
Virus In System32 Folder


This topic is locked
15 replies to this topic

#1 thelocaluk
  • Members
  • 11 posts

Posted 11 July 2007 - 05:57 AM

Hi all, I have a computer that has got a virus that avast, kaspersky and symantec are unable to detect. It appears to be triggered at certain times of the day and what it does is fill the system32 folder with tmp files all the same size, until the hard drive is full. I can keep deleting the tmp files using MS-DOS, but how do I find out what the virus is and how to deal with it? I'm suspicious of a file in system32 named baeadf.dll which is a Winlogon process dll, but when I try to delete it the system understandably crashes. Any help appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 08:04:54, on 11/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\vsAOD.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ConWare\INTERC~1\IC3.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ortho Group
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Inter-Chat] C:\PROGRA~1\ConWare\INTERC~1\IC3
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe
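A small triage script, added here as an example and not part of the original post, that parses the O20 Winlogon Notify lines of a HijackThis log (sample lines copied from the log above) and groups same-size .tmp files, the two symptoms described in the post. The allow-list of known Notify packages and the directory listing are constructed assumptions for the example.

```python
import os
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE",
])

# Winlogon Notify package names that are normally present on a clean XP box.
# Assumption for this example: a real baseline should come from a known-good host.
KNOWN_NOTIFY = {
    "wgalogon", "!saswinlogon", "crypt32chain", "cryptnet", "cscdll", "scardsvr",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_o20(log_text):
    """Return [(name, dll_path)] for every O20 Winlogon Notify line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name").strip(), m.group("path").strip()))
    return entries


def suspicious_o20(log_text):
    """O20 entries whose package name is not on the allow-list.

    These DLLs are loaded into winlogon.exe at logon, which is why the file in the
    thread could not be deleted or uploaded (0 bytes) while Windows was running.
    """
    return [(n, p) for n, p in parse_o20(log_text) if n.lower() not in KNOWN_NOTIFY]


def tmp_size_clusters(listing, min_count=3):
    """Group .tmp files by byte size and keep clusters of at least min_count files.

    listing is [(path, size_bytes)]. A large cluster of identical-size .tmp files
    is the disk-filling symptom described in the post.
    """
    by_size = defaultdict(list)
    for path, size in listing:
        if path.lower().endswith(".tmp"):
            by_size[size].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def listing_from_dir(directory):
    """Build the [(path, size)] listing for a real directory, e.g. %SystemRoot%\\system32."""
    out = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                out.append((entry.path, entry.stat().st_size))
    return out


# Constructed directory listing (not real files) showing four same-size .tmp files.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\kernel32.dll", 989184),
    (r"C:\WINDOWS\system32\~tmp0001.tmp", 1048576),
    (r"C:\WINDOWS\system32\~tmp0002.tmp", 1048576),
    (r"C:\WINDOWS\system32\~tmp0003.tmp", 1048576),
    (r"C:\WINDOWS\system32\~tmp0004.tmp", 1048576),
    (r"C:\WINDOWS\system32\setup.tmp", 4096),
]


if __name__ == "__main__":
    for name, path in suspicious_o20(SAMPLE_HJT_LOG):
        print("unknown Winlogon Notify package:", name, "->", path)
    for size, paths in tmp_size_clusters(SAMPLE_LISTING).items():
        print("%d .tmp files of %d bytes" % (len(paths), size))
```

On a live machine, pass listing_from_dir(os.path.join(os.environ["SystemRoot"], "system32")) to tmp_size_clusters instead of the constructed listing.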


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 11 July 2007 - 09:12 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum thelocaluk :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click combofix's window while it's running.
That may cause the program to freeze/hang.


-----------------------------------------

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\baeadf.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\baeadf.dll
Then click on 'Send'.
Post the results into your next reply.

Also post a new Hijackthis log please.

#3 thelocaluk
  • Topic Starter
  • Members
  • 11 posts

Posted 12 July 2007 - 02:20 AM

"AndreV" - 2007-07-12 8:07:55 - ComboFix 07-07-12.3 - Service Pack 2

/wow section - STAGE #8

((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))


2007-07-12 08:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-12 08:05 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-12 08:05 <DIR> d-------- C:\d2435a26e5edcde616914e
2007-07-11 08:17 <DIR> d-------- C:\DOCUME~1\AndreV\.housecall6.6
2007-07-09 19:03 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-09 12:54 <DIR> d-------- C:\06ec4cf8af4459baf97bad82011a46
2007-07-09 11:02 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-09 11:02 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-09 11:02 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-09 11:02 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-09 11:02 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-09 11:02 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-09 11:02 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-09 11:02 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-07-09 11:02 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-06 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2007-07-05 07:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1.VRB\APPLIC~1\HP
2007-06-27 09:00 93,184 --a------ C:\WINDOWS\system32\baeadf.dll
2007-06-19 15:37 <DIR> d-------- C:\DOCUME~1\AndreV\.thinupload


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 07:05:08 -------- d-----w C:\Program Files\OrthoCIS
2007-07-06 11:37:54 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-06 11:37:51 -------- d-----w C:\Program Files\Symantec
2007-07-06 11:37:48 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-25 09:21:31 -------- d-----w C:\DOCUME~1\AndreV\APPLIC~1\AdobeUM
2007-05-18 11:33:47 -------- d-----w C:\Program Files\Windows Defender
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 08:39:16 1 ----a-w C:\WINDOWS\system32\ps.dat
2007-05-10 08:39:16 1 ----a-w C:\WINDOWS\system32\cookie.dat
2007-05-10 08:28:03 10,857 ----a-w C:\WINDOWS\system32\helper.sys
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-13 02:21:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Inter-Chat"="C:\PROGRA~1\ConWare\INTERC~1\IC3" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\baeadf]
C:\WINDOWS\system32\baeadf.dll --a------ 2007-07-05 08:29 93184 C:\WINDOWS\system32\baeadf.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LayoutM]
KLayMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAKTray]
MAKTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zweitgeist Assistant]
C:\Program Files\zweitgeist\zweitgeistAssistant.exe


Contents of the 'Scheduled Tasks' folder
2007-07-12 07:06:33 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-12 07:05:00 C:\WINDOWS\tasks\User_Feed_Synchronization-{29BB0ACC-7FD3-45F4-81B0-C1687967BB8F}.job
2007-07-11 08:33:29 C:\WINDOWS\tasks\User_Feed_Synchronization-{633A2C46-4AE8-4EF5-AD00-1ECFEFE3CF1B}.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 08:09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-12 8:10:01

--- E O F ---

-------------------------------------------------------------------------------------------------------------------------------

RESULTS FROM ONLINE SCANS - UNSUCCESSFUL

virusscan
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Virustotal
0 bytes size received / Se ha recibido un archivo vacio

-------------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 08:16, on 2007-07-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\vsAOD.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ConWare\INTERC~1\IC3.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Inter-Chat] C:\PROGRA~1\ConWare\INTERC~1\IC3
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 12 July 2007 - 03:37 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\baeadf.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

-------------------------------------------------

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

-------------------------------------------------

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log, let me know how your pc is running now.

Edited by RichieUK, 12 July 2007 - 03:37 AM.


#5 thelocaluk
  • Topic Starter
  • Members
  • 11 posts

Posted 12 July 2007 - 05:28 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2007 at 10:29 AM

Application Version : 3.9.1008

Core Rules Database Version : 3268
Trace Rules Database Version: 1279

Scan type : Complete Scan
Total Scan Time : 00:30:16

Memory items scanned : 395
Memory threats detected : 0
Registry items scanned : 4985
Registry threats detected : 0
File items scanned : 27536
File threats detected : 46

Adware.Tracking Cookie
C:\Documents and Settings\AndreV\Cookies\andrev@toplist[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@itv.112.2o7[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ads.ak.facebook[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@hitbox[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@overture[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@bluestreak[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ads.lasvegas[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@adtech[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ad.adserverplus[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@2o7[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@67.15.239[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@chappel.pro-gmedia[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@stats.sphere[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@112.2o7[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@www.yourtracking[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@uk.gamestracker[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@adrevenue[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@specificclick[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@www.gamestracker[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@adbrite[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@argos.112.2o7[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ehg-mgmmirageoperations.hitbox[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ads.adbrite[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ehg-futurepub.hitbox[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@atdmt[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ehg-globalgamingleague.hitbox[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ads.vegas[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@www.stopzilla[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@advertstream[1].txt
C:\Documents and Settings\AndreV\Cookies\andrev@xiti[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@ad.yieldmanager[2].txt
C:\Documents and Settings\AndreV\Cookies\andrev@tracking.summitmedia.co[1].txt
C:\Documents and Settings\OxfordWorkshop\Cookies\oxfordworkshop@ads.aol.co[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@247realmedia[1].txt
C:\Documents and Settings\SteveG\Cookies\steveg@67.15.239[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@67.15.239[3].txt
C:\Documents and Settings\SteveG\Cookies\steveg@atdmt[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@eas.apm.emediate[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@ehg-onlinetravelgroup.hitbox[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@go.drivecleaner[1].txt
C:\Documents and Settings\SteveG\Cookies\steveg@go.drivecleaner[3].txt
C:\Documents and Settings\SteveG\Cookies\steveg@hitbox[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@indexstats[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@klik.klikadvertising[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@overture[2].txt
C:\Documents and Settings\SteveG\Cookies\steveg@tracker.roitesting[2].txt

-----------------------------------------------------------------------------------------------------------------------------

BitDefender Online Scanner


Scan report generated at: Thu, Jul 12, 2007 - 11:08:19


Scan path: C:\;D:\;

Statistics
Time 00:17:41
Files 141304
Folders 4041
Boot Sectors 2
Archives 723
Packed Files 4945

Results
Identified Viruses 3
Infected Files 8
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 15

Engines Info
Virus Definitions 671800
Engine build AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions

Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File
Status
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980000\47DD56A5.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.AAAN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980000\47DD56A5.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980000\47DD56A5.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980001\47DD56C5.VBN=>(Quarantine-PE)
Infected with: Trojan.Agent.AAAN
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980001\47DD56C5.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03980001\47DD56C5.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00000\46DBDECF.VBN=>(Quarantine-PE)
Infected with: Trojan.Downloader.Agent.BGC
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00000\46DBDECF.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00000\46DBDECF.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00001\46DBE158.VBN=>(Quarantine-PE)
Infected with: Trojan.Downloader.Agent.BGC
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00001\46DBE158.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00001\46DBE158.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00002\46DBE175.VBN=>(Quarantine-PE)
Infected with: Trojan.Downloader.Agent.BGC
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00002\46DBE175.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00002\46DBE175.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00003\46DC1509.VBN=>(Quarantine-PE)
Infected with: Trojan.Downloader.Agent.BGC
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00003\46DC1509.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00003\46DC1509.VBN=>(Quarantine-PE)
Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00004\46DC1528.VBN=>(Quarantine-PE)
Infected with: Trojan.Downloader.Agent.BGC
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00004\46DC1528.VBN=>(Quarantine-PE)
Disinfection failed
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04D00004\46DC1528.VBN=>(Quarantine-PE)
Deleted
C:\WINDOWS\system32\helper.sys
Infected with: Trojan.Banker.AB
C:\WINDOWS\system32\helper.sys
Disinfection failed
C:\WINDOWS\system32\helper.sys
Deleted

-----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:11:18, on 12/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\vsAOD.Exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ConWare\INTERC~1\IC3.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OrthoCIS\OrthoCIS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Inter-Chat] C:\PROGRA~1\ConWare\INTERC~1\IC3
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe



The computer is still running the same, Killbox was unable to delete the file baeadf.dll despite several attempts :thumbsup:

Virus is still doing its evil work.

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 12 July 2007 - 08:08 AM

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

-------------------------------------

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

-------------------------------------

Download AVG Anti-Rootkit and save to your desktop
1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.) Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.

#7 thelocaluk (Topic Starter, Members, 11 posts)

Posted 13 July 2007 - 08:17 AM

DrWeb log
dwrcs.exe;c:\windows\system32;Program.RemoteAdmin;Deleted.;
DWRCS.EXE;C:\WINDOWS\system32;Program.RemoteAdmin;Incurable.Deleted.;
hpljP2015_driver_automatic_2_sided.exe;C:\Program Files\HP\ToolBoxFX\products\HP LaserJet P2015\documentation\animations;Trojan.PWS.Banker.10351;Deleted.;
hpljP2015_paper_jam_removal.exe;C:\Program Files\HP\ToolBoxFX\products\HP LaserJet P2015\documentation\animations;Trojan.PWS.Banker.10351;Deleted.;
hpljP2015_paper_jams_automatic_2_sided.exe;C:\Program Files\HP\ToolBoxFX\products\HP LaserJet P2015\documentation\animations;Trojan.PWS.Banker.10351;Deleted.;
hpljP2015_toner_cart.exe;C:\Program Files\HP\ToolBoxFX\products\HP LaserJet P2015\documentation\animations;Trojan.PWS.Banker.10351;Deleted.;

AVG Root scanner found nothing and gave no option to do a log.
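A note on reading that Dr.Web report, with an added example that is not from either poster and is not Dr.Web, HijackThis or BleepingComputer code. Dr.Web's "Program." prefix marks riskware (legitimate but potentially unwanted software such as remote-administration tools), not a virus, so the two "Program.RemoteAdmin" lines are the DameWare Mini Remote Control binary from the O23 service entry in the first HijackThis log, and its deletion is why that service is later listed as "(file missing)". The script below parses the semicolon-separated report format, counts verdicts by threat family and action, lists riskware deletions an administrator may want to reverse deliberately, and cross-checks deleted files against HijackThis O23 service lines. The sample report and the O23 lines are constructed from the records shown in this thread.

```python
"""Sort the verdicts in a Dr.Web CureIt report by threat class, and match
deleted files against HijackThis O23 service entries.  Added example; not
Dr.Web, HijackThis or BleepingComputer code."""
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample built from the record types in the report above
# (fields: name;folder;threat;action;).
SAMPLE_REPORT = r"""
dwrcs.exe;c:\windows\system32;Program.RemoteAdmin;Deleted.;
DWRCS.EXE;C:\WINDOWS\system32;Program.RemoteAdmin;Incurable.Deleted.;
hpljP2015_toner_cart.exe;C:\Program Files\HP\ToolBoxFX\products\HP LaserJet P2015\documentation\animations;Trojan.PWS.Banker.10351;Deleted.;
"""

# O23 lines copied from the first HijackThis log in the thread.
O23_SAMPLE = [
    r"O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE",
    r"O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe",
]


@dataclass(frozen=True)
class Verdict:
    name: str
    folder: str
    threat: str
    action: str

    @property
    def family(self) -> str:
        # "Program.RemoteAdmin" -> "Program"; "Trojan.PWS.Banker.10351" -> "Trojan".
        return self.threat.split(".", 1)[0]


def parse_report(text: str) -> List[Verdict]:
    verdicts = []
    for line in text.splitlines():
        fields = line.strip().rstrip(";").split(";")
        if len(fields) < 4:
            continue  # blank or malformed line
        verdicts.append(Verdict(*fields[:4]))
    return verdicts


def summarize(verdicts: List[Verdict]) -> Counter:
    """Count (threat family, action) pairs, e.g. ('Trojan', 'Deleted.') -> 1."""
    return Counter((v.family, v.action) for v in verdicts)


def riskware_removed(verdicts: List[Verdict]) -> List[str]:
    """Files Dr.Web classes as 'Program.*' (riskware such as remote-admin
    tools, not malware) that the scan deleted; these are the deletions an
    administrator may need to reverse on purpose."""
    return sorted({v.name.lower() for v in verdicts
                   if v.family == "Program" and "Deleted" in v.action})


def dangling_services(verdicts: List[Verdict], o23_lines: List[str]) -> List[str]:
    """Service binaries (HijackThis O23 lines) that the report says were
    deleted while the service itself is still registered."""
    deleted = {(v.folder.lower(), v.name.lower()) for v in verdicts
               if "Deleted" in v.action}
    hits = []
    for line in o23_lines:
        path = line.rsplit(" - ", 1)[-1].strip()
        folder, _, name = path.rpartition("\\")
        if (folder.lower(), name.lower()) in deleted:
            hits.append(path)
    return hits


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    print("riskware deleted:", riskware_removed(found))
    print("services left without a binary:", dangling_services(found, O23_SAMPLE))
```

Run it on the real DrWeb.csv by reading the file into `parse_report` and pasting the O23 lines from the current HijackThis log; anything returned by `dangling_services` is a service that will fail to start until the binary is reinstalled or the service is removed.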

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 13 July 2007 - 10:16 AM

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1.Once Counterspy has done scanning,the 'Scan Results' box will appear.
2.Click on 'View Results'.
3.Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to 'Remove'.
4.Then click on 'Take Action'.
5.Once everything has been removed,click on 'View Details'.
6.Copy and Paste those details into your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- Select My Computer
- This will start the program and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste the contents of that file into your next reply.

Edited by RichieUK, 13 July 2007 - 10:20 AM.


#9 thelocaluk (Topic Starter, Members, 11 posts)

Posted 17 July 2007 - 03:49 AM

CounterSpy

Scan History Details
Start Date: 16/07/2007 12:02:32
End Date: 16/07/2007 12:14:24
Total Time: 11 Min 52 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\andrev\cookies\andrev@atdmt[1].txt


Cookie: Com.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\andrev\cookies\andrev@com[1].txt


Cookie: GeoCities Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\andrev\cookies\andrev@geocities[1].txt


Trojan-Downloader.Win32.Delf.amb Trojan Downloader more information...
Status: Deleted

Files detected
C:\WINDOWS\gc_407.cnf
C:\WINDOWS\gsc_407.cnf



Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 17, 2007 9:43:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/07/2007
Kaspersky Anti-Virus database records: 363253
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
U:\

Scan Statistics:
Total number of scanned objects: 24433
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:22:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05182007-082900.log Object is locked skipped
C:\Documents and Settings\AndreV\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\AndreV\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\History\History.IE5\MSHist012007071720070718\index.dat Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DF448F.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DF4495.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DF64A2.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DF6743.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DF7E12.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temp\~DFAB49.tmp Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\AndreV\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AndreV\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\AndreV\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\OxfordWorkshop\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped
C:\Documents and Settings\OxfordWorkshop\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\OxfordWorkshop\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\CSC\00000002 Object is locked skipped
C:\WINDOWS\CSC\00000003 Object is locked skipped
C:\WINDOWS\CSC\d1\00000018 Object is locked skipped
C:\WINDOWS\CSC\d2\00000011 Object is locked skipped
C:\WINDOWS\CSC\d3\00000012 Object is locked skipped
C:\WINDOWS\CSC\d5\0000001C Object is locked skipped
C:\WINDOWS\CSC\d7\0000001E Object is locked skipped
C:\WINDOWS\CSC\d8\00000017 Object is locked skipped
C:\WINDOWS\CSC\d8\0000001F Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{10624C11-7BBA-4F25-839F-D9E0E0F90662}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\baeadf.dll Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\HPPDEVX.DLL.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4f0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


The virus seems to have gone quiet these last two days, but the baeadf.dll file is still there.

Edited by thelocaluk, 17 July 2007 - 05:36 AM.


#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 17 July 2007 - 02:26 PM

Download chercher.zip by Malekal_morte to your Desktop:
http://www.malekal.com/download/telecharger.com/chercher.zip

* Right-click 'chercher.zip' and unzip all.
* You will get a new folder.
* Open this folder and Double-Click onto 'chercher.cmd'
* A DOS Window opens, let it open and wait until it asks you to press any key.
* Notepad will open with a long report.

Copy this report and paste it to your next reply.
Also post a new Hijackthis log.

#11 thelocaluk (Topic Starter, Members, 11 posts)

Posted 19 July 2007 - 06:52 AM

C:\WINDOWS\agrsmmsg.exe |Agere Systems |28/07/2005 16:12:09
C:\WINDOWS\bdoscandel.exe |COMPANY |25/05/2006 01:22:06
C:\WINDOWS\catchme.exe |COMPANY |12/07/2007 08:07:40
C:\WINDOWS\KLayMgr.exe |Chicony |26/08/2004 15:17:18
C:\WINDOWS\MAKHkey.exe |HP |28/07/2005 15:35:06
C:\WINDOWS\MAKTray.exe |Hewlett-Packard Development Company, L.P. |28/07/2005 15:35:06
C:\WINDOWS\MicCal.exe |Realtek Semiconductor Corp. |19/01/2006 17:42:46
C:\WINDOWS\MidTrans.exe |COMPANY |28/07/2005 15:35:06
C:\WINDOWS\nircmd.exe |NirSoft |12/07/2007 08:07:40
C:\WINDOWS\RDir.exe |COMPANY |28/07/2005 15:35:06
C:\WINDOWS\RTHDCPL.exe |Realtek Semiconductor Corp. |28/07/2005 14:47:33
C:\WINDOWS\RtlUpd.exe |Realtek Semiconductor Corp. |19/01/2006 17:42:47
C:\WINDOWS\slrundll.exe |Smart Link |28/07/2005 16:44:03
C:\WINDOWS\twunk_16.exe |Twain Working Group |31/03/2003 13:00:00
C:\WINDOWS\twunk_32.exe |Twain Working Group |31/03/2003 13:00:00
C:\WINDOWS\uninst.exe |InstallShield Corporation, Inc. |23/03/2006 10:10:09
C:\WINDOWS\vsAOD.Exe |Visionsoft Limited |28/07/2005 15:38:19
C:\WINDOWS\EAKUSB.dll |COMPANY |28/07/2005 15:35:06
C:\WINDOWS\MAKHkdll.dll |COMPANY |28/07/2005 15:35:06
C:\WINDOWS\RtlExUpd.dll |Realtek Semiconductor Corp. |28/07/2005 13:48:38
C:\WINDOWS\twain.dll |Twain Working Group |31/03/2003 13:00:00
C:\WINDOWS\twain_32.dll |Twain Working Group |31/03/2003 13:00:00
C:\WINDOWS\system32\agrsmdel.exe |Agere Systems |28/07/2005 16:12:09
C:\WINDOWS\system32\append.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\asuninst.exe |Panda Software |18/05/2007 12:18:37
C:\WINDOWS\system32\aswBoot.exe |ALWIL Software |09/07/2007 11:02:44
C:\WINDOWS\system32\ChCfg.exe |COMPANY |28/07/2005 13:49:57
C:\WINDOWS\system32\debug.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\dosx.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\dvdplay.exe |COMPANY |17/08/2001 23:36:42
C:\WINDOWS\system32\DWRCST.EXE |DameWare Development |29/07/2005 09:23:22
C:\WINDOWS\system32\edlin.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\exe2bin.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\fastopen.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\FileOps.exe |COMPANY |29/07/2005 10:01:01
C:\WINDOWS\system32\HdAShCut.exe |Windows ® Server 2003 DDK provider |07/01/2005 17:07:16
C:\WINDOWS\system32\hkcmd.exe |Intel Corporation |25/04/2005 10:29:00
C:\WINDOWS\system32\ialmudlg.exe |Intel® Corporation |20/09/2005 10:37:00
C:\WINDOWS\system32\igfxcfg.exe |Intel Corporation |25/04/2005 10:31:34
C:\WINDOWS\system32\igfxext.exe |Intel Corporation |25/04/2005 10:32:44
C:\WINDOWS\system32\igfxpers.exe |Intel Corporation |25/04/2005 10:32:52
C:\WINDOWS\system32\igfxsrvc.exe |Intel Corporation |25/04/2005 10:28:52
C:\WINDOWS\system32\igfxtray.exe |Intel Corporation |25/04/2005 10:32:12
C:\WINDOWS\system32\igfxzoom.exe |Intel Corporation |25/04/2005 10:32:38
C:\WINDOWS\system32\java.exe |Sun Microsystems, Inc. |11/07/2007 08:16:49
C:\WINDOWS\system32\javaw.exe |Sun Microsystems, Inc. |11/07/2007 08:16:49
C:\WINDOWS\system32\javaws.exe |Sun Microsystems, Inc. |11/07/2007 08:16:49
C:\WINDOWS\system32\mem.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\mscdexnt.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\nlsfunc.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\nw16.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\redir.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\setver.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\share.exe |COMPANY |31/03/2003 13:00:00
C:\WINDOWS\system32\slrundll.exe |Smart Link |28/07/2005 16:44:05
C:\WINDOWS\system32\slserv.exe |Smart Link |28/07/2005 16:44:05
C:\WINDOWS\system32\swreg.exe |SteelWerX |12/07/2007 08:07:40


Logfile of HijackThis v1.99.1
Scan saved at 12:47:44, on 19/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsAOD.Exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ConWare\INTERC~1\IC3.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Inter-Chat] C:\PROGRA~1\ConWare\INTERC~1\IC3
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\system32\DWRCS.EXE (file missing)
O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe



The Virus is still there as i discovered this morning :thumbsup:

Thank you
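An added example, not from either poster and not part of HijackThis. Comparing the 19 July log with the 11 July one by eye, the BitDefender O9 entries and the SUPERAntiSpyware O20 package are gone, the DWRCS service binary is now "(file missing)" (it was deleted by Dr.Web), and the O20 "baeadf" Winlogon Notify entry is unchanged. A Notify package is loaded into winlogon.exe at boot, which is why Killbox could not delete the DLL and why the system crashes when it is removed from under a running session. The script below parses HijackThis logs into per-section entry sets, diffs two of them (normalising quoting and path case so the re-quoted jusched line does not show as a change), lists what survived in a section, and flags O20 DLLs under system32 that are not on an allow-list. The two log excerpts are constructed from the logs in this thread; the allow-list is an assumption for this example.

```python
"""Diff two HijackThis logs entry by entry and flag Winlogon Notify (O20)
DLLs loaded from system32 that are not on an allow-list.  Added example;
not HijackThis code."""
import re
from typing import Dict, List, Set, Tuple

ENTRY_RE = re.compile(r"^([FRO]\d+) - (.+)$")

# Allow-list is an assumption for this example; build your own from a
# clean reference machine.  WgaLogon.dll is the Windows Genuine Advantage
# notification package.
KNOWN_NOTIFY = {"wgalogon.dll"}

# Constructed excerpts of the 11 July and 19 July logs in this thread.
LOG_11_JULY = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
"""
LOG_19_JULY = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: baeadf - C:\WINDOWS\system32\baeadf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\system32\DWRCS.EXE (file missing)
"""

Entries = Dict[str, Set[str]]


def _normalize(body: str) -> str:
    # Windows paths are case-insensitive, and HijackThis shows quotes only
    # when the Run value itself is quoted; neither changes what starts.
    return body.replace('"', "").lower()


def parse_hjt(text: str) -> Entries:
    """Map section id (O4, O20, ...) to the set of normalised entry bodies."""
    entries: Entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        section, body = m.groups()
        entries.setdefault(section, set()).add(_normalize(body))
    return entries


def diff_hjt(old: Entries, new: Entries) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (added, removed) entries keyed by section."""
    added: Dict[str, List[str]] = {}
    removed: Dict[str, List[str]] = {}
    for section in sorted(set(old) | set(new)):
        gained = new.get(section, set()) - old.get(section, set())
        lost = old.get(section, set()) - new.get(section, set())
        if gained:
            added[section] = sorted(gained)
        if lost:
            removed[section] = sorted(lost)
    return added, removed


def persisted(old: Entries, new: Entries, section: str) -> List[str]:
    """Entries of one section present in both logs, i.e. what survived."""
    return sorted(old.get(section, set()) & new.get(section, set()))


def suspicious_notify(entries: Entries) -> List[str]:
    """O20 Winlogon Notify DLLs under system32 that are not on the allow-list.
    A Notify package is loaded into winlogon.exe at boot, which is why such
    a file is locked and cannot be deleted from a normal session."""
    hits = []
    for body in entries.get("O20", set()):
        path = body.rsplit(" - ", 1)[-1]   # "winlogon notify: baeadf - c:\...\baeadf.dll"
        name = path.rpartition("\\")[2]
        if "\\system32\\" in path and name not in KNOWN_NOTIFY:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    old, new = parse_hjt(LOG_11_JULY), parse_hjt(LOG_19_JULY)
    added, removed = diff_hjt(old, new)
    print("added:", added)
    print("removed:", removed)
    print("O20 in both logs:", persisted(old, new, "O20"))
    print("suspicious Winlogon Notify DLLs:", suspicious_notify(new))
```

Feed it the two full logs (read from files) and the diff shows exactly what each removal step changed; the O20 survivor and the "file missing" O23 entry stand out without reading through the process list twice.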

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 19 July 2007 - 09:01 AM

Download win32delfkil.exe.
http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it.
This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt

------------------------------------------

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder,then copy and paste the entire content of winpfind.txt into your next reply.

*NOTE*
It may take more than one reply to post the whole winpfind.txt.

#13 thelocaluk (Topic Starter, Members, 11 posts)

Posted 20 July 2007 - 02:02 AM

WIN32DELFKIL LOGFILE - by Marckie


version 3.129
19/07/2007 16:53:29.57
running from: "C:\Documents and Settings\AndreV\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D1159422-16E3-462F-A93D-FB718E100408}"="za"



--- sharedtaskkey (1): D1159422-16E3-462F-A93D-FB718E100408 ---
no keys found

--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!


WinPFind logfile created on: 19/07/2007 16:55:37
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\AndreV\Desktop\WinPFind\

Windows OS and Versions

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 7.0.5730.11

Memory/Drive Info

503.35 Mb Total Physical Memory | 276.12 Mb Available Physical Memory | 54.86% Memory free
1.20 Gb Paging File | 1.00 Gb Available in Paging File | 82.99% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 68.68 Gb Free Space | 92.15% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: OXF000544
Current User Name: AndreV
Logged in as Administrator.
Current Boot Mode: Normal

Running Processes (Non-Microsoft)

C:\Documents and Settings\AndreV\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
C:\Program Files\ConWare\InterChat3\IC3.exe (ConWare)
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe (Sun Microsystems, Inc.)
C:\WINDOWS\vsAOD.Exe (Visionsoft Limited)

Win32 Services (Non-Microsoft)

(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running]
= C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)

(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running]
= C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)

(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running]
= C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)

(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running]
= C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(DWMRCS) DameWare Mini Remote Control [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\DWRCS.EXE (File not found)

(vsAOD) Visionsoft Audit On Demand Service [Win32_Own | Auto | Running]
= C:\WINDOWS\vsAOD.Exe (Visionsoft Limited)

Registry Items (Non-Microsoft)

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Adobe Reader Speed Launcher = C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
avast! = C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
SunJavaUpdateSched = C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Inter-Chat = C:\Program Files\ConWare\InterChat3\IC3.exe (ConWare)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\AndreV\Start Menu\Programs\Startup >
C:\Documents and Settings\AndreV\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item =
hkey = HKLM
command =
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\High Definition Audio Property Page Shortcut]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\system32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
hkey = HKLM
command = C:\WINDOWS\system32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LayoutM]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\KLayMgr.exe (Chicony)
hkey = HKLM
command = C:\WINDOWS\KLayMgr.exe (Chicony)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MAKTray]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\MAKTray.exe (Hewlett-Packard Development Company, L.P.)
hkey = HKLM
command = C:\WINDOWS\MAKTray.exe (Hewlett-Packard Development Company, L.P.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RTHDCPL]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
hkey = HKLM
command = C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zweitgeist Assistant]
key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item = zweitgeistAssistant
hkey = HKCU
command = C:\Program Files\zweitgeist\zweitgeistAssistant.exe (File not found)
inimapping = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 0
win.ini = 0
bootini = 0
services = 0
startup = 2

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<
>>>>> Winlogon Keys <<<<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\baeadf]
DllName = C:\WINDOWS\system32\baeadf.dll ()

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 468334 bytes | Modified Date: 30/06/2006 02:13:22)

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Local Page = %SystemRoot%\system32\blank.htm
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Start Page = about:blank

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Local Page = C:\WINDOWS\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
Start Page = http://www.google.co.uk/ig?hl=en
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0
ProxyOverride = <local>

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (File not found) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKCU Internet Explorer Bars <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

>>>>> HKLM Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{49783ED4-258D-4f9f-BE11-137C18D3E543} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8194

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{32683183-48a0-441b-a342-7c2a440a9478} = Media Band ( CLSID not found! )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{472083B0-C522-11CF-8763-00608CC02F24} = avast ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )

>>>>> HKCU Approved Shell Extensions <<<<<

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} = Web Folders ( HKLM = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL () )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\TzShell]
@ = {B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} ( HKLM = C:\Program Files\TUGZip\TzShell.dll () )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\igfxcui]
@ = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} ( HKLM = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\avast]
@ = {472083B0-C522-11CF-8763-00608CC02F24} ( HKLM = C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\TzShell]
@ = {B38FE8E9-5DFC-4D58-8459-1E3AC5165E34} ( HKLM = C:\Program Files\TUGZip\TzShell.dll () )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
ScanWithAntiVirus = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
{17492023-C23A-453E-A040-C7C580BBF700} = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
NoChangingWallPaper = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 36
NoSimpleStartMenu = 1
ForceStartMenuLogOff = 1
ForceClassicControlPanel = 1
NoDriveAutoRun = ( 255 255 255 255 ) -

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
SetVisualStyle =

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]*

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
C:\WINDOWS\system32
C:\WINDOWS
C:\WINDOWS\system32\wbem
%SystemRoot%\system32
%SystemRoot%
%SystemRoot%\System32\Wbem
C:\Program Files\QuickTime\QTSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%programfiles%\internet explorer\iexplore.exe" (File not found)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
StubPath = C:\WINDOWS\system32\ieudinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{40A83082-C755-4B32-B7BB-7B532A730812}]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AF88F044-0A00-44DE-9351-735F771CCA40}] ( Broadcom NetXtreme Gigabit Ethernet )
DefaultGateway =
DhcpDefaultGateway = 10.10.25.1;
DhcpIPAddress = 10.10.25.153
DhcpNameServer = 10.10.10.10
DhcpServer = 10.10.25.10
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = Computer

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}\DownloadInformation]
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab
INF = C:\WINDOWS\Downloaded Program Files\opuc.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

Files / Folders Created Within 30 Days

C:\16.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:16:31 | Attr = ]
C:\18.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:16:32 | Attr = ]
C:\2.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:14:58 | Attr = ]
C:\20.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:35:25 | Attr = ]
C:\22.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:35:27 | Attr = ]
C:\2C.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:45:23 | Attr = ]
C:\2E.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:45:24 | Attr = ]
C:\38.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:45:40 | Attr = ]
C:\3A.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:45:41 | Attr = ]
C:\4.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:14:59 | Attr = ]
C:\44.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:47:58 | Attr = ]
C:\46.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:47:59 | Attr = ]
C:\4E.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:58:39 | Attr = ]
C:\50.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:58:40 | Attr = ]
C:\59.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:58:51 | Attr = ]
C:\5B.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:58:52 | Attr = ]
C:\64.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:59:05 | Attr = ]
C:\66.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 13:59:06 | Attr = ]
C:\6B.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 14:03:13 | Attr = ]
C:\6D.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 14:03:13 | Attr = ]
C:\75.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 14:07:20 | Attr = ]
C:\77.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 14:07:21 | Attr = ]
C:\C.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:15:09 | Attr = ]
C:\E.tmp [Ver = | Size = 0 bytes | Created Date = 19/07/2007 12:15:10 | Attr = ]
C:\win32delfkil.exe Marckie [Ver = 3. 1. 2. 9 | Size = 280134 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
@Alternate Data Stream - C:\win32delfkil.exe:Zone.Identifier (26 bytes)
C:\_backupD [Folder | Created Date = 19/07/2007 15:53:29 | Attr = ]
C:\_OTMoveIt [Folder | Created Date = 19/07/2007 11:58:42 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Adobe [Folder | Created Date = 25/06/2007 12:20:29 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files [Folder | Created Date = 06/07/2007 11:34:26 | Attr = ]
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [Folder | Created Date = 12/07/2007 08:56:34 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Zenturi [Folder | Created Date = 19/07/2007 11:30:51 | Attr = ]
C:\Documents and Settings\AndreV\Application Data\Sunbelt Software [Folder | Created Date = 16/07/2007 10:43:42 | Attr = ]
C:\Documents and Settings\AndreV\Application Data\SUPERAntiSpyware.com [Folder | Created Date = 12/07/2007 08:56:29 | Attr = ]
C:\Documents and Settings\AndreV\My Documents\My Videos [Folder | Created Date = 13/07/2007 10:16:17 | Attr = R ]
C:\Documents and Settings\AndreV\Desktop\arms.zip [Ver = | Size = 1055 bytes | Created Date = 17/07/2007 09:48:34 | Attr = ]
C:\Documents and Settings\AndreV\Desktop\Shortcut to Monthly Sub Contract Record.lnk [Ver = | Size = 794 bytes | Created Date = 05/07/2007 14:44:25 | Attr = ]
C:\Documents and Settings\AndreV\Desktop\WinPFind [Folder | Created Date = 19/07/2007 15:55:16 | Attr = ]
C:\WINDOWS\$NtUninstallKB936357$ [Folder | Created Date = 11/07/2007 16:04:51 | Attr = H ]
C:\WINDOWS\BDOSCAN8 [Folder | Created Date = 12/07/2007 09:46:56 | Attr = ]
C:\WINDOWS\Minidump [Folder | Created Date = 04/07/2007 14:35:01 | Attr = ]
C:\WINDOWS\System32\actskin4.ocx [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 09/07/2007 10:02:44 | Attr = ]
C:\WINDOWS\System32\aswBoot.exe ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Created Date = 09/07/2007 10:02:44 | Attr = ]
C:\WINDOWS\System32\AvastSS.scr ALWIL Software [Ver = 4, 7, 997, 0 | Size = 95872 bytes | Created Date = 09/07/2007 10:02:51 | Attr = ]
C:\WINDOWS\System32\baeadf.dll [Ver = | Size = 93184 bytes | Created Date = 27/06/2007 08:00:56 | Attr = ]
C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 11/07/2007 07:16:49 | Attr = ]
C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 11/07/2007 07:16:49 | Attr = ]
C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Created Date = 11/07/2007 07:16:49 | Attr = ]
C:\WINDOWS\System32\process.exe http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\reboot.exe [Ver = | Size = 4096 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\regdacl [Folder | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\regdacl.exe Frank Heyne Software [Ver = 5.1.1.195 | Size = 90112 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\restart.exe WareSoft Software [Ver = 1.00 | Size = 16384 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\SBFC.dat [Ver = | Size = 0 bytes | Created Date = 16/07/2007 11:02:32 | Attr = ]
C:\WINDOWS\System32\SBRC.dat [Ver = | Size = 0 bytes | Created Date = 16/07/2007 11:02:32 | Attr = ]
C:\WINDOWS\System32\swreg.exe [Ver = | Size = 42496 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\swsc.exe [Ver = | Size = 40960 bytes | Created Date = 19/07/2007 15:53:19 | Attr = ]
C:\WINDOWS\System32\vfind.exe [Ver = | Size = 49152 bytes | Created Date = 12/07/2007 07:07:40 | Attr = ]
C:\WINDOWS\System32\drivers\aavmker4.sys ALWIL Software [Ver = 4.7.997.0 | Size = 26888 bytes | Created Date = 09/07/2007 10:02:54 | Attr = ]
C:\WINDOWS\System32\drivers\aswmon.sys ALWIL Software [Ver = 4.7.997.0 | Size = 85952 bytes | Created Date = 09/07/2007 10:02:50 | Attr = ]
C:\WINDOWS\System32\drivers\aswmon2.sys ALWIL Software [Ver = 4.7.997.0 | Size = 94552 bytes | Created Date = 09/07/2007 10:02:50 | Attr = ]
C:\WINDOWS\System32\drivers\aswRdr.sys ALWIL Software [Ver = 4.7.997.0 | Size = 23416 bytes | Created Date = 09/07/2007 10:02:55 | Attr = ]
C:\WINDOWS\System32\drivers\aswTdi.sys ALWIL Software [Ver = 4.7.997.0 | Size = 43176 bytes | Created Date = 09/07/2007 10:02:55 | Attr = ]

Files / Folders Modified Within 30 Days

C:\16.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:16:32 | Attr = ]
C:\18.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:16:34 | Attr = ]
C:\2.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:15:00 | Attr = ]
C:\20.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:35:26 | Attr = ]
C:\22.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:35:28 | Attr = ]
C:\2C.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:45:24 | Attr = ]
C:\2E.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:45:26 | Attr = ]
C:\38.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:45:42 | Attr = ]
C:\3A.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:45:42 | Attr = ]
C:\4.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:15:00 | Attr = ]
C:\44.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:48:00 | Attr = ]
C:\46.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:48:00 | Attr = ]
C:\4E.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:58:40 | Attr = ]
C:\50.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:58:42 | Attr = ]
C:\59.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:58:52 | Attr = ]
C:\5B.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:58:54 | Attr = ]
C:\64.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:59:06 | Attr = ]
C:\66.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 14:59:08 | Attr = ]
C:\6B.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 15:03:14 | Attr = ]
C:\6D.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 15:03:14 | Attr = ]
C:\75.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 15:07:22 | Attr = ]
C:\77.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 15:07:22 | Attr = ]
C:\boot.ini [Ver = | Size = 211 bytes | Modified Date = 04/07/2007 15:31:30 | Attr = RHS]
C:\C.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:15:10 | Attr = ]
C:\Documents and Settings [Folder | Modified Date = 04/07/2007 08:22:26 | Attr = ]
C:\E.tmp [Ver = | Size = 0 bytes | Modified Date = 19/07/2007 13:15:12 | Attr = ]
C:\Program Files [Folder | Modified Date = 17/07/2007 09:50:48 | Attr = R ]
C:\RECYCLER [Folder | Modified Date = 04/07/2007 15:36:34 | Attr = HS]
C:\win32delfkil.exe Marckie [Ver = 3. 1. 2. 9 | Size = 280134 bytes | Modified Date = 19/07/2007 16:51:16 | Attr = ]
@Alternate Data Stream - C:\win32delfkil.exe:Zone.Identifier (26 bytes)
C:\WINDOWS [Folder | Modified Date = 19/07/2007 16:29:00 | Attr = ]
C:\_backupD [Folder | Modified Date = 19/07/2007 16:53:30 | Attr = ]
C:\_OTMoveIt [Folder | Modified Date = 19/07/2007 12:58:44 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Adobe [Folder | Modified Date = 25/06/2007 13:21:14 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files [Folder | Modified Date = 06/07/2007 12:34:28 | Attr = ]
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [Folder | Modified Date = 12/07/2007 09:56:36 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Symantec [Folder | Modified Date = 06/07/2007 12:37:50 | Attr = ]
C:\Documents and Settings\All Users\Application Data\Zenturi [Folder | Modified Date = 19/07/2007 12:30:52 | Attr = ]
C:\Documents and Settings\AndreV\Application Data\AdobeUM [Folder | Modified Date = 25/06/2007 10:21:32 | Attr = ]
C:\Documents and Settings\AndreV\Application Data\Microsoft [Folder | Modified Date = 26/06/2007 15:12:42 | Attr = S]
C:\Documents and Settings\AndreV\Application Data\Sunbelt Software [Folder | Modified Date = 16/07/2007 11:43:44 | Attr = ]
C:\Documents and Settings\AndreV\Application Data\SUPERAntiSpyware.com [Folder | Modified Date = 12/07/2007 12:01:00 | Attr = ]
C:\Documents and Settings\AndreV\Local Settings\Application Data\Adobe [Folder | Modified Date = 25/06/2007 14:48:58 | Attr = ]
C:\Documents and Settings\AndreV\Local Settings\Application Data\ApplicationHistory [Folder | Modified Date = 04/07/2007 09:27:06 | Attr = ]
C:\Documents and Settings\AndreV\Local Settings\Application Data\IconCache.db [Ver = | Size = 1415332 bytes | Modified Date = 19/07/2007 16:11:56 | Attr = H ]
C:\Documents and Settings\AndreV\My Documents\My Music [Folder | Modified Date = 17/07/2007 10:54:38 | Attr = R ]
C:\Documents and Settings\AndreV\My Documents\My Pictures [Folder | Modified Date = 17/07/2007 10:54:16 | Attr = R ]
C:\Documents and Settings\AndreV\My Documents\My Videos [Folder | Modified Date = 13/07/2007 11:16:18 | Attr = R ]
C:\Documents and Settings\AndreV\Desktop\arms.zip [Ver = | Size = 1055 bytes | Modified Date = 17/07/2007 10:48:36 | Attr = ]
C:\Documents and Settings\AndreV\Desktop\Microsoft Outlook.lnk [Ver = | Size = 2497 bytes | Modified Date = 12/07/2007 16:33:40 | Attr = ]
C:\Documents and Settings\AndreV\Desktop\Shortcut to Monthly Sub Contract Record.lnk [Ver = | Size = 794 bytes | Modified Date = 05/07/2007 15:44:24 | Attr = ]
C:\Documents and Settings\AndreV\Desktop\WinPFind [Folder | Modified Date = 19/07/2007 16:55:18 | Attr = ]
C:\Program Files\Common Files\Adobe [Folder | Modified Date = 25/06/2007 13:20:38 | Attr = ]
C:\Program Files\Common Files\Symantec Shared [Folder | Modified Date = 06/07/2007 12:37:56 | Attr = ]
C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 11/07/2007 10:26:28 | Attr = H ]
C:\WINDOWS\$NtUninstallKB936357$ [Folder | Modified Date = 11/07/2007 17:04:52 | Attr = H ]
C:\WINDOWS\assembly [Folder | Modified Date = 11/07/2007 17:06:10 | Attr = R S]
C:\WINDOWS\BDOSCAN8 [Folder | Modified Date = 12/07/2007 11:08:20 | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 19/07/2007 16:54:04 | Attr = S]
C:\WINDOWS\CSC [Folder | Modified Date = 19/07/2007 16:54:08 | Attr = HS]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 19/07/2007 12:48:26 | Attr = S]
C:\WINDOWS\inf [Folder | Modified Date = 17/07/2007 08:33:00 | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 16/07/2007 12:19:32 | Attr = HS]
C:\WINDOWS\Microsoft.NET [Folder | Modified Date = 12/07/2007 13:43:28 | Attr = ]
C:\WINDOWS\Minidump [Folder | Modified Date = 05/07/2007 07:57:36 | Attr = ]
C:\WINDOWS\Prefetch [Folder | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\ServicePackFiles [Folder | Modified Date = 04/07/2007 08:26:22 | Attr = ]
C:\WINDOWS\setupapi.log.0.old [Ver = | Size = 1032568 bytes | Modified Date = 11/07/2007 08:17:06 | Attr = ]
C:\WINDOWS\system.ini [Ver = | Size = 227 bytes | Modified Date = 04/07/2007 15:31:30 | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\Tasks [Folder | Modified Date = 19/07/2007 16:18:06 | Attr = S]
C:\WINDOWS\Temp [Folder | Modified Date = 19/07/2007 16:54:16 | Attr = ]
C:\WINDOWS\win.ini [Ver = | Size = 1042 bytes | Modified Date = 19/07/2007 14:35:56 | Attr = ]
C:\WINDOWS\WinSxS [Folder | Modified Date = 11/07/2007 17:02:52 | Attr = ]
C:\WINDOWS\System32\baeadf.dll [Ver = | Size = 93184 bytes | Modified Date = 05/07/2007 08:29:26 | Attr = ]
C:\WINDOWS\System32\CatRoot [Folder | Modified Date = 12/07/2007 08:06:58 | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 19/07/2007 12:30:50 | Attr = ]
C:\WINDOWS\System32\config [Folder | Modified Date = 09/07/2007 12:46:34 | Attr = ]
C:\WINDOWS\System32\CONFIG.NT [Ver = | Size = 2626 bytes | Modified Date = 09/07/2007 11:02:56 | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 12/07/2007 08:05:54 | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 16/07/2007 12:19:28 | Attr = ]
C:\WINDOWS\System32\Lang [Folder | Modified Date = 04/07/2007 09:27:08 | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 62460 bytes | Modified Date = 19/07/2007 16:19:06 | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 401372 bytes | Modified Date = 19/07/2007 16:19:06 | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 471150 bytes | Modified Date = 19/07/2007 16:19:06 | Attr = ]
C:\WINDOWS\System32\process.exe http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\reboot.exe [Ver = | Size = 4096 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\regdacl [Folder | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\regdacl.exe Frank Heyne Software [Ver = 5.1.1.195 | Size = 90112 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\restart.exe WareSoft Software [Ver = 1.00 | Size = 16384 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\SBFC.dat [Ver = | Size = 0 bytes | Modified Date = 16/07/2007 12:02:34 | Attr = ]
C:\WINDOWS\System32\SBRC.dat [Ver = | Size = 0 bytes | Modified Date = 16/07/2007 12:02:34 | Attr = ]
C:\WINDOWS\System32\swreg.exe [Ver = | Size = 42496 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\swsc.exe [Ver = | Size = 40960 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 19/07/2007 16:54:26 | Attr = ]

File String Scan (Non-Microsoft Only)
@Alternate Data Stream - C:\win32delfkil.exe:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\win32delfkil.exe (Marckie )
[UPX! , UPX0 , ]C:\WINDOWS\System32\aswBoot.exe (ALWIL Software)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\dtssource.ax ()
[PEC2 , PECompact2 , ]C:\WINDOWS\System32\DWRCST.EXE (DameWare Development)
[UPX! , UPX0 , ]C:\WINDOWS\System32\swreg.exe ()
[UPX! , UPX0 , ]C:\WINDOWS\System32\swsc.exe ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()
[UPX0 , WSUD , ]C:\WINDOWS\System32\dllcache\hwxjpn.dll ()
[PTech , ]C:\WINDOWS\System32\drivers\mtlstrm.sys (Smart Link)
[abetterinternet.com , ad-w-a-r-e.com , PTech , qoologic , SAHAgent , web-nex , ]C:\WINDOWS\System32\drivers\etc\HOSTS ()

< End of report >
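A small triage helper for WinPFind output of the kind posted above, added here as an example and not part of the thread or of WinPFind itself. It parses the `[Ver = | Size = | Modified Date = | Attr = ]` file entries, flags directories holding several .tmp files of identical size (the fill-the-disk symptom the topic starter described) and lists recently modified System32 binaries with neither a version resource nor a company string, which is how baeadf.dll stands out in the log. The .tmp sample lines and their shared size are constructed; the other two sample lines are copied from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One WinPFind file entry: <path> [<company>] [Ver = x | Size = n bytes | Modified Date = d | Attr = a]
FILE_RE = re.compile(r"^(?P<head>.+?) \[Ver = (?P<ver>[^|]*?) ?\| Size = (?P<size>\d+) bytes \| "
                     r"Modified Date = (?P<mtime>\S+ \S+) \| Attr = (?P<attr>[^\]]*)\]$")
# The first extension-like token after the last backslash ends the path; the rest of the head is
# WinPFind's company/URL column ("regdacl.exe Frank Heyne Software"). Assumes no space precedes the extension.
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}(?=\s|$)")

def parse_entries(lines):
    """Parse file entries; '[Folder | ...]' lines and free text are skipped."""
    entries = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        head = m.group("head")
        ext = EXT_RE.search(head, head.rfind("\\") + 1)
        path = head[:ext.end()] if ext else head
        entries.append({"path": path, "vendor": head[len(path):].strip(), "ver": m.group("ver").strip(),
                        "size": int(m.group("size")),
                        "mtime": datetime.strptime(m.group("mtime"), "%d/%m/%Y %H:%M:%S")})
    return entries

def tmp_floods(entries, min_count=3):
    """Directories holding several .tmp files of identical size: the fill-the-disk symptom."""
    groups = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".tmp"):
            groups[(e["path"].rsplit("\\", 1)[0].lower(), e["size"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_count}

def unversioned_system32_binaries(entries, days=30):
    """System32 .dll/.exe with no version or company, modified within `days` of the newest entry (candidates only)."""
    newest = max(e["mtime"] for e in entries)
    return [e["path"] for e in entries
            if "\\system32\\" in e["path"].lower() and e["path"].lower().endswith((".dll", ".exe"))
            and not e["ver"] and not e["vendor"] and newest - e["mtime"] <= timedelta(days=days)]

# Constructed sample: the first two lines are copied from the log above; the .tmp entries and
# their shared size are made up to reproduce the flood pattern.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\baeadf.dll [Ver = | Size = 93184 bytes | Modified Date = 05/07/2007 08:29:26 | Attr = ]
C:\WINDOWS\System32\regdacl.exe Frank Heyne Software [Ver = 5.1.1.195 | Size = 90112 bytes | Modified Date = 19/07/2007 16:53:20 | Attr = ]
C:\WINDOWS\System32\16.tmp [Ver = | Size = 4194304 bytes | Modified Date = 19/07/2007 09:00:02 | Attr = ]
C:\WINDOWS\System32\18.tmp [Ver = | Size = 4194304 bytes | Modified Date = 19/07/2007 09:00:04 | Attr = ]
C:\WINDOWS\System32\2C.tmp [Ver = | Size = 4194304 bytes | Modified Date = 19/07/2007 09:00:06 | Attr = ]
""".strip().splitlines()
```

Run `parse_entries` over a full WinPFind report and the two checks give a short review list; a hit on the unversioned list is a reason to look at the file (signature, Winlogon Notify registration), not a verdict.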

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 20 July 2007 - 03:47 AM

Copy and paste ALL the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\System32\baeadf.dll
C:\16.tmp
C:\18.tmp
C:\2.tmp
C:\20.tmp
C:\22.tmp
C:\2C.tmp
C:\2E.tmp
C:\38.tmp
C:\3A.tmp
C:\4.tmp
C:\44.tmp
C:\46.tmp
C:\4E.tmp
C:\50.tmp
C:\59.tmp
C:\5B.tmp
C:\64.tmp
C:\66.tmp
C:\6B.tmp
C:\6D.tmp
C:\75.tmp
C:\77.tmp
C:\C.tmp
C:\E.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\baeadf]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of C:\Combofix.txt in your next reply along with a new HijackThis log.

#15 thelocaluk

thelocaluk
  • Topic Starter

  • Members
  • 11 posts

Posted 25 July 2007 - 10:17 AM

That sorted it good and proper, the system32 folder got deleted :thumbsup:
Oh well, nice try. I'll reinstall XP and try to be more careful in future. Thanks Richie



