [Folder | Modified Date = 3/25/2007 11:09:14 PM | Attr = ]
C:\WINDOWS\System32\Config.MPF [Ver = | Size = 26946 bytes | Modified Date = 4/20/2007 9:57:02 PM | Attr = ]
C:\WINDOWS\System32\dla [Folder | Modified Date = 3/25/2007 11:00:38 PM | Attr = ]
C:\WINDOWS\System32\DRIVERS [Folder | Modified Date = 4/20/2007 2:16:28 PM | Attr = ]
C:\WINDOWS\System32\FNTCACHE.DAT [Ver = | Size = 220840 bytes | Modified Date = 4/19/2007 11:21:54 PM | Attr = ]
C:\WINDOWS\System32\gknagkn.dll [Ver = | Size = 79872 bytes | Modified Date = 4/7/2007 10:07:00 AM | Attr = ]
C:\WINDOWS\System32\gknagkn.dll.bak [Ver = | Size = 78848 bytes | Modified Date = 3/27/2007 5:48:52 PM | Attr = ]
C:\WINDOWS\System32\PERFC009.DAT [Ver = | Size = 53436 bytes | Modified Date = 4/7/2007 9:53:08 AM | Attr = ]
C:\WINDOWS\System32\PERFH009.DAT [Ver = | Size = 381692 bytes | Modified Date = 4/7/2007 9:53:08 AM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 441808 bytes | Modified Date = 4/7/2007 9:53:08 AM | Attr = ]
C:\WINDOWS\System32\Restore [Folder | Modified Date = 3/26/2007 5:11:36 PM | Attr = ]
C:\WINDOWS\System32\tmp.reg [Ver = | Size = 3690 bytes | Modified Date = 4/19/2007 11:03:16 PM | Attr = ]
C:\WINDOWS\System32\vpldvqmd(3).dll [Ver = | Size = 43008 bytes | Modified Date = 3/23/2007 5:31:46 PM | Attr = ]
C:\WINDOWS\System32\vpldvqmd.dll [Ver = | Size = 43008 bytes | Modified Date = 4/7/2007 10:07:46 AM | Attr = ]
C:\WINDOWS\System32\vpldvqmd.dll.bak [Ver = | Size = 43008 bytes | Modified Date = 3/25/2007 4:49:34 PM | Attr = ]
C:\WINDOWS\System32\WBEM [Folder | Modified Date = 3/25/2007 11:09:04 PM | Attr = ]
C:\WINDOWS\System32\WPA.DBL [Ver = | Size = 2206 bytes | Modified Date = 4/19/2007 9:48:20 PM | Attr = ]
C:\WINDOWS\System32\drivers\ETC [Folder | Modified Date = 3/27/2007 10:08:52 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
@Alternate Data Stream - C:\1.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\2.id=:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\7-8.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\ABS May 2006.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\AdultUMGuidelines.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\AMPAR Formtina2005-2006 Area C.doc:Zone.Identifier (26 bytes)
File scan skipped for file C:\AR.dbf. File size too big (157357729 bytes)
File scan skipped for file C:\ARList.dbf. File size too big (152901349 bytes)
@Alternate Data Stream - C:\AVOYELLESLAYOFFAVOIDANCETEMP6.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\BehavioralHealthServicesGuide.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\bmsetup.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\CCOE overview.ppt:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\ComboFix.exe ()
@Alternate Data Stream - C:\COMMUNITY MENTAL HEALTHUM.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Draft Plan 3-08-07.doc:Zone.Identifier (26 bytes)
[WSUD , ]C:\DSC_0417.jpg ()
@Alternate Data Stream - C:\Firefox Setup 1.5.0.6.exe:Zone.Identifier (26 bytes)
[Thawte Consulting , UPX! , UPX0 , ]C:\Firefox Setup 1.5.0.6.exe (Mozilla)
@Alternate Data Stream - C:\Florida EBP Presentation Lon Herman.ppt:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\LAYOFFAVOIDANCETEMPLATE8.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\LSU Crisis Triage budrev1 2-07.rtf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\MIS8_113_en-US_1.exe:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Practice Implementation.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\RDM_UM_Program_Manual_12012006.pdf:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Review of Adult Goals, Indicators & Action plans8[1].21.06.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\SmileboxInstaller.exe:Zone.Identifier (26 bytes)
[Thawte Consulting , ]C:\SmileboxInstaller.exe ()
@Alternate Data Stream - C:\Strengthsa.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\t-ball.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Thumbs.db:encryptable (0 bytes)
@Alternate Data Stream - C:\towing-weight-demonstrator.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\WHAT ARE MY STRENGTHS answer sheet.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Russell Semon\Desktop\Shortcut to AR Books - Look Up in AR Books.MAR:SummaryInformation (88 bytes)
@Alternate Data Stream - C:\Documents and Settings\Russell Semon\Desktop\Shortcut to AR Books - Look Up in AR Books.MAR:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
@Alternate Data Stream - C:\WINDOWS\Thumbs.db:encryptable (0 bytes)
[PEC2 , ]C:\WINDOWS\System32\DFRG.MSC ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\SrchSTS.exe (S!Ri)
[UPX! , UPX0 , ]C:\WINDOWS\System32\swreg.exe (SteelWerX)
[UPX! , UPX0 , ]C:\WINDOWS\System32\swsc.exe ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\swxcacls.exe (SteelWerX)
[winsync , ]C:\WINDOWS\System32\WBDBASE.DEU ()
[Thawte Consulting , ]C:\WINDOWS\System32\XceedFtp.dll (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com)

< End of report >

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:18 PM

Posted 21 April 2007 - 03:13 AM

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Registry keys to delete:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8EADD2E2-8BC4-4898-B196-973DBF4C0BC4}]

Files to delete:
C:\Documents and Settings\Russell Semon\Local Settings\Application Data\8EADD2E2-8BC4-4898-B196-973DBF4C0BC4.ini
C:\WINDOWS\System32\gknagkn.dll
C:\WINDOWS\System32\gknagkn.dll.bak

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.
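As an added example (not the helper's, WinPFind's or Avenger's own code), a small Python parser for the WinPFind entry format shown in the log above, applying the three checks the reply's script rests on: a zero-byte executable under C:\WINDOWS, a System32 DLL with a .dll.bak twin, and a data file named after the BHO CLSID being removed. The sample lines are constructed from entries in this thread, and the flagging rules are my assumptions, not WinPFind's.

```python
import re

# Constructed sample in WinPFind's entry format; these lines mirror entries that
# appear in the log above (not the whole log).
SAMPLE_LOG = """\
C:\\WINDOWS\\ORUN32.EXE [Ver = | Size = 0 bytes | Modified Date = 3/27/2007 5:07:46 PM | Attr = ]
C:\\WINDOWS\\System32\\gknagkn.dll [Ver = | Size = 79872 bytes | Modified Date = 4/7/2007 10:07:00 AM | Attr = ]
C:\\WINDOWS\\System32\\gknagkn.dll.bak [Ver = | Size = 78848 bytes | Modified Date = 3/27/2007 5:48:52 PM | Attr = ]
C:\\WINDOWS\\System32\\FNTCACHE.DAT [Ver = | Size = 220840 bytes | Modified Date = 4/19/2007 11:21:54 PM | Attr = ]
C:\\WINDOWS\\System32\\DRIVERS [Folder | Modified Date = 4/20/2007 2:16:28 PM | Attr = ]
C:\\Documents and Settings\\Russell Semon\\Local Settings\\Application Data\\8EADD2E2-8BC4-4898-B196-973DBF4C0BC4.ini [Ver = | Size = 1938 bytes | Modified Date = 4/20/2007 10:23:04 PM | Attr = ]
"""

# File lines: "<path> [Ver = <v> | Size = <n> bytes | Modified Date = <d> | Attr = <a>]"
FILE_RE = re.compile(r"^(?P<path>.+?) \[Ver = [^|]*\| Size = (?P<size>\d+) bytes \| "
                     r"Modified Date = [^|]+\| Attr = [^\]]*\]$")
FOLDER_RE = re.compile(r"^(?P<path>.+?) \[Folder \| Modified Date = [^|]+\| Attr = [^\]]*\]$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_winpfind(text):
    """One dict per recognised line; folders carry size None."""
    entries = []
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            entries.append({"path": m["path"], "size": int(m["size"]), "folder": False})
        elif m := FOLDER_RE.match(line):
            entries.append({"path": m["path"], "size": None, "folder": True})
    return entries


def flag_entries(entries, bho_clsids):
    """Map each suspicious path to a reason (assumed rules, not WinPFind's own).
    bho_clsids: BHO CLSIDs from the registry/HijackThis output, braces optional."""
    paths = {e["path"].lower() for e in entries}
    wanted = {c.strip("{}").lower() for c in bho_clsids}
    flags = {}
    for e in entries:
        if e["folder"]:
            continue
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if low.startswith("c:\\windows\\") and name.endswith(".exe") and e["size"] == 0:
            flags[e["path"]] = "zero-byte executable under C:\\WINDOWS"
        elif "\\system32\\" in low and name.endswith(".dll") and low + ".bak" in paths:
            flags[e["path"]] = "System32 DLL with a .dll.bak twin"
        elif name.endswith(".ini") and GUID_RE.match(stem) and stem in wanted:
            flags[e["path"]] = "data file named after a known BHO CLSID"
    return flags
```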