TheTechGuide Forum
General Category => Tech Clinic => Topic started by: friedemann on October 23, 2005, 10:08:55 AM
-
My anti-virus noted this bug in 2500 zip files in a folder I can't find. I never knowingly downloaded these porn zips and almost all memory is used up because of them. The bug is TR/Drop.WinAD.H
I am running Win XP, have Spybot, Ad-aware and AntiVir. Appreciate some help as I don't have enough free memory to do a system restore (I am under the impression I could go back in time before problems existed - maybe not???)
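The first thing the poster needs is the directory the AV report is pointing at. As an added example (not part of this thread), the script below walks a tree and reports directories holding an unusual number of .zip files, hidden and system folders included, since os.walk ignores the Windows hidden attribute and only skips what it cannot read. The directory layout it builds for the demo is constructed, not taken from the poster's machine; on the real box you would call find_file_clusters(r"C:\") from an Administrator command prompt and compare the directory column with the path in the AntiVir report.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# A minimal valid ZIP file: a lone end-of-central-directory record (22 bytes).
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18


def find_file_clusters(root, extensions=(".zip",), min_count=50):
    """Return [(directory, file_count, total_bytes)] for every directory
    under `root` holding at least `min_count` files whose name ends with
    one of `extensions`, largest cluster first.

    os.walk descends into hidden and system folders (those are attributes,
    not names), so a stash that Explorer hides is still counted. Directories
    that cannot be listed are skipped instead of aborting the scan.
    """
    exts = tuple(e.lower() for e in extensions)
    counts = defaultdict(int)
    sizes = defaultdict(int)
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            try:
                size = os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                size = 0  # locked or removed between listing and stat
            counts[dirpath] += 1
            sizes[dirpath] += size
    clusters = [(d, n, sizes[d]) for d, n in counts.items() if n >= min_count]
    clusters.sort(key=lambda item: (-item[1], item[0]))
    return clusters


def build_sample_tree(base):
    """Constructed layout for the demo (not from the thread): one stash
    folder stuffed with 120 zips, one normal folder with a few zips and
    one folder full of non-zip files that must not be reported."""
    stash = os.path.join(base, "Application Data", ".stash")
    docs = os.path.join(base, "My Documents")
    cache = os.path.join(base, "Temp")
    for d in (stash, docs, cache):
        os.makedirs(d)
    for i in range(120):
        with open(os.path.join(stash, "clip%04d.zip" % i), "wb") as fh:
            fh.write(EMPTY_ZIP)
    for i in range(3):
        with open(os.path.join(docs, "backup%d.zip" % i), "wb") as fh:
            fh.write(EMPTY_ZIP)
    for i in range(60):
        with open(os.path.join(cache, "c%03d.txt" % i), "wb") as fh:
            fh.write(b"x")
    if os.name == "nt":
        # Hide the stash the way the poster's folder is hidden from Explorer.
        os.system('attrib +h +s "%s"' % stash)
    return stash


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, and return
    the clusters with paths made relative to the scan root."""
    base = tempfile.mkdtemp(prefix="zipscan_")
    try:
        build_sample_tree(base)
        return [(os.path.relpath(d, base), n, size)
                for d, n, size in find_file_clusters(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for directory, count, total in demo():
        print("%6d files %10d bytes  %s" % (count, total, directory))
```

For the constructed tree the report is one line: 120 files, 2640 bytes, in Application Data\.stash; the 60 text files in Temp and the three archives in My Documents fall under the extension filter and the threshold respectively. The threshold is what keeps a scan of a whole drive readable.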
-
Can you please post a Hijackthis log
Here are the instructions: http://www.thetechguide.com/forum/index.php?showtopic=14623
-
Logfile of HijackThis v1.99.1
Scan saved at 6:22:33 PM, on 10/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125637809135
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125795761545
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
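What the helper is about to do by eye is check every load point in that log against where its binary lives. As an added example (not code from this thread or from HijackThis), the parser below turns O2/O3/O4/O16/O23 lines into entries and flags the cheap tells: a bare filename in a Run key (resolved through the search path instead of a fixed location), a binary outside %SystemRoot% or Program Files, an unquoted path containing spaces, and anything living under Temp or a user profile. The sample input is lines copied from the log above plus one constructed [loader] entry, which is not in the thread, so the flags have something to hit; the trusted-root list and the .microsoft.com allowlist for O16 ActiveX hosts are assumptions of this example, not HijackThis rules.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section name path flags")

# Assumed trusted roots for a stock XP install: autostart binaries loaded
# from anywhere else get a flag so a human looks at them.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
EXE_EXT = r"(?:exe|dll|ocx|cpl|scr|bat|cmd|com|vbs|js)"
PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.' + EXE_EXT + r')\b"?', re.I)

O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
O2_O3 = re.compile(r"^(O2 - BHO|O3 - Toolbar): (.+?) - \{([0-9A-F-]+)\} - (.*)$", re.I)
O23 = re.compile(r"^O23 - Service: (.+?)(?: \(([^)]+)\))? - (.+?) - (.*)$")
O16 = re.compile(r"^O16 - DPF: \{([0-9A-F-]+)\} \((.+?)\) - (\S+)", re.I)


def extract_path(command):
    """Pull the drive-letter path out of a command string. Returns
    (path, bare); bare=True means there was no path at all and Windows
    will resolve the name through its search order."""
    m = PATH_RE.search(command)
    if m:
        return m.group(1), False
    tokens = command.split()
    return (tokens[0] if tokens else ""), True


def assess(path, bare, raw_command=None):
    """Heuristic flags for one load point. raw_command is only passed for
    registry Run values, where quoting is the value's own problem; for the
    other sections HijackThis prints the path unquoted anyway."""
    flags = []
    low = path.lower()
    if bare:
        flags.append("bare filename (resolved via search path)")
    elif not low.startswith(TRUSTED_ROOTS):
        flags.append("outside Windows/Program Files")
    if raw_command is not None and not bare and " " in path \
            and not raw_command.lstrip().startswith('"'):
        flags.append("unquoted path with spaces")
    if "\\temp\\" in low or "documents and settings" in low:
        flags.append("user profile or Temp location")
    return flags


def parse_line(line):
    """Map one HijackThis line to an Entry, or None for sections not handled."""
    line = line.strip()
    m = O4_RUN.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        path, bare = extract_path(cmd)
        return Entry("O4 %s\\%s" % (hive, key), name, path, assess(path, bare, cmd))
    m = O4_STARTUP.match(line)
    if m:
        kind, name, target = m.groups()
        path, bare = extract_path(target)
        return Entry("O4 " + kind, name, path, assess(path, bare))
    m = O2_O3.match(line)
    if m:
        kind, name, clsid, target = m.groups()
        path, bare = extract_path(target)
        return Entry(kind, "%s {%s}" % (name, clsid), path, assess(path, bare))
    m = O23.match(line)
    if m:
        display, short, vendor, target = m.groups()
        path, bare = extract_path(target)
        label = "%s (%s) by %s" % (display, short or "-", vendor)
        return Entry("O23 Service", label, path, assess(path, bare))
    m = O16.match(line)
    if m:
        clsid, name, url = m.groups()
        host = url.split("/")[2].lower() if "//" in url else url.lower()
        # Assumed allowlist: ActiveX pulled from anywhere but Microsoft gets reviewed.
        flags = [] if host.endswith(".microsoft.com") else ["ActiveX from non-Microsoft host"]
        return Entry("O16 DPF", name, url, flags)
    return None


def triage(lines):
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def suspicious(entries):
    return [e for e in entries if e.flags]


# Lines copied from the log above, plus one constructed [loader] entry
# (not in the thread) so the Temp/unquoted/untrusted flags are exercised.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O4 - HKLM\..\Run: [loader] C:\Documents and Settings\user\Local Settings\Temp\ldr.exe -s
"""

if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG.strip().splitlines())):
        print("%-14s %-12s %s\n    %s" % (e.section, e.name, e.path, "; ".join(e.flags)))
```

On the sample only two entries come back flagged: the bare SysTray.Exe Run value (a bare name is something to verify, not proof of anything) and the constructed loader entry, which trips all three path checks. Every path-based entry copied from the real log resolves under Windows or Program Files, which is the same conclusion the helper reaches below.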
-
Let's see what we can find
Your log looks okay
==Download and save WinPFind.zip from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet
Please restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
Restart back to Normal mode
Post the results of the WinPFind.txt located in the WinPFind folder
-
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/23/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/23/2001 12:00:00 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PECompact2 9/8/2005 8:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 8:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
10/24/2005 7:17:24 AM S 2048 C:\WINDOWS\bootstat.dat
10/21/2005 11:23:12 PM H 54156 C:\WINDOWS\QTFont.qfn
9/1/2005 6:36:20 PM RH 188448 C:\WINDOWS\HWINFO.DAT
9/1/2005 6:35:34 PM H 13122 C:\WINDOWS\folder.htt
9/1/2005 7:48:54 PM H 2969 C:\WINDOWS\ttfCache
9/1/2005 6:34:14 PM H 9793 C:\WINDOWS\HELP\windows.GID
9/1/2005 9:59:52 PM H 10820 C:\WINDOWS\HELP\nocontnt.GID
9/1/2005 6:35:34 PM H 13122 C:\WINDOWS\SYSTEM32\folder.htt
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
9/1/2005 8:39:58 PM RH 488 C:\WINDOWS\SYSTEM32\logonui.exe.manifest
9/1/2005 8:39:58 PM RH 488 C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
9/1/2005 8:39:36 PM RH 749 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
10/24/2005 7:16:16 AM H 720896 C:\WINDOWS\SYSTEM32\config\system.LOG
10/24/2005 7:16:16 AM H 81920 C:\WINDOWS\SYSTEM32\config\software.LOG
10/24/2005 7:16:16 AM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG
9/1/2005 8:22:12 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdiff.LOG
9/1/2005 8:22:10 PM H 1024 C:\WINDOWS\SYSTEM32\config\TempKey.LOG
10/24/2005 7:17:40 AM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
10/24/2005 7:17:26 AM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
9/15/2005 7:04:56 AM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
9/1/2005 8:24:12 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\desktop.ini
9/1/2005 8:41:18 PM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\desktop.ini
9/1/2005 8:41:18 PM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KRQBHRU7\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OVSVOPP3\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AMNIP661\desktop.ini
9/1/2005 8:41:18 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GJ03D8S4\desktop.ini
9/1/2005 8:24:12 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\desktop.ini
9/1/2005 8:44:02 PM HS 206 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\desktop.ini
9/1/2005 8:44:02 PM HS 482 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
9/1/2005 8:44:02 PM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
9/1/2005 8:44:02 PM HS 348 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
9/1/2005 8:44:02 PM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
9/1/2005 8:40:04 PM HS 181 C:\WINDOWS\SYSTEM32\config\systemprofile\SendTo\desktop.ini
9/1/2005 8:24:12 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\desktop.ini
9/1/2005 8:59:18 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9720d58c-e8c8-4caa-9b6a-ed0cfe502fb7
9/1/2005 8:59:18 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
9/1/2005 10:16:42 PM RHS 13695 C:\WINDOWS\SYSTEM32\Restore\filelist.xml
9/1/2005 8:42:28 PM HS 67 C:\WINDOWS\FONTS\desktop.ini
9/1/2005 6:35:32 PM H 19600 C:\WINDOWS\WEB\WVLOGO.GIF
9/1/2005 6:35:32 PM H 4204 C:\WINDOWS\WEB\CONTROLP.HTT
9/1/2005 6:35:32 PM H 11530 C:\WINDOWS\WEB\FOLDER.HTT
9/1/2005 6:35:32 PM H 4988 C:\WINDOWS\WEB\MYCOMP.HTT
9/1/2005 6:35:32 PM H 5044 C:\WINDOWS\WEB\PRINTERS.HTT
9/1/2005 6:35:34 PM H 855 C:\WINDOWS\WEB\webview.css
9/1/2005 6:35:34 PM H 14258 C:\WINDOWS\WEB\default.htt
9/1/2005 6:35:34 PM H 5403 C:\WINDOWS\WEB\nethood.htt
9/1/2005 6:35:34 PM H 8088 C:\WINDOWS\WEB\recycle.htt
9/1/2005 6:35:34 PM H 5495 C:\WINDOWS\WEB\schedule.htt
9/1/2005 6:35:34 PM H 5521 C:\WINDOWS\WEB\dialup.htt
9/1/2005 6:35:34 PM H 44686 C:\WINDOWS\WEB\wvleft.bmp
9/1/2005 6:35:34 PM H 840 C:\WINDOWS\WEB\wvline.gif
9/1/2005 6:35:36 PM H 10931 C:\WINDOWS\WEB\ftp.htt
9/28/2005 4:58:14 PM HS 77312 C:\WINDOWS\WEB\Wallpaper\Thumbs.db
10/24/2005 7:16:08 AM H 6 C:\WINDOWS\TASKS\SA.DAT
9/1/2005 8:41:06 PM RHS 242478 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
9/1/2005 8:41:06 PM RHS 19959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
9/1/2005 8:41:06 PM RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
9/9/2005 6:31:42 AM H 30 C:\WINDOWS\TEMP\CS3E3ECF10-D174-405A-9D0E-E03B963DD4F3.tmp
9/9/2005 6:31:42 AM H 0 C:\WINDOWS\TEMP\CS2A84024B-A968-4B80-80FD-0D0597DE0C0D.tmp
9/9/2005 6:31:42 AM H 0 C:\WINDOWS\TEMP\CSCF1EF2A2-102C-4C07-9D54-BD30F308CF87.tmp
9/9/2005 6:31:42 AM H 2234862 C:\WINDOWS\TEMP\CSE1CEF7F2-60F3-4FC1-98BB-7F2523C30C72.tmp
9/9/2005 6:31:42 AM H 1413142 C:\WINDOWS\TEMP\CS8C93ABB7-7999-4917-85B1-6E8D5F69FAC7.tmp
9/9/2005 6:31:42 AM H 1726954 C:\WINDOWS\TEMP\CSCC79B85D-7525-4617-987D-1AA9F3EC9300.tmp
9/9/2005 6:31:42 AM H 80790 C:\WINDOWS\TEMP\CS540A512A-9618-44D4-85B5-C73B1002309B.tmp
9/9/2005 6:31:42 AM H 360444 C:\WINDOWS\TEMP\CS95F192B2-5A0C-4820-A504-C74C8FE986B6.tmp
9/9/2005 6:31:42 AM H 23436 C:\WINDOWS\TEMP\CS7026B2A2-1416-4CC2-A6E9-EA73943AD364.tmp
9/9/2005 6:31:42 AM H 72836 C:\WINDOWS\TEMP\CS42274365-33FA-4E95-8E32-1D82736EA8F2.tmp
9/9/2005 6:31:42 AM H 1292850 C:\WINDOWS\TEMP\CS026FA6B3-4954-49CC-B6D0-858B3D202040.tmp
9/9/2005 6:31:42 AM H 748 C:\WINDOWS\TEMP\CSE297CAA0-FC97-41EB-961C-EC0BE10EB51C.tmp
9/9/2005 6:31:42 AM H 240 C:\WINDOWS\TEMP\CS16EEE3AC-A587-424E-A373-3616E9831B21.tmp
9/9/2005 6:31:42 AM H 0 C:\WINDOWS\TEMP\CSDD8F6E5E-5900-448E-8B9D-45CFC19836ED.tmp
9/9/2005 6:31:42 AM H 3402 C:\WINDOWS\TEMP\CSCE13CC0D-50FC-4324-9480-F78FFECCFFF7.tmp
9/9/2005 6:31:42 AM H 160 C:\WINDOWS\TEMP\CSC79193A7-9F49-46F1-889A-582BE2338694.tmp
9/9/2005 6:31:42 AM H 5464 C:\WINDOWS\TEMP\CSFB438AE6-34C7-4238-8B4D-87FF57426B3C.tmp
9/9/2005 6:31:42 AM H 69460 C:\WINDOWS\TEMP\CSCE4BAD25-7E83-4615-818A-630A726200C8.tmp
9/9/2005 6:31:42 AM H 333 C:\WINDOWS\TEMP\CS490965C9-795C-4B19-A600-F2C98A1F4C01.tmp
9/9/2005 6:31:42 AM H 1602 C:\WINDOWS\TEMP\CSE0DF9E1A-6445-4C61-97A3-09D8ADECBA5B.tmp
9/9/2005 6:31:42 AM H 128 C:\WINDOWS\TEMP\CS47EFB099-AA82-4017-82FF-0603D48AF8AC.tmp
9/9/2005 6:31:42 AM H 32 C:\WINDOWS\TEMP\CS2BAE2104-DF2B-4F2D-B906-021E21BB0F53.tmp
9/9/2005 6:31:42 AM H 2016 C:\WINDOWS\TEMP\CS62008CE9-4DE1-4B4F-82F7-C98F1231C5E3.tmp
9/9/2005 6:31:42 AM H 1466936 C:\WINDOWS\TEMP\CS0CE55D78-D9DE-44D7-8853-4BB125A76496.tmp
9/9/2005 6:31:42 AM H 902322 C:\WINDOWS\TEMP\CSC53B3870-6E75-4B27-A4B4-33AA145B5035.tmp
9/9/2005 6:31:42 AM H 1077458 C:\WINDOWS\TEMP\CS487ED19D-32A7-4016-BA06-8A7BD6D11757.tmp
9/9/2005 6:31:42 AM H 556628 C:\WINDOWS\TEMP\CS90375F74-938C-4C15-8C39-8D2ADC688058.tmp
9/9/2005 6:31:42 AM H 40712 C:\WINDOWS\TEMP\CSD592C3CA-2DDA-4196-85D4-286BDEDA6B98.tmp
9/9/2005 6:31:42 AM H 104878 C:\WINDOWS\TEMP\CSFD0C5196-65C9-4333-A9FE-E9232F8E5B17.tmp
9/9/2005 6:31:42 AM H 38312 C:\WINDOWS\TEMP\CS8ED5DB2E-F018-40FD-B606-D06BD57FD8F4.tmp
9/9/2005 6:31:42 AM H 6460 C:\WINDOWS\TEMP\CS9EF6B288-B141-419A-913E-335E362D5635.tmp
9/9/2005 6:31:42 AM H 204 C:\WINDOWS\TEMP\CSDE790104-9006-42ED-A0A4-78B9E3FB9FBB.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSD87BFE67-4E20-427B-ACA4-9F84AED06D69.tmp
9/9/2005 6:32:08 AM H 508 C:\WINDOWS\TEMP\CSC8733840-1BD8-4F93-AF29-887002EA7AC9.tmp
9/9/2005 6:32:08 AM H 14 C:\WINDOWS\TEMP\CS0F212E94-9FDE-4E9C-B1C6-F972FD45FAE5.tmp
9/9/2005 6:32:08 AM H 30 C:\WINDOWS\TEMP\CS5D9DB00F-AC9C-4265-B485-0750685D9B8F.tmp
9/9/2005 6:32:08 AM H 48 C:\WINDOWS\TEMP\CSFA5D3313-4B64-4963-B8A5-2429FBAAD879.tmp
9/9/2005 6:32:08 AM H 412 C:\WINDOWS\TEMP\CS648B1A6B-5528-4BBF-8CB3-2C49D1DF0D67.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS553E2234-5982-49B6-9A92-A5F2899E79E9.tmp
9/9/2005 6:32:08 AM H 508 C:\WINDOWS\TEMP\CS4B3297D5-568C-44F9-91D7-7DA13EC9BF82.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS049AD159-FE76-4BBF-92F3-4BF380115948.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS73AD5D18-56A9-436E-9A02-32ABB5982FDD.tmp
9/9/2005 6:32:08 AM H 346 C:\WINDOWS\TEMP\CS4E5EFD2D-8D23-48C9-899F-1C360B6F6EE2.tmp
9/9/2005 6:32:08 AM H 428 C:\WINDOWS\TEMP\CS2981E7DC-EE2B-4F03-84DA-E6A517AF2460.tmp
9/9/2005 6:32:08 AM H 572 C:\WINDOWS\TEMP\CSEBE856BD-178A-46C1-AA2B-146E6731FCB2.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS9A24D262-6EF0-4833-9972-F499A1D2B3B0.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSF8CBA213-87B1-4767-A371-C276E62F1E90.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS81DA16EE-4249-4584-8BB3-2B47D7B9E315.tmp
9/9/2005 6:32:08 AM H 436 C:\WINDOWS\TEMP\CS8A17643D-4AC4-4F14-8990-F6D910247A4A.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSA3C429F9-6FCF-4A80-A233-63E31FBF2ECD.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS84BB7DF4-2416-4F96-AE36-A602187B45AE.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS98E39860-0AFE-4411-B116-6BFB91897E31.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSC3725423-2CD1-46A6-9858-567865EF9EC2.tmp
9/9/2005 6:32:08 AM H 412 C:\WINDOWS\TEMP\CS9D8A87D0-4C63-443D-A994-E3E10A79E5DE.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS85044270-C336-49DA-810E-213A7D777B4E.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS62DD81BE-74E7-4865-9FD4-D8A5955AE66F.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS4B15A1BB-6983-4F3D-9B94-1E0FFDC0A326.tmp
9/9/2005 6:32:08 AM H 42 C:\WINDOWS\TEMP\CS25214661-EDF9-416B-9D75-BD912A9BDB8F.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSDFDDC863-7925-4639-A5EE-FB225BD1E658.tmp
9/9/2005 6:32:08 AM H 102 C:\WINDOWS\TEMP\CS6A0DE925-000C-4506-8F19-DDF65971696A.tmp
9/9/2005 6:32:08 AM H 120 C:\WINDOWS\TEMP\CS85A0201B-A5C0-49DA-9785-7D98F0D40C7B.tmp
9/9/2005 6:32:08 AM H 136 C:\WINDOWS\TEMP\CS5DB90B5F-35A7-43B2-BFFE-A34A05359C30.tmp
9/9/2005 6:32:08 AM H 96 C:\WINDOWS\TEMP\CS36399186-59BB-4292-8A69-EF166DB45FBC.tmp
9/9/2005 6:32:08 AM H 484 C:\WINDOWS\TEMP\CSF3DB41E0-848B-4745-926F-DBBEEDAF0BDB.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS418F131B-4290-46A5-958C-B144FB538397.tmp
9/9/2005 6:32:08 AM H 604 C:\WINDOWS\TEMP\CS191F46C6-E5F3-4AAC-B2C1-69A4F04FE708.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSE7805D78-C5B4-4C4A-A37A-71F1AE9CFE72.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS2CFC510B-0E27-46DD-81F2-F97A90327BB2.tmp
9/9/2005 6:32:08 AM H 100 C:\WINDOWS\TEMP\CS45A24491-3610-42A0-8285-5CC42C438712.tmp
9/9/2005 6:32:08 AM H 664 C:\WINDOWS\TEMP\CS7BADC4FC-55F8-4DE0-83EF-E18BB58A555E.tmp
9/9/2005 6:32:08 AM H 408 C:\WINDOWS\TEMP\CS8D265D88-DC08-4CEA-810C-5E9FFE0C7113.tmp
9/9/2005 6:32:08 AM H 528 C:\WINDOWS\TEMP\CSF1201B4C-1338-4D9E-855F-FAA599321DEB.tmp
9/9/2005 6:32:08 AM H 114 C:\WINDOWS\TEMP\CS2ED77DCC-DE3A-4CBA-AE86-58785CC34749.tmp
9/9/2005 6:32:08 AM H 30 C:\WINDOWS\TEMP\CSD226E34A-3A1B-4A0D-B8D3-CB73E72100DA.tmp
9/9/2005 6:32:08 AM H 48 C:\WINDOWS\TEMP\CS8C88EF88-5ABD-4351-9D2D-ACA41E606940.tmp
9/9/2005 6:32:08 AM H 42 C:\WINDOWS\TEMP\CS900C1BC0-A931-455C-A27B-2FE5E81D1E87.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS76F16372-8C0C-4255-86AA-DC3A4DE2F49F.tmp
9/9/2005 6:32:08 AM H 418 C:\WINDOWS\TEMP\CS600DE2A1-7600-4EFD-B332-E6CB82EF2CED.tmp
9/9/2005 6:32:08 AM H 48 C:\WINDOWS\TEMP\CS9484667D-BA23-46EA-88F1-AFDBFC4C21FF.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS72CBE9D4-E95C-49F4-895D-A1EE41A7B298.tmp
9/9/2005 6:32:08 AM H 68 C:\WINDOWS\TEMP\CSE6E8DF90-FBEA-4748-AF98-09AC36AE17DC.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS305525F2-235A-4684-9F7C-28AB57F13060.tmp
9/9/2005 6:32:08 AM H 100 C:\WINDOWS\TEMP\CSC12121D0-A905-4BFD-A074-E9BB5B6AEA11.tmp
9/9/2005 6:32:08 AM H 100 C:\WINDOWS\TEMP\CS6A008EDA-519B-481C-B6CB-9EF31265BDA6.tmp
9/9/2005 6:32:08 AM H 162 C:\WINDOWS\TEMP\CS2C2BE89A-E8D8-4C38-936B-E381F48EFC8A.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS081AD54D-B261-4157-B8BC-52F64BA7AFBB.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSC5E3A9F5-D194-4C20-AB19-27ABAD7B4F12.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS3162CD30-F6E4-409E-BCFB-CAA4A2BF9212.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSF907D817-0049-4CA7-8F87-F3679F4575ED.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSD4616B9E-B094-469C-A91D-3643DF00129C.tmp
9/9/2005 6:32:08 AM H 118 C:\WINDOWS\TEMP\CS8AA6603C-4D4D-4FDD-B7C7-ED4E83A88B23.tmp
9/9/2005 6:32:08 AM H 124 C:\WINDOWS\TEMP\CSFF13544B-2469-4AFE-A5DC-20DBDF35AC3F.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS5D233308-5655-4E3B-8C9C-4628F3BC3C82.tmp
9/9/2005 6:32:08 AM H 50 C:\WINDOWS\TEMP\CS6DADABD8-38D7-4CEE-AAA6-781823772C8C.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS167A08AB-191D-477B-8848-9706A61C1DCB.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS096CE9CA-CDE5-4742-A165-11D551939FD6.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS82F698FF-98FD-4B5B-8E5E-F69B6404A298.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS8629C8D8-34EE-4904-AD26-8D34C3F8E84F.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CS23F5D514-21CB-4293-8313-F76DECAA5EFE.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSE8A8C956-4A92-4EFB-AB26-EDE53DFF7178.tmp
9/9/2005 6:32:08 AM H 10 C:\WINDOWS\TEMP\CSBAB94B72-1F33-45C3-A9C7-99FFF6C8C641.tmp
9/1/2005 8:39:58 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
9/1/2005 8:39:58 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
9/1/2005 8:45:38 PM H 286720 C:\WINDOWS\repair\ntuser.dat
9/1/2005 10:16:28 PM H 0 C:\WINDOWS\inf\oem0.inf
Checking for CPL files...
Microsoft Corporation 8/23/2001 12:00:00 PM 130048 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/23/2001 5:00:00 AM 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/10/2005 3:00:50 PM 1661 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/1/2005 8:44:02 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/1/2005 8:24:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
9/1/2005 8:44:02 PM HS 84 C:\Documents and Settings\bern schau\Start Menu\Programs\Startup\desktop.ini
9/6/2005 11:26:18 PM 829 C:\Documents and Settings\bern schau\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
Checking files in %USERPROFILE%\Application Data folder...
9/4/2005 9:25:04 AM 1697 C:\Documents and Settings\bern schau\Application Data\AdobeDLM.log
9/1/2005 8:24:12 PM HS 62 C:\Documents and Settings\bern schau\Application Data\desktop.ini
9/4/2005 9:25:04 AM 0 C:\Documents and Settings\bern schau\Application Data\dm.ini
9/6/2005 11:26:18 PM 83 C:\Documents and Settings\bern schau\Application Data\sversion.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
DigExt =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Program Files\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Program Files\AVPersonal\AVShlExt.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
AVSCHED32 C:\Program Files\AVPersonal\AVSched32.EXE /min
AVGCtrl C:\Program Files\AVPersonal\AVGNT.EXE /min
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key †€6òØÁbÚðwSõ~–ÁÉ
Hint relativity
FileName0 C:\WINDOWS\System32\RSACi.rat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 1
PleaseMom 0
Enabled 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
v 4
s 4
n 4
l 4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/24/2005 7:29:01 AM
-
I don't see what I'm looking for, but let's try some cleanup anyways
Ensure you are running the latest version of Ad-Aware
If you don't have the latest, uninstall your version and/or
Download and Install Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
After checking for updates, close down, we'll need it later
==Download and UNZIP to desktop
BFU.zip (http://\"http://castlecops.com/zx/Merijn/bfu.zip\")
So you now have BFU.exe extracted to desktop
Please Download and UNZIP to desktop
P2pnetwork.zip (http://\"http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=400\")
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop
==Download and Install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Don't run this yet, we'll need it in a bit
Open Ewido
click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
Please print this out or save to notepad for reference
Reboot back to SAFE MODE
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
Open Ad-Aware>>Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
Reboot back to Normal mode
Afterwards
Come back here and supply a fresh hijackthis log
and the Report from Ewido
-
Logfile of HijackThis v1.99.1
Scan saved at 7:51:21 PM, on 10/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...s/en/x86/client/wuweb_site.cab?1125637809135 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ols/en/x86/client/muweb_site.cab?1125795761545 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/clie\")
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
****NOTE: Ewido did not give me a report to save. However, I checked it over... it said that 6460 infected files were removed (all Trojans).
Ad-aware came thru clean.
Windows CleanUp 4.0 gained 1.91 GB of space.
I still have the BFU and P2P programs.
P2P??
(Speaking of which... I did have "LimeWire" for a period of time. Because I am on a dialup modem I unchecked the sharing of files; however, I did download music files for a time. Finally got tired of it all and nuked the program... which did not uninstall that easily or cleanly. I did not keep any of the files either.)
Things are better now; however, clicking with the mouse is somewhat sluggish (like connecting back onto the net thru dial-up procedures) and it seems the computer is working more (there is a lot of clicking going on inside the PC just to do simple tasks - it seems as though something else is running in surges inside, as the hard drive light comes on in groups and then goes out for a couple of minutes).
Just my observation at this moment.
Is a defrag necessary?
-
Can you reboot the computer one more time
Back in Windows
Run hijackthis again and post a fresh log, one from normal mode
-
Logfile of HijackThis v1.99.1
Scan saved at 6:21:51 AM, on 10/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125637809135 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125637809135\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125795761545 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125795761545\")
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
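The helper compares the safe-mode and normal-mode logs above by eye. As an added example that is not part of the thread, here is a small Python script that parses HijackThis v1.99.1 log text, rejoins lines the forum wrapped, and reports which running processes and lettered entries appeared or disappeared between two logs. The embedded excerpts are constructed, and the `[ConstructedEntry]` O4 line is a placeholder to exercise the diff, not an entry from the thread.

```python
import re

# Constructed excerpts in HijackThis v1.99.1 log format (not the thread's full logs);
# the first is wrapped at ~72 columns the way the forum wrapped the safe-mode log.
SAFE_MODE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program
Files\AVPersonal\AVGNT.EXE /min
"""
NORMAL_MODE_LOG = r"""Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [ConstructedEntry] C:\CONSTRUCTED\example.exe
"""
ENTRY_RE = re.compile(r"^[RFNO]\d{1,2} - ")  # R0-R3, F0-F3, N1-N4, O1-O24

def parse_hjt(text):
    """Split a log into process list and lettered entries; a line starting
    neither is a wrapped continuation of the previous entry."""
    processes, entries, in_processes = [], [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False
            entries.append(line)
        elif in_processes:
            processes.append(line)
        elif entries:
            entries[-1] += " " + line
    return {"processes": processes, "entries": entries}

def diff_logs(before_text, after_text):
    """Items that appeared or vanished between two logs; Windows paths are
    case-insensitive (System32 vs system32), so compare lowercased."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    def only_in(b, a):  # items of b whose lowercase form is absent from a
        seen = {x.lower() for x in a}
        return sorted(x for x in b if x.lower() not in seen)
    return {"new_processes": only_in(after["processes"], before["processes"]),
            "gone_processes": only_in(before["processes"], after["processes"]),
            "new_entries": only_in(after["entries"], before["entries"]),
            "gone_entries": only_in(before["entries"], after["entries"])}

if __name__ == "__main__":
    print(diff_logs(SAFE_MODE_LOG, NORMAL_MODE_LOG))
```

Entries that are new in the normal-mode log are the ones worth reading closely; a process that appears only in normal mode is usually just a service that safe mode does not start.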
-
I suspect things are getting quicker on startup?
CleanUp!, also cleans the Prefetch folder, so startup will be a bit slower at first, but will increase in speed after a couple bootups
You can look for the Complete folder and delete it if found
It will have hidden attributes
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Look for the Complete folder in this location
C:\Documents and Settings\bern schau\Complete
or under another user name
Go back and hide hidden files and folders later
You're way behind on Windows updates; it's important to keep up on updates to keep secure
If on dialup you can order the Service pack 2 CD from here
http://www.microsoft.com/windowsxp/downloa...us/default.mspx (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx\")
You need to get these updates on your computer
At minimum for now, install Service pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx\")
You may have to disable your download manager before installing
-
I can't figure out how to download SP1a from the MS website as there is no download button for that. When I press Downloads, I get taken to SP2. I have tried to download that 5 times and keep getting booted out. I figured at that time it was a memory capacity issue or something, so oh well! Let's see how long I live, I guess... I can always wipe the PC clean and go back to 98.
-
You should do the following
For some final cleanup
If everything is running better, please do the following
You should disable system restore and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
Use this link and get the express installation of Sp1a
Choose language and hit the GO button
Of course, your Windows version must be legit
http://www.microsoft.com/windowsxp/downloa...1/expresso.mspx (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx\")
Order the Sp2 CD